It turns out the VPN configuration redirects all name lookups to a different server. So the problem is not with Windows DNS but with the VPN gateway.
I have a remote network 10.12.0.0/16 with a Windows domain controller (SBS 2011) and a VPN gateway. Some Windows PCs (not domain members) connect to the SBS over an L2TP VPN. Each client gets a virtual IP in 10.14.0.0/24. The VPN gateway is the SBS's default gateway and routes between the two networks. The SBS and the clients can ping each other.

The domain controller hosts the Active Directory domain company.local. If I look it up on the SBS itself, it resolves correctly to the SBS's IP. Queries from the VPN gateway work as well. But nslookup company.local 10.12.0.5 (the latter being the SBS IP) from a client answers that the domain was not found. With tcpdump on the VPN gateway I can see that the SBS really does return NXDOMAIN 0/0/0.

As you may have guessed, the goal is to join the VPN-connected computers to the domain.

Why does the DNS server not return the correct A record? My only idea is that the query comes from an unknown private network.

The complete query from the client computer:
C:\Users\abc>nslookup -debug company.local 10.12.0.5
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        company.local, type = AAAA, class = IN

------------
*** xyz.cloud.internal can't find company.local: Non-existent domain

C:\Users\abc>nslookup -debug _ldap._tcp.dc._msdcs.company.local.
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
        ttl = 0 (0 secs)

------------
Server:  xyz.cloud.internal
Address:  10.12.0.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 10789 (2 hours 59 mins 49 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2013011600
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
*** xyz.cloud.internal can't find _ldap._tcp.dc._msdcs.company.local.: Non-existent domain
The problem (as worked out in the comments) turned out to be that the VPN gateway was intercepting the DNS queries.
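As an added check (example code written for this page, not from the original question), the script below parses an nslookup -debug transcript like the ones above and flags the two tells already visible in them: replies for names inside the AD zone that lack the "auth. answer" flag, and a negative answer whose SOA is the public root. A domain controller that hosts the zone sends neither, so both indicate that some other resolver answered. The sample transcript is a constructed, trimmed copy of the output in the question.

```python
import re

# Constructed sample: a trimmed copy of the nslookup -debug transcript in the question.
SAMPLE = """\
Got answer:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        5.0.12.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  5.0.12.10.in-addr.arpa
        name = xyz.cloud.internal
------------
Got answer:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
    QUESTIONS:
        _ldap._tcp.dc._msdcs.company.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        primary name server = a.root-servers.net
"""

def parse_nslookup_debug(text):
    """One dict per 'Got answer:' section of an nslookup -debug transcript."""
    answers = []
    for block in text.split("Got answer:")[1:]:
        q = re.search(r"QUESTIONS:\s+(\S+), type = (\w+)", block)
        flags = re.search(r"header flags:(.*)", block).group(1)
        soa = re.search(r"primary name server = (\S+)", block)  # SOA of a negative answer
        answers.append({"qname": q.group(1), "qtype": q.group(2),
                        "rcode": re.search(r"rcode = (\w+)", block).group(1),
                        "authoritative": "auth. answer" in flags,
                        "soa_ns": soa.group(1) if soa else None})
    return answers

def interception_evidence(answers, ad_zone):
    """Flag replies that a DC authoritative for ad_zone would never send."""
    findings = []
    for a in (x for x in answers if x["qname"].rstrip(".").endswith(ad_zone)):
        tag = f"{a['qname']} {a['qtype']}"
        if not a["authoritative"]:  # the DC owns this zone, so its replies carry 'auth. answer'
            findings.append(f"{tag}: {a['rcode']} without auth. answer flag")
        if a["soa_ns"] and a["soa_ns"].endswith("root-servers.net"):  # a public resolver replied
            findings.append(f"{tag}: negative answer with public root SOA {a['soa_ns']}")
    return findings

if __name__ == "__main__":
    for finding in interception_evidence(parse_nslookup_debug(SAMPLE), "company.local"):
        print(finding)
```

Feed it a transcript captured from the VPN client (for example, nslookup -debug redirected to a file) and compare against one taken on the LAN; only the intercepted path produces findings.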