Using DNS with Forefront UAG DirectAccess

This topic provides an overview of DNS requirements for Forefront UAG DirectAccess. Forefront Unified Access Gateway (UAG) DirectAccess requires a DNS infrastructure for the following:

  1. DNS for DirectAccess clients—DirectAccess clients attempt to connect to the network location server in order to determine whether they are located on the Internet or on the corporate network:

    1. If the connection is successful, then clients are determined to be on the intranet and DirectAccess is not used. Client requests are resolved using the DNS server configured on the network adapter of the client computer.

    2. If the connection does not succeed, clients are assumed to be on the Internet. DirectAccess clients will use the name resolution policy table (NRPT) to determine which DNS server to use when resolving name requests. You can use DNS64 to resolve names, or an alternative internal DNS server. For more information about DNS64, see Using integrated NAT64 and DNS64 with Forefront UAG DirectAccess.

  2. DNS for infrastructure servers—DNS intranet A records are required for the following:

    1. The network location server. For more information see Network location server.

    2. CRL distribution points. For more information, see Certificate revocation checking.

    3. The DirectAccess server acting as an IP-HTTPS server. For more information about IP-HTTPS, see Using transition technologies.

  3. Resolution support for the ISATAP name. For more information about ISATAP, see Using transition technologies.

NRPT

Windows Server 2008 R2 includes an NRPT that enables DNS servers to be identified per DNS namespace, instead of per interface. The NRPT consists of rules that define a DNS namespace and the DNS client behavior for that namespace. The following occurs when clients access resources with DirectAccess enabled:

  1. Clients request an FQDN or a single-label name such as https://internal. If a single-label name is requested, a DNS suffix is appended to make an FQDN. By default, the appended suffix is based on the DirectAccess client domain. If a DNS suffix search list is configured, those DNS suffixes will be appended to the name.

  2. The requested FQDN is compared to the NRPT, as follows:

    1. If there is a match, and either DNS64 or an intranet DNS server is specified for the rule, the query is sent for name resolution using the specified server.

    2. If there is a match, but no DNS server IPv6 address is specified for the rule, then this indicates an exemption rule, and normal name resolution is applied.

    3. If there is no match, normal name resolution is applied. Queries are sent to the DNS server configured in the TCP/IP settings of the client’s network adapter. In addition, if the original name is a single-label name, the client uses Link-Local Multicast Name Resolution (LLMNR) and Network Basic Input/Output System (NetBIOS) name resolution methods to resolve the name.

    4. If the original name is a single-label name and the DNS query sent to NRPT rule-configured DNS servers results in an error, the client uses LLMNR and NetBIOS name resolution methods based on the configured fallback local name resolution behavior.

Local name resolution for single-name labels

When the original client request is for a single-label name, and queries with appended DNS suffixes fail, you can specify that a local name resolution method be used. Local name resolution is not available when the original request was for an FQDN. You can configure local name resolution for single-name labels as follows:

  1. Only use local name resolution if the name does not exist in DNS—With this option selected, local name resolution occurs only if the queried name does not exist in DNS. This is the most secure option, because the DirectAccess client only sends DNS queries to Internet-facing DNS servers for server names that cannot be resolved.

  2. Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network—With this option, local name resolution occurs if the name does not exist in DNS, or if the DNS server cannot be reached while the client is on a private network (where the user selected Home or Work, and not Public, for the network type).

  3. Fall back to local name resolution for any kind of DNS resolution error—This option specifies that local name resolution is used if any type of DNS query error occurs, including for clients located on a public network. This is the least secure option, because the names of internal network servers that the DirectAccess client is attempting to resolve can be sent out to Internet-facing DNS servers. This could result in an eavesdropper between the DirectAccess client and the Internet-facing DNS server determining the names of internal network servers.
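The NRPT matching steps above and the three single-label fallback options are easier to reason about as code. The following is an added example written for this page, not Forefront UAG code: it models a suffix rule as a namespace starting with "." and a single-name rule as a full FQDN, and uses constructed rules, suffixes and addresses to show which names reach the interface-configured (Internet-facing) DNS servers and when LLMNR/NetBIOS fallback is permitted.

```python
# Constructed model of the DirectAccess client's NRPT lookup and local-name-resolution
# fallback as described on this page. Not Forefront UAG code; all names/addresses are made up.

# Wizard options for single-label fallback (labels are this example's own, not UI strings)
NAME_NOT_FOUND_ONLY = "only if name does not exist"
NOT_FOUND_OR_UNREACHABLE_PRIVATE = "not found, or unreachable on a private network"
ANY_DNS_ERROR = "any DNS resolution error"


def match_nrpt(fqdn, rules):
    """Return the most specific NRPT rule for fqdn as (namespace, servers), or None.
    A namespace starting with '.' is a DNS suffix rule; otherwise the whole name must match.
    An empty server list marks an exemption rule."""
    fqdn = fqdn.lower().rstrip(".")
    best = None
    for namespace, servers in rules:
        ns = namespace.lower()
        hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def select_dns_servers(name, rules, suffix_list, interface_dns):
    """Build the FQDN (appending each search suffix to a single-label name), then apply the
    NRPT: a match with servers -> those servers (DNS64 or intranet DNS); an exemption or
    no match -> the interface-configured DNS servers, which are Internet-facing when the
    client is on the Internet. Returns a list of (fqdn, servers, reason)."""
    candidates = [f"{name}.{s}" for s in suffix_list] if "." not in name else [name]
    decisions = []
    for fqdn in candidates:
        rule = match_nrpt(fqdn, rules)
        if rule is None or not rule[1]:
            decisions.append((fqdn, interface_dns, "interface DNS (no match / exemption)"))
        else:
            decisions.append((fqdn, rule[1], "NRPT DNS servers"))
    return decisions


def local_fallback_allowed(single_label, error, option, network):
    """Whether LLMNR/NetBIOS is tried after a DNS error, per the three wizard options.
    error: 'nxdomain' (name does not exist) or 'unreachable'. network: 'private'/'public'."""
    if not single_label:
        return False                      # never for an FQDN request
    if option == ANY_DNS_ERROR:
        return True                       # least secure: leaks names on any error, any network
    if error == "nxdomain":
        return True                       # both remaining options allow this case
    return option == NOT_FOUND_OR_UNREACHABLE_PRIVATE and network == "private"
```

A name such as the network location server is exempted by listing it as a single-name rule with no servers, so it is sent to the interface DNS even though its suffix matches the intranet rule.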

NRPT exemptions

Some names must be treated differently from others with regard to name resolution; these names must not be resolved using intranet DNS servers. To ensure that these names are resolved with interface-configured DNS servers, you must add them as NRPT exemptions.

If no DNS server addresses are specified in the NRPT rule, or the Do not use an internal DNS server for the specified server or suffix option is selected on the DNS Suffixes page of the wizard, the rule is an exemption. If a DNS name matches a rule in the NRPT that does not contain addresses of DNS servers, or does not match any rule in the NRPT, the DirectAccess client sends the name query to interface-configured DNS servers.

If any of the following servers have a name suffix that matches an NRPT rule for the intranet namespace, that server name must be an NRPT exemption:

  • WPAD servers.

  • Network location servers.

  • Intranet certificate revocation list (CRL) distribution points.

  • All quarantine and system health remediation servers.

These servers must always be resolved with interface-configured DNS servers.

Populating the NRPT

The NRPT allows DirectAccess clients to use intranet DNS servers, or the Forefront UAG DirectAccess server when integrated DNS64 is configured, for name resolution (dedicated DNS servers are not required). Forefront UAG DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.

You configure the NRPT in the DirectAccess Server Configuration Wizard. You add namespaces such as server names or DNS suffixes, and specify how queries for the namespace should be resolved with one of the following methods:

  1. Use the Forefront UAG DirectAccess DNS64 server IP address when resolving names for the suffix or server. For more information about DNS64, see Using integrated NAT64 and DNS64 with Forefront UAG DirectAccess.

  2. Use an alternative IPv4 or IPv6 intranet DNS server to resolve names.

  3. Create an exemption by specifying that an internal DNS server should not be used for a specific suffix or server.