OK, I don't speak DNS as well as you but I can report my results. I'll let you explain them however you like!
My scenario:

A local LAN adapter references one Windows AD DNS - TLD = a.com
A PPP adapter referencing another Windows AD DNS - TLD = b.com

When I start NSLookup, the PPP adapter's DNS is identified. So I know the PPP adapter's DNS is first in line. That being the case,

1. Ping can resolve server.a.com, only defined in a.com's DNS.
2. Ping can resolve server.b.com, only defined in b.com's DNS.

Both TLDs also exist in the public DNS world. So the TLDs are resolvable by both DNS's. But server.a.com and server.b.com are not defined in the public DNS's.

Based on what you've said, an NXDOMAIN response was not returned - because the domain did exist, only the hostname was not found.

Carl

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, December 12, 2008 7:35 PM
To: NT System Admin Issues
Subject: Re: Lose access to local domain servers when connected w/VPN to remote / different Windows domain

On Fri, Dec 12, 2008 at 12:37 PM, Carl Houseman <[email protected]> wrote:
> When there are multiple adapters each with their own DNS, DNS
> resolution is attempted on each adapter in turn until one resolves
> it and only fails if none of them resolve it.

I believe that is inaccurate. To the best of my knowledge, an NXDOMAIN response from an authoritative nameserver *is* considered a successful result for a DNS query. The query did not fail. The local stub resolver *did* receive an answer. That answer said, "I contacted a nameserver which is authoritative for the zone in question, and that nameserver said the domain name you want does not exist". A failure would be a SERVFAIL response from an intermediate full-service resolver, or no response at all (timeout).

In every relevant situation I've encountered, observed behavior has corroborated the above.
It's the difference between sending an email message and getting a failure notice stating "The recipient address does not exist on this server", vs sending an email message and getting a failure notice stating "The destination email server could not be reached after several tries; I'm giving up". The former says authoritatively the recipient address is bogus; the message could never be delivered (unless configuration changes). The latter just says your message could not be delivered, but it might be a temporary problem.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
