Always On VPN Client DNS Server Configuration

DNS server configuration for Windows 10 Always On VPN clients is crucial to ensuring full access to internal resources. For Always On VPN, there are a few different ways to assign a DNS server to VPN clients.

Default DNS Servers

By default, Windows 10 clients use the same DNS servers the VPN server itself is configured to use: RRAS hands out the DNS servers of the network adapter selected for dial-up client DHCP, DNS and WINS settings. This is true even if the VPN client IP address assignment method is DHCP.


There may be some scenarios in which this is not appropriate. For example, if the VPN server is configured to use a DNS server in a DMZ network that does not forward to (or is not itself one of) the internal Active Directory domain DNS servers, clients will be unable to resolve and therefore access internal resources.

DNS Server Assignment

To configure Windows 10 Always On VPN clients to use DNS servers other than those configured on the VPN server, configure the DomainNameInformation element in the ProfileXML, as shown here.


Note: Be sure to include the leading "." in the domain name to ensure that all hosts and subdomains are included.




Once the DomainNameInformation element has been defined, the new DNS server assignment does NOT appear on the VPN virtual adapter's interface. In fact, the adapter will still be configured to use the DNS servers assigned by the VPN server, just as before. Using the DomainNameInformation element instead configures the Name Resolution Policy Table (NRPT) and assigns the new DNS server to the namespace defined by the administrator. You can view the NRPT by running the Get-DnsClientNrptPolicy PowerShell command; queries for names outside any NRPT namespace continue to go to the adapter's DNS servers.
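The following is an added example, not the author's ProfileXML or any script from the original post. It shows the DomainNameInformation element from the DNS Server Assignment section above and then performs the checks described here on a connected client. The namespace .corp.example.com, the DNS server addresses, the connection name "Always On VPN" and the host names are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). All names and addresses
# below are assumptions: replace ".corp.example.com", the DNS server IPs,
# the connection name and the host names with your own.

# --- 1. DomainNameInformation as it sits inside ProfileXML ---------------
# DomainNameInformation is a direct child of <VPNProfile>, a sibling of
# <NativeProfile>. The leading "." makes the rule match every host and
# subdomain of corp.example.com; DnsServers is a comma-separated list.
$profileXmlFragment = @'
<VPNProfile>
  <!-- NativeProfile, routes, AlwaysOn and the rest of the profile omitted -->
  <DomainNameInformation>
    <DomainName>.corp.example.com</DomainName>
    <DnsServers>10.10.0.10,10.10.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
'@
[xml]$xml = $profileXmlFragment
$rule = $xml.VPNProfile.DomainNameInformation
"ProfileXML rule: namespace '$($rule.DomainName)' -> DNS $($rule.DnsServers)"

# --- 2. What the client does with it once the tunnel is connected --------
$ConnectionName = 'Always On VPN'      # assumed VPN connection / interface name
$Namespace      = $rule.DomainName     # '.corp.example.com'
$InsideHost     = "dc01$Namespace"     # assumed host inside the namespace
$OutsideHost    = 'www.example.com'    # assumed host outside the namespace

# 2a. The VPN adapter still lists the DNS servers handed out by the VPN
#     server (its own adapter's DNS), not the DnsServers from the rule.
Get-DnsClientServerAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2b. The rule lands in the NRPT instead. -Effective shows the merged
#     policy the resolver is really using (VPN profile, GPO and local rules).
$nrpt = Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Namespace }
if (-not $nrpt) {
    Write-Warning "No effective NRPT rule for $Namespace - is the tunnel connected?"
} else {
    "NRPT: $($nrpt.Namespace) -> $($nrpt.NameServers -join ', ')"
}

# 2c. Exercise the split. A name inside the namespace is sent to the rule's
#     servers; a name outside it goes to the adapter's DNS servers. Compare
#     the inside answer with a direct query to one of the rule's servers.
$viaPolicy = Resolve-DnsName -Name $InsideHost -Type A -ErrorAction SilentlyContinue
$direct    = Resolve-DnsName -Name $InsideHost -Type A -Server ($rule.DnsServers -split ',')[0] `
                -ErrorAction SilentlyContinue
"Inside  ($InsideHost): policy=$($viaPolicy.IPAddress) direct=$($direct.IPAddress)"
$outside = Resolve-DnsName -Name $OutsideHost -Type A -ErrorAction SilentlyContinue
"Outside ($OutsideHost): $($outside.IPAddress)"
# Resolve-DnsName does not report which server answered; to confirm the
# split on the wire, capture UDP/53 on the tunnel and physical interfaces.
```

Run this from an elevated PowerShell session on a client with the tunnel connected. If step 2b prints nothing while the tunnel is up, the profile's DomainNameInformation was not applied; if it prints the rule but step 2c resolves the inside name differently from the direct query, something other than the NRPT (for example a GPO rule for the same namespace) is winning.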


Additional Information

Windows 10 Always On VPN and the Name Resolution Policy Table (NRPT)

Deploying Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Hands-On Training



  1. Hi! Is that valid for both the user and the machine tunnel? I have configured both and both are connecting. However, if both tunnels are connected I cannot access domain resources. Before I added the machine tunnel everything worked like a charm. Any ideas? Thanks in advance! Dietmar

    • Correct. There are many issues with device tunnel/user tunnel coexistence, so you may be encountering one of them. Can't say for sure though. Have a close look at routing, because that can cause problems/conflicts if configured incorrectly.

  2. Robert Olsen

     /  November 7, 2018

    We have configured Always On VPN in our environment, both the Device tunnel and the User tunnel with IKEv2. We have also implemented the fallback to SSTP which seems to be working well also. There is only one more problem to solve, and that is to have the VPN clients register their VPN IP in the DNS (for Manage Out capabilities).

    As I understand, this applies only to the Device Tunnel, correct? That does not seem to work; the VPN clients do not get registered in the DNS. Is there a workaround for this?

    • Incorrect. DNS registration is supported for both the device and user tunnels. Best practice is to define the RegisterDNS element only on the device tunnel if you are using it. However, be advised that there are a number of known issues with DNS registration. Sometimes it doesn’t register, other times it registers both the tunnel interface IP and the client’s ethernet or Wi-Fi IP. Be sure you are running 1803 with the latest cumulative update for the best experience. 🙂

  3. Colin

     /  February 1, 2019

    One thing that annoys me about AOVPN is that setting

    doesn’t work to exclude an internal fqdn from using the internal dns servers. I set it for an fqdn that is available on the outside and inside and it always resolves to the inside address.

    If i specify public DNS servers along with it it will resolve outside. It doesn’t seem to work as advertised. Unless I am missing something.

    • Agreed. I need to evaluate this post again closely. When I wrote it initially this worked as expected. However, I tried it again recently for a customer and it didn't work. I suspect that something changed in the OS that changed this behavior. The workaround is to specify public DNS servers for the namespace you want to exclude. I'm not entirely comfortable with this because there's no guarantee they'll be available (could be blocked by a firewall). I'll do some more testing soon and update the post with additional information if necessary.

  4. Mike

     /  February 8, 2019

    I am using AOVPN, and found that I was sending SfB traffic back over the tunnel, and encountering odd issues. I have split brain DNS, with SfB on a subdomain. I have attempted to use NRPT to send the SfB traffic out to the internet, rather than back over the tunnel, while sending traffic for the root domain over the tunnel. Initially I applied settings using GPO, but found that NRPT was applying even when the clients were connected to the internal network. I have since attempted to apply NRPT in the VPN profile; in this scenario I have found that NRPT settings are not applied until the VPN is connected. Once connected, if the client disconnects then the NRPT settings are still applied. The NRPT settings are still applied after log off / log on. A reboot of the machine finally clears the NRPT settings.

    Do you know if this is the expected behaviour? Perhaps I’m missing something with how / when NRPT is applied…

    Appreciate your blog posts – they have proven very useful.

    • Hi Mike. A number of my customers have been experiencing this issue. I am also able to reproduce. It certainly appears to be a bug. I’d suggest giving Microsoft support a call to have them troubleshoot. Perhaps they can share a private hotfix or workaround with you. 🙂

  5. Steve

     /  April 25, 2019

    Hi Richard,
    We are getting issues with clients registering their external DNS along with the device tunnel DNS into Windows DNS. We are running 1803 with the April cumulative updates installed. Are you still experiencing the same thing, and have you found any workarounds?
    Thanks for your wonderful blog!

  6. Hi Richard,
    I configured the NRPT for a device tunnel and set the registerdns option.
    Have you heard of any dependencies using these two options? I am asking because the registerdns is not working in this combination and the checkbox “Register this connection’s addresses in DNS” is not set for the Device-Tunnel-Adapter. Removing the NRPT-Settings (Domain Name Information) leads to a correct registerdns!
    When not removing the NRPT-Settings, then setting the Checkbox manually in the network connection is a workaround. Strange.
    Cheers, Karsten…

    • There was an update that addressed an issue where DNS registration was happening for both the physical and virtual (tunnel) interface, but that doesn’t seem to be what is happening here. You might try playing with the registry entries listed in this post: Other than that, perhaps it is a bug?

      • Christof Computing

         /  November 14, 2019

        I have the update and registry key applied but still experience the issue Karsten is experiencing. A workaround I am using is to run the following commands via a scheduled task.
        Set-DnsClient -InterfaceAlias "VPN Device Tunnel Name" -RegisterThisConnectionsAddress $True -UseSuffixWhenRegistering $True
        ipconfig /registerdns

  7. Matt H

     /  November 20, 2019

    I noticed something interesting. I've read the posts here and thought I'd chime in.

    So I’m using the split DNS with NRPT.
    On the server, if I change the adapter to "Allow RAS to select adapter" under "Use the following adapters to obtain DHCP, DNS, and WINS addresses for dial-up clients", this happens:
    DNSServer is blank for my vpn adapter when doing get-netipconfiguration
    My NRPT exclusions do work. If I ping the excluded address, they ping the outside address.
    My internal NRPTs do work. They ping/resolve to internal ips as expected.
    My client IP does not register in DNS
    Using a packet capture, we see DNS queries gets split as expected by the NRPT table.

    On the server, if I change the adapter to use my "internal nic" under "Use the following adapters to obtain DHCP, DNS, and WINS addresses for dial-up clients", this happens:
    DNSServer shows the same DNS servers my internal nic shows on the server.
    My NRPT exclusions do not work. They ping the internal ip.
    My internal NRPTs do work. They ping/resolve to internal ips as expected.
    My client IP does register in DNS.
    Using a packet capture, we see all DNS queries go through the vpn tunnel instead of splitting.

    This is driving me crazy. I want the client IP to register but I want the NRPT to work as expected.

    • Very strange indeed. This is one of the reasons I try to avoid using the NRPT if at all possible. Question…are the DNS servers configured on the internal network interface of your RRAS server capable of resolving internal hostnames? If so, I’d suggest not using the NRPT altogether. If they aren’t, or if you have some other specific reason to use the NRPT, we’ll have to continue to investigate.

  8. Hello Richard,

    Thank you for commenting and your valuable blog.

    To answer your question, our internal DNS servers are indeed set on the internal nic of our RRAS server. They are capable of resolving internal hostnames.

    For now, I am just going to use the "internal nic" under "Use the following adapters to obtain DHCP".

    At least that way my client's VPN IP does register a record in our DNS. As suggested in the comments here, I will just use a public DNS (like in the xml for NRPT exclusions.

  9. Ryan Young

     /  February 3, 2020

    Maybe I'm not fully understanding NRPT. If I configure a device tunnel to use the NRPT setting to force certain DNS, what is the expected behavior for any other non-specified domain?

    • The NRPT essentially provides policy-based name resolution request routing. The NRPT will direct name resolution queries for defined namespaces to specified DNS servers. Name resolution requests for namespaces not defined in the policy are sent to the DNS servers configured on the network interface of the device.

  1. Always On VPN Routing Configuration | Richard M. Hicks Consulting, Inc.
