Always On VPN Client DNS Server Configuration

DNS server configuration for Windows 10 Always On VPN clients is crucial to ensuring full access to internal resources. For Always On VPN, there are a few different ways to assign a DNS server to VPN clients.

Default DNS Servers

By default, Windows 10 clients use the same DNS server the VPN server is configured to use. This is true even if the VPN client IP address assignment method is DHCP.


There may be some scenarios in which this is not appropriate. For example, if the DNS server is in a DMZ network and is not configured to use internal Active Directory domain DNS servers, clients will be unable to access internal resources.

DNS Server Assignment

To configure Windows 10 Always On VPN clients to use DNS servers other than those configured on the VPN server, configure the DomainNameInformation element in the ProfileXML, as shown here.

<VPNProfile>
   <DomainNameInformation>
      <DomainName>.corp.example.net</DomainName>
      <DnsServers>10.21.12.100,10.21.12.101</DnsServers>
   </DomainNameInformation>
</VPNProfile>

Note: Be sure to include the leading “.” in the domain name to ensure that all hosts and subdomains are included.
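As an added example (not code from the article or from Microsoft), the following Python lint reads a ProfileXML and checks the two points above: that each DomainName carries the leading “.” and that DnsServers is a comma-separated list of valid IP addresses. It also flags a profile with no DomainNameInformation at all, since such clients fall back to the VPN server's own DNS servers. The sample profile is constructed and the lint_profile function name is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ProfileXML: the article's entry plus a second one that
# lacks the leading "." and lists a malformed DNS server address.
SAMPLE_PROFILE = """<VPNProfile>
   <DomainNameInformation>
      <DomainName>.corp.example.net</DomainName>
      <DnsServers>10.21.12.100,10.21.12.101</DnsServers>
   </DomainNameInformation>
   <DomainNameInformation>
      <DomainName>corp.example.org</DomainName>
      <DnsServers>10.21.12.100,10.21.12.300</DnsServers>
   </DomainNameInformation>
</VPNProfile>"""


def lint_profile(profile_xml: str) -> list:
    """Return human-readable findings; an empty list means the profile passed."""
    findings = []
    root = ET.fromstring(profile_xml)
    entries = root.findall("DomainNameInformation")
    if not entries:
        # Without this element the client uses the VPN server's DNS servers.
        findings.append("no DomainNameInformation: clients will use the VPN server's DNS servers")
        return findings
    for entry in entries:
        domain = (entry.findtext("DomainName") or "").strip()
        servers = (entry.findtext("DnsServers") or "").strip()
        if not domain:
            findings.append("DomainNameInformation entry has no DomainName")
            continue
        # The leading "." makes the rule a suffix match covering every host
        # and subdomain; without it only that exact name is matched.
        if not domain.startswith("."):
            findings.append(f"{domain}: missing leading '.', only the exact name will match")
        if not servers:
            findings.append(f"{domain}: no DnsServers listed")
            continue
        for token in servers.split(","):  # comma-separated list of addresses
            try:
                ipaddress.ip_address(token.strip())
            except ValueError:
                findings.append(f"{domain}: invalid DNS server address {token.strip()!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("WARNING:", finding)
```

Run it against the ProfileXML you intend to deploy before pushing it through Intune or PowerShell; the first sample entry passes cleanly and the second produces two warnings.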


Reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

Additional Information

Windows 10 Always On VPN and the Name Resolution Policy Table (NRPT)

Deploying Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Hands-On Training


5 Comments

  1. Hi! Is that valid for both the user and the machine tunnel? I have configured both and both are connecting. However, if both tunnels are connected I cannot access domain resources. Before I added the machine tunnel everything worked like a charm. Any ideas? Thanks in advance! Dietmar

    Reply
    • Correct. There are many issues with device tunnel/user tunnel coexistence, so you may be encountering one of them. Can’t say for sure though. Have a close look at routing, because that can cause problems/conflicts if configured incorrectly.

      Reply
  2. Robert Olsen / November 7, 2018

    Hi!
    We have configured Always On VPN in our environment, both the Device tunnel and the User tunnel with IKEv2. We have also implemented the fallback to SSTP, which seems to be working well also. There is only one more problem to solve, and that is to have the VPN clients register their VPN IP in the DNS (for Manage Out capabilities).

    As I understand, this applies only to the Device Tunnel, correct? That does not seem to work; the VPN clients do not get registered in the DNS. Is there a workaround for this?

    Reply
    • Incorrect. DNS registration is supported for both the device and user tunnels. Best practice is to define the RegisterDNS element only on the device tunnel if you are using it. However, be advised that there are a number of known issues with DNS registration. Sometimes it doesn’t register, other times it registers both the tunnel interface IP and the client’s ethernet or Wi-Fi IP. Be sure you are running 1803 with the latest cumulative update for the best experience. 🙂

      Reply
  1. Always On VPN Routing Configuration | Richard M. Hicks Consulting, Inc.
