Always On VPN Client DNS Server Configuration

DNS server configuration for Windows 10 Always On VPN clients is crucial to ensuring full access to internal resources. For Always On VPN, there are a few different ways to assign DNS servers to VPN clients.

Default DNS Servers

By default, Windows 10 clients use the same DNS servers the VPN server itself is configured to use. This is true even if the VPN client IP address assignment method is DHCP.


There are scenarios in which this is not appropriate. For example, if the VPN server is in a DMZ network and is configured to use a DNS server that does not forward to the internal Active Directory domain DNS servers, clients will be unable to resolve, and therefore access, internal resources.

DNS Server Assignment

To configure Windows 10 Always On VPN clients to use DNS servers other than those configured on the VPN server, configure the DomainNameInformation element in the ProfileXML, as shown here.

<VPNProfile>
   <DomainNameInformation>
      <DomainName>.corp.example.net</DomainName>
      <DnsServers>10.21.12.100,10.21.12.101</DnsServers>
   </DomainNameInformation>
</VPNProfile>

Note: Be sure to include the leading “.” in the domain name to ensure that all hosts and subdomains in the namespace are included. Without it, the rule matches only that exact FQDN.
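As an added example (not from the original post), the following PowerShell builds the DomainNameInformation portion of a ProfileXML from a list of namespace rules and checks the two mistakes that most often make the rule ineffective: a DomainName without the leading “.” and a DnsServers entry that is not a valid IP address. The namespaces, server addresses and output path are placeholder assumptions.

```powershell
# Added example: build and sanity-check the DomainNameInformation section of an
# Always On VPN ProfileXML. Namespaces, server addresses and the output path are
# placeholder assumptions, not values from the original post.

$rules = @(
    @{ DomainName = '.corp.example.net'; DnsServers = @('10.21.12.100', '10.21.12.101') }
    # A second (assumed) namespace; the leading "." covers every host beneath it.
    @{ DomainName = '.lab.example.net';  DnsServers = @('10.21.13.100') }
)

function Test-NrptRule {
    param([hashtable]$Rule)

    # A name without a leading "." matches only that exact FQDN, not the hosts
    # and subdomains under it, so fail loudly instead of deploying a no-op rule.
    if (-not $Rule.DomainName.StartsWith('.')) {
        throw "DomainName '$($Rule.DomainName)' must start with '.' to cover the whole namespace."
    }

    foreach ($server in $Rule.DnsServers) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
            throw "DnsServers entry '$server' is not a valid IP address."
        }
    }
}

function New-DomainNameInformationXml {
    param([hashtable[]]$Rules)

    $sb = [System.Text.StringBuilder]::new()
    foreach ($rule in $Rules) {
        Test-NrptRule -Rule $rule
        [void]$sb.AppendLine('   <DomainNameInformation>')
        [void]$sb.AppendLine("      <DomainName>$($rule.DomainName)</DomainName>")
        # The VPNv2 CSP expects a comma-separated list of addresses with no spaces.
        [void]$sb.AppendLine("      <DnsServers>$($rule.DnsServers -join ',')</DnsServers>")
        [void]$sb.AppendLine('   </DomainNameInformation>')
    }
    return $sb.ToString()
}

$profileXml = @"
<VPNProfile>
$(New-DomainNameInformationXml -Rules $rules)</VPNProfile>
"@

# Confirm the result is well-formed XML before handing it to Intune or the WMI bridge.
[xml]$parsed = $profileXml
$parsed.VPNProfile.DomainNameInformation | Format-Table DomainName, DnsServers

# Assumed output location; merge this fragment into your full ProfileXML.
$profileXml | Out-File -FilePath "$env:TEMP\VPN_DomainNameInformation.xml" -Encoding utf8
```

The XML cast at the end is deliberate: a malformed fragment is rejected silently by some deployment paths, so validating locally is cheaper than troubleshooting a profile that never applied.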


Reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp

DNS and NRPT

Once the DomainNameInformation element has been defined, the new DNS server assignment does NOT appear on the VPN virtual adapter's interface. In fact, the adapter will still be configured to use the DNS servers assigned to the VPN server, just as before. The DomainNameInformation element instead configures the Name Resolution Policy Table (NRPT) and assigns the new DNS servers to the namespace defined by the administrator, so queries for that namespace go to those servers while everything else continues to use the adapter's DNS settings. You can view the NRPT by running the Get-DnsClientNrptPolicy PowerShell command.
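Because the assignment lands in the NRPT rather than on the adapter, verifying it by looking at the adapter's DNS settings is misleading. The following PowerShell, an added example rather than code from the original post, is run on a connected client: it shows the adapter's DNS servers next to the NRPT rule for the namespace, checks that the rule lists the servers you expected, and resolves a test host both through the NRPT and directly against each listed server. The connection name, namespace, expected servers and test host are placeholder assumptions.

```powershell
# Added example: confirm on a connected Always On VPN client that the
# DomainNameInformation rule is in the NRPT (not on the adapter) and that it
# actually answers for the internal namespace. All values below are assumptions.

$connectionName = 'Always On VPN'            # assumed VPN profile/connection name
$namespace      = '.corp.example.net'        # assumed DomainName from the profile
$expectedDns    = @('10.21.12.100', '10.21.12.101')
$testHost       = "dc01$namespace"           # assumed internal host to resolve

function Get-VpnNrptState {
    param([string]$ConnectionName, [string]$Namespace)

    # The VPN adapter keeps the server-assigned DNS entries; the namespace rule
    # is expected in the NRPT, not here.
    $adapterDns = (Get-DnsClientServerAddress -InterfaceAlias $ConnectionName `
        -AddressFamily IPv4 -ErrorAction SilentlyContinue).ServerAddresses

    # NRPT rules pushed by the VPN profile are only present while the tunnel is up.
    $rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $Namespace }

    [pscustomobject]@{
        AdapterDns     = $adapterDns
        NrptNameServer = if ($rule) { @($rule.NameServers) } else { @() }
    }
}

$state = Get-VpnNrptState -ConnectionName $connectionName -Namespace $namespace
$state | Format-List

if ($state.NrptNameServer.Count -eq 0) {
    Write-Warning "No NRPT rule for $namespace found; is the tunnel connected?"
    return
}

$missing = $expectedDns | Where-Object { $_ -notin $state.NrptNameServer }
if ($missing) {
    Write-Warning "NRPT rule is missing expected servers: $($missing -join ', ')"
}

# Resolve through the NRPT (no -Server) and then directly against each listed
# server. A server that answers differently, or not at all, is reachable over
# the tunnel but not serving the internal zone, which is exactly the DMZ-DNS
# failure the post describes.
$viaNrpt = (Resolve-DnsName -Name $testHost -Type A -ErrorAction SilentlyContinue).IPAddress
foreach ($server in $state.NrptNameServer) {
    $direct = (Resolve-DnsName -Name $testHost -Type A -Server $server -ErrorAction SilentlyContinue).IPAddress
    '{0,-16} NRPT={1,-16} direct={2}' -f $server, ($viaNrpt -join ','), ($direct -join ',')
}
```

Run it once with the tunnel connected and once after disconnecting: the NRPT rule should disappear on disconnect, and if it persists until a reboot you are seeing the behaviour described in the comments below rather than a profile error.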


Additional Information

Windows 10 Always On VPN and the Name Resolution Policy Table (NRPT)

Deploying Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Certificate Requirements for IKEv2

Windows 10 Always On VPN Hands-On Training


17 Comments

  1. Hi! Is that valid for both the user and the machine tunnel? I have configured both and both are connecting. However, if both tunnels are connected I cannot access domain resources. Before I added the machine tunnel everything worked like a charm. Any ideas? Thanks in advance! Dietmar

    Reply
    • Correct. There are many issues with device tunnel/user tunnel coexistence, so you may be encountering one of them. Can’t say for sure though. Have a close look at routing, because that can cause problems/conflicts if configured incorrectly.

      Reply
  2. Robert Olsen

     November 7, 2018

    Hi!
    We have configured Always On VPN in our environment, both the Device tunnel and the User tunnel with IKEv2. We have also implemented the fallback to SSTP, which seems to be working well also. There is only one more problem to solve, and that is to have the VPN clients register their VPN IP in the DNS (for Manage Out capabilities).

    As I understand, this applies only to the Device tunnel, correct? That does not seem to work; the VPN clients do not get registered in the DNS. Is there a workaround for this?

    Reply
    • Incorrect. DNS registration is supported for both the device and user tunnels. Best practice is to define the RegisterDNS element only on the device tunnel if you are using it. However, be advised that there are a number of known issues with DNS registration. Sometimes it doesn’t register, other times it registers both the tunnel interface IP and the client’s ethernet or Wi-Fi IP. Be sure you are running 1803 with the latest cumulative update for the best experience. 🙂

      Reply
  3. Colin

     February 1, 2019

    One thing that annoys me about AOVPN is that setting

    .corp.example.net

    doesn’t work to exclude an internal FQDN from using the internal DNS servers. I set it for an FQDN that is available on the outside and inside and it always resolves to the inside address.

    If I specify public DNS servers along with it, it will resolve outside. It doesn’t seem to work as advertised. Unless I am missing something.

    Reply
    • Agreed. I need to evaluate this post again closely. When I wrote it initially this worked as expected. However, I tried it again recently for a customer and it didn’t work. I suspect that something changed in the OS that changed this behavior. The workaround is to specify public DNS servers for the namespace you want to exclude. I’m not entirely comfortable with this because there’s no guarantee they’ll be available (could be blocked by a firewall). I’ll do some more testing soon and update the post with additional information if necessary.

      Reply
  4. Mike

     February 8, 2019

    I am using AOVPN, and found that I was sending SfB traffic back over the tunnel, and encountering odd issues. I have split brain DNS, with SfB on a subdomain. I have attempted to use NRPT to send the SfB traffic out to the internet, rather than back over the tunnel, while sending traffic for the root domain over the tunnel. Initially I applied settings using GPO, but found that NRPT was applying even when the clients were connected to the internal network. I have since attempted to apply NRPT in the VPN profile; in this scenario I have found that NRPT settings are not applied until the VPN is connected. Once connected, if the client disconnects then the NRPT settings are still applied. The NRPT settings are still applied after log off / log on. A reboot of the machine finally clears the NRPT settings.

    Do you know if this is the expected behaviour? Perhaps I’m missing something with how / when NRPT is applied…

    Appreciate your blog posts – they have proven very useful.

    Reply
    • Hi Mike. A number of my customers have been experiencing this issue. I am also able to reproduce. It certainly appears to be a bug. I’d suggest giving Microsoft support a call to have them troubleshoot. Perhaps they can share a private hotfix or workaround with you. 🙂

      Reply
  5. Steve

     April 25, 2019

    Hi Richard,
    We are getting issues with clients registering their external DNS along with the device tunnel DNS into Windows DNS. We are running 1803 with the April cumulative updates installed. Are you still experiencing the same thing, and have you found any workarounds?
    Thanks for your wonderful blog!

    Reply
  6. Hi Richard,
    I configured the NRPT for a device tunnel and set the registerdns option.
    Have you heard of any dependencies between these two options? I am asking because RegisterDNS is not working in this combination, and the checkbox “Register this connection’s addresses in DNS” is not set for the Device-Tunnel adapter. Removing the NRPT settings (Domain Name Information) leads to a correct RegisterDNS!
    When not removing the NRPT settings, setting the checkbox manually in the network connection is a workaround. Strange.
    Cheers, Karsten…

    Reply
  Pingback: Always On VPN Routing Configuration | Richard M. Hicks Consulting, Inc.
