DNS server configuration for Windows 10 Always On VPN clients is crucial to ensuring full access to internal resources. For Always On VPN, there are a few different ways to assign a DNS server to VPN clients.
Default DNS Servers
By default, Windows 10 clients use the same DNS server the VPN server is configured to use. This is true even if the VPN client IP address assignment method is DHCP.
There may be some scenarios in which this is not appropriate. For example, if the DNS server is in a DMZ network and is not configured to use internal Active Directory domain DNS servers, clients will be unable to access internal resources.
DNS Server Assignment
To configure Windows 10 Always On VPN clients to use DNS servers other than those configured on the VPN server, configure the DomainNameInformation element in the ProfileXML, as shown here.
<VPNProfile>
<DomainNameInformation>
<DomainName>.corp.example.net</DomainName>
<DnsServers>10.21.12.100,10.21.12.101</DnsServers>
</DomainNameInformation>
</VPNProfile>
Note: Be sure to include the lading “.” In the domain name to ensure that all hosts and subdomains are included.
Reference: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
DNS and NRPT
Once the DomainNameInformation element has been defined, the new DNS server assignment does NOT appear on the VPN virtual adapters interface. In fact, it will still be configured to use the DNS server assigned to the VPN server, just as before. Using the DomainNameInformation element instead configures the Name Resolution Policy Table (NRPT) and assigns the new DNS server to the namespace defined by the administrator. You can view the NRPT running the Get-DnsClientNrptPolicy PowerShell command.
Additional Information
Windows 10 Always On VPN and the Name Resolution Policy Table (NRPT)
Deploying Windows 10 Always On VPN with Microsoft Intune
