Always On VPN DNS resolution problem

Thomas Gusset 36 Reputation points
2021-03-15T14:25:36.607+00:00

Hi

we set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10.

The customer uses split DNS, which means the same FQDN points to different IPs depending on whether you are on an inside or outside network.

Everything works fine but there is a strange issue with DNS resolution.

One would expect that in force-tunnel mode all the network traffic goes through the VPN tunnel. But for DNS requests you can observe that there are DNS requests to the internal DNS servers (as expected) but also to the DNS servers configured on the LAN interface.

It looks like Win 10 asks all the DNS servers and selects one of the responses (if there are different responses). It seems to be the response from the DNS server on the interface with the lowest metric.

The VPN client changes the metric as soon as the VPN tunnel is up.

Metrics while VPN is down (screenshot 77852-0.png)

Metrics when VPN is up (screenshot 77808-1.png)

As we can see, the metric of the IPv4 Ethernet interface has changed from 25 to 4250. Therefore the VPN (CL06 VPN Verwaltung) now has the lowest metric and we would expect that DNS responses from the internal DNS servers will be used.

But we still see the DNS response from the DNS server configured on the Ethernet interface. Because we have to access the internal server, the DNS response returns the wrong IP.

After some research we found that we should disable IPv6 on the Ethernet interface. And this works -> now DNS resolves the internal IP.

This seems to be very strange.

Next we changed the metric of IPv6 of the Ethernet interface from 25 to 100 and enabled IPv6 again.
(screenshot 77853-2.png)

... and it works too.

There is no IPv6 connectivity on the Ethernet interface (nor on the VPN). We sniffed the traffic on the Ethernet interface and see only IPv4 DNS traffic.

Any idea why this behavior could make sense?

For me this seems to be a bug.
Thomas
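The following PowerShell script is an added example, not part of the original question: it reproduces the comparison the screenshots show, listing the interface metrics for IPv4 and IPv6 side by side, flagging the exact mismatch described above (the VPN interface has the lowest IPv4 metric while the Ethernet interface still has the lowest IPv6 metric), showing which resolver each interface advertises, and comparing the answer for a split-DNS name via the VPN resolver against the default path. The interface aliases and the test FQDN are assumptions taken from the thread or placeholders; the optional -Fix switch applies the IPv6-metric workaround (25 to 100) that the question reports as working.

```powershell
# Added example (not from the original thread): compare per-family interface metrics,
# flag the IPv4/IPv6 mismatch described in the question, and compare DNS answers.
# Interface aliases and the test name are assumptions; adjust them for your client.
param(
    [string]$VpnAlias      = 'CL06 VPN Verwaltung',  # alias from the screenshots (assumption)
    [string]$EthernetAlias = 'Ethernet',             # assumption
    [string]$TestFqdn      = 'intranet.example.com', # placeholder split-DNS name
    [switch]$Fix                                     # apply the IPv6 metric workaround
)

function Get-LowestMetricInterface {
    param([ValidateSet('IPv4', 'IPv6')][string]$Family)
    # Only connected interfaces take part in resolver selection
    Get-NetIPInterface -AddressFamily $Family |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Sort-Object InterfaceMetric |
        Select-Object -First 1
}

Write-Host 'Interface metrics (both address families):'
Get-NetIPInterface |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object AddressFamily, InterfaceMetric |
    Format-Table InterfaceAlias, AddressFamily, InterfaceMetric -AutoSize

$v4 = Get-LowestMetricInterface -Family IPv4
$v6 = Get-LowestMetricInterface -Family IPv6
Write-Host "Lowest IPv4 metric: $($v4.InterfaceAlias) ($($v4.InterfaceMetric))"
Write-Host "Lowest IPv6 metric: $($v6.InterfaceAlias) ($($v6.InterfaceMetric))"

# The symptom from the question: IPv4 prefers the VPN, IPv6 still prefers Ethernet.
$mismatch = ($v4.InterfaceAlias -eq $VpnAlias) -and ($v6.InterfaceAlias -eq $EthernetAlias)
if ($mismatch) {
    Write-Warning "IPv4 prefers '$VpnAlias' but IPv6 still prefers '$EthernetAlias'; answers may come from the LAN resolver."
}

# Resolvers advertised per interface (ipconfig /all shows the same data)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Query the test name directly at the VPN resolver and via the default path
$vpnDns = (Get-DnsClientServerAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4).ServerAddresses |
    Select-Object -First 1
if ($vpnDns) {
    $internal = Resolve-DnsName -Name $TestFqdn -Server $vpnDns -Type A -ErrorAction SilentlyContinue
    $default  = Resolve-DnsName -Name $TestFqdn -Type A -ErrorAction SilentlyContinue
    Write-Host "Via VPN resolver $vpnDns : $($internal.IPAddress -join ', ')"
    Write-Host "Via default path     : $($default.IPAddress -join ', ')"
}

if ($mismatch -and $Fix) {
    # Workaround the question reports as working: raise the Ethernet IPv6 metric
    # so the VPN interface has the lowest metric for both families (needs elevation).
    Set-NetIPInterface -InterfaceAlias $EthernetAlias -AddressFamily IPv6 -InterfaceMetric 100
    Clear-DnsClientCache
    Write-Host 'Ethernet IPv6 metric set to 100; re-run without -Fix to verify.'
}
```

Run it once with the VPN down and once with it up to see the metric change the question describes; a differing pair of addresses in the last two lines is the split-DNS symptom. Setting the metric with Set-NetIPInterface persists across reboots, so record the original value before applying -Fix.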


11 answers

  1. FerryvS 11 Reputation points
    2021-07-06T09:13:31.757+00:00

    Hi,

    We seem to be running into the same issues.

    Thought resolving issues with NRPT would resolve this. As we also had the issue that:
    Get-DnsClientNrptPolicy

    didn't output anything. It's supposed to forward domain.local and external-domain.tld (for exchange amongst other things as it's not available externally, but does resolve to an external IP externally and thus breaks if it doesn't use the split DNS as it's not accessible through that IP).

    This is caused by registry key:
    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

    Which is created by setting a DNS search suffix through GPO.

    See here for example: https://social.technet.microsoft.com/Forums/sqlserver/en-US/99b7ad27-e58e-411c-8fa8-12782992ee3b/always-on-vpn-local-dns-issue-for-clients-using-a-nic?forum=winserverNIS

    We remove that registry key with the same GPO now, but it's still not stable unfortunately and this only seems to be the case for users with cabled IPv6 connections.

    1 person found this answer helpful.
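As an added example (not code from the answer above), the following PowerShell script checks the two things FerryvS describes: whether Get-DnsClientNrptPolicy returns any rules for the namespaces that are supposed to be routed to the internal resolvers, and whether the GPO-created DnsPolicyConfig registry key is present. The namespace list is a placeholder; the removal step is only performed with the -RemoveKey switch and requires elevation.

```powershell
# Added example (not from the thread): report NRPT coverage and the presence of the
# DnsPolicyConfig key that a GPO DNS-suffix setting creates. Read-only unless -RemoveKey.
param(
    [string[]]$ExpectedNamespaces = @('.domain.local', '.external-domain.tld'), # placeholders
    [switch]$RemoveKey
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

function Test-NrptCoverage {
    param([string[]]$Namespaces)
    $rules = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        Write-Warning 'Get-DnsClientNrptPolicy returned nothing: no NRPT rules are in effect.'
    }
    foreach ($ns in $Namespaces) {
        $match = $rules | Where-Object { $_.Namespace -eq $ns }
        if ($match) {
            Write-Host ('{0,-28} -> {1}' -f $ns, ($match.NameServers -join ', '))
        } else {
            Write-Warning "No NRPT rule for $ns; queries for it follow interface order instead."
        }
    }
    return $rules
}

function Test-DnsPolicyConfigKey {
    if (Test-Path $policyKey) {
        $subkeys = @(Get-ChildItem $policyKey -ErrorAction SilentlyContinue)
        Write-Warning "$policyKey exists with $($subkeys.Count) subkey(s); the answer reports this key as the reason Get-DnsClientNrptPolicy returned nothing."
        return $true
    }
    Write-Host "$policyKey is absent."
    return $false
}

$null    = Test-NrptCoverage -Namespaces $ExpectedNamespaces
$present = Test-DnsPolicyConfigKey

if ($present -and $RemoveKey) {
    # Local equivalent of the cleanup the answer does through GPO. If the GPO that
    # sets the DNS suffix is still applied, the key comes back at the next refresh.
    Remove-Item -Path $policyKey -Recurse -Force
    Clear-DnsClientCache
    Write-Host 'Key removed; reconnect the VPN and re-run to confirm NRPT rules appear.'
}
```

Run it with the VPN connected: the namespaces that the VPN profile is supposed to direct at the internal resolvers should appear with their name servers, and the key should be absent. A warning on both checks matches the situation the answer describes.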

  2. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-03-16T08:40:07.267+00:00

    Hi,

    Thanks for posting in Q&A platform.

    The metric of the specified interface determines the priority of the interface: the lower the metric, the higher the priority of the interface.

    Based on the provided information, my understanding is that when the VPN is down, DNS queries and DNS resolution work normally. When the VPN is up, the DNS query goes through the incorrect DNS server, which also means that when the VPN is up, the DNS query goes through the Ethernet interface rather than the VPN interface. Am I correct here? Please correct me if my understanding is wrong.

    When the VPN is up, could you please provide the result of Get-NetIPInterface, ipconfig /all and nslookup -d2 FQDN for further troubleshooting?

    Please kindly note that this is a public forum and everyone can view this thread; when you post the required screenshots, please remove your private information.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Thomas Gusset 36 Reputation points
    2021-03-16T11:17:12.77+00:00

    Hi Sunny
    thanks for your response.
    Yes, it's correct that DNS queries are going through the Ethernet interface and therefore return wrong results.
    The core problem seems to be that Windows changes the metric of the Ethernet interface from 25 to 4250, as you can see in the second screenshot, but only for IPv4 and not for IPv6.
    ipconfig /all shows the correct DNS servers (local Internet router for Ethernet, the company's internal DNS servers for the VPN connection).
    nslookup -d2 shows that the DNS query goes to the DNS servers configured for the Ethernet interface and the result is the external IP.

    After changing the metric of Ethernet IPv6 from 25 (default) to 100 (see screenshot 3), ipconfig still shows the same DNS servers.
    But nslookup now queries the internal DNS servers and returns the correct internal IP.

    Best Regards
    Thomas


  4. Cheong00 3,471 Reputation points
    2021-06-16T02:04:14.31+00:00

    IMO, you should configure the remote DNS to resolve DNS queries for the private DNS zone only, and not to resolve external domains from your private IP range. (I know how to set this up with BIND10, but I'm not sure how to set it up with Azure.)

    Alternatively, you can remove the DnsServers setting from the Always On DNS configuration so that clients connecting to the VPN will not use Azure DNS to resolve host names. And then, at your domain DNS server, add a secondary/slave zone that listens to the Azure DNS server as master to update the private DNS zone records (with the master DNS server pointing to the value in the DnsServers setting you just removed).


  5. mbolster 1 Reputation point
    2021-06-24T11:06:16.673+00:00

    Hello,

    Is there already a hotfix available for this issue? We are facing exactly the same issue.

    Currently I need to execute a migration from DirectAccess to AOVPN, which will not be very user friendly if IPv6 has to be disabled beforehand.
    Also, disabling the IPv6 interface does not seem to be a future-proof solution to me.

    Regards,
    Martijn
