Always On VPN DNS resolution problem

Thomas Gusset 36 Reputation points
2021-03-15T14:25:36.607+00:00

Hi

we set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10.

The customer uses split DNS, which means the same FQDN points to different IPs depending on whether you are on an inside or outside network.

Everything works fine but there is a strange issue with DNS resolution.

One would expect that in force-tunnel mode all the network traffic goes through the VPN tunnel. But for DNS requests you can observe that there are DNS requests to the internal DNS servers (as expected) but also to the DNS servers configured on the LAN interface.

It looks like Win 10 asks all the DNS servers and selects one of the responses (if there are different responses). It seems to be the response from the DNS server on the interface with the lowest metric.

The VPN client changes the metric as soon as the VPN tunnel is up.

[screenshot 1: metrics while VPN is down]
[screenshot 2: metrics when VPN is up]
As we can see, the metric of the IPv4 Ethernet interface has changed from 25 to 4250. Therefore VPN (CL06 VPN Verwaltung) now has the lowest metric and we would expect that DNS responses from the internal DNS servers will be used.

But we still see the DNS response from the DNS server configured on the Ethernet interface. Because we have to access the internal server, the DNS response returns the wrong IP.

After some research we found that we should disable IPv6 on the Ethernet interface. And this works -> now DNS resolves the internal IP.

This seems to be very strange.

Next we changed the metric of IPv6 of the Ethernet interface from 25 to 100 and enabled IPv6 again.
[screenshot 3: IPv6 metric of the Ethernet interface changed to 100]
... and it works too.

There is no IPv6 connectivity on the Ethernet interface (nor on the VPN). We sniffed the traffic on the Ethernet interface and see only IPv4 DNS traffic.

Any idea why this behavior could make sense?

For me this seems to be a bug.
Thomas
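A diagnostic check for the situation described above, added here as an example that is not part of the original post. It lists each connected interface's IPv4/IPv6 metrics and DNS servers and warns when a non-VPN interface does not lose to the VPN on metric; the "lowest metric across both address families" rule and the `-VpnName` parameter are assumptions modelled on the observation that the Ethernet IPv6 metric influenced IPv4 DNS resolution.

```powershell
# Added example, not from the original post. Assumption: $VpnName is the AoVPN
# connection name exactly as it appears in InterfaceAlias (e.g. 'CL06 VPN Verwaltung').
function Test-VpnMetricOrder {
    param([Parameter(Mandatory)][string]$VpnName)

    $dns = Get-DnsClientServerAddress
    $report = Get-NetIPInterface |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Group-Object InterfaceIndex | ForEach-Object {
            $rows    = $_.Group                       # IPv4 and/or IPv6 row of one interface
            $servers = ($dns | Where-Object { $_.InterfaceIndex -eq $rows[0].InterfaceIndex }).ServerAddresses
            [pscustomobject]@{
                Interface  = $rows[0].InterfaceAlias
                IPv4Metric = ($rows | Where-Object AddressFamily -eq 'IPv4').InterfaceMetric
                IPv6Metric = ($rows | Where-Object AddressFamily -eq 'IPv6').InterfaceMetric
                # Assumption from the thread: the lower of the two family metrics is what matters
                MinMetric  = ($rows.InterfaceMetric | Measure-Object -Minimum).Minimum
                DnsServers = ($servers -join ', ')
                IsVpn      = ($rows[0].InterfaceAlias -eq $VpnName)
            }
        }

    $report | Sort-Object MinMetric | Format-Table -AutoSize
    $vpn = $report | Where-Object IsVpn
    if (-not $vpn) { Write-Warning "No connected interface named '$VpnName'"; return $report }

    # Any other interface that carries DNS servers and does not lose to the VPN on metric
    # can still have its answer (the external split-DNS address) selected.
    $report | Where-Object { -not $_.IsVpn -and $_.DnsServers -and $_.MinMetric -le $vpn.MinMetric } |
        ForEach-Object {
            Write-Warning ("'{0}' (IPv4 {1}, IPv6 {2}) does not lose to VPN metric {3}; its DNS servers: {4}" -f
                $_.Interface, $_.IPv4Metric, $_.IPv6Metric, $vpn.MinMetric, $_.DnsServers)
        }
    return $report
}

Test-VpnMetricOrder -VpnName 'CL06 VPN Verwaltung'
```

Run it once with the tunnel down and once with it up to see which interface still ties or beats the VPN after the automatic metric change.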


11 answers

  1. FerryvS 11 Reputation points
    2021-07-06T09:39:28.307+00:00

    Haven't tested this yet (no machines available to test with), but this PowerShell should modify the metric only for wired adapters:

    Get-NetAdapter | ? {$_.MediaType -eq "802.3"} | Get-NetIPInterface -AddressFamily "IPv6" | Set-NetIPInterface -AutomaticMetric Disabled -InterfaceMetric 100
    

    How did you set it?


  2. Stefan Bauer 1 Reputation point
    2021-08-06T16:12:55.583+00:00

    Too bad. We hit the same problem. In 2021 disabling v6 is not an option.


  3. Thomas Gusset 36 Reputation points
    2021-09-07T14:22:45.257+00:00

    As another workaround it is possible to change the default metric for the VPN connection.
    To do so, the rasphone.pbk file must be changed.
    The following parameters define the metric for the VPN interface created by AoVPN.
    • IpInterfaceMetric
    • Ipv6InterfaceMetric
    Change these values to the metric you need (it should be lower than 25), e.g. 24.
    The location of rasphone.pbk is
    C:\ProgramData\Microsoft\Network\Connections\Pbk\
    If the user using AoVPN has no admin rights (which I hope is the case), Windows creates a copy of that file at
    %appdata%\Microsoft\Network\Connections\Pbk\_hiddenPbk
    Richard M. Hicks has published a PS script that can be used to change rasphone.pbk -> https://github.com/richardhicks/aovpn/blob/master/Update-Rasphone.ps1
    For example:

    .\Update-Rasphone.ps1 -AllUserConnection -ProfileName '<profile name>' -InterfaceMetric 24
    

    Thomas
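A minimal way to apply the rasphone.pbk change described in this answer, added here as an example; it is neither the poster's code nor Richard M. Hicks' Update-Rasphone.ps1. It assumes rasphone.pbk is INI-style ([ProfileName] sections with Key=Value lines) and that the IpInterfaceMetric and Ipv6InterfaceMetric keys already exist in the profile's section.

```powershell
# Added example, not from the original post. Sets both metric keys of one profile
# in rasphone.pbk and keeps a backup. The function name and parameters are hypothetical.
function Set-RasphoneMetric {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [ValidateRange(1, 9999)][int]$Metric = 24,   # must be lower than the LAN's 25 (see the thread)
        [string]$Path = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    )
    if (-not (Test-Path $Path)) { throw "rasphone.pbk not found at $Path" }
    Copy-Item $Path "$Path.bak" -Force                 # backup before editing

    $inSection = $false
    $changed   = 0
    $lines = Get-Content -Path $Path | ForEach-Object {
        # A [Header] line starts a new section; remember whether it is our profile
        if ($_ -match '^\[(.*)\]$') { $inSection = ($Matches[1] -eq $ProfileName) }
        if ($inSection -and $_ -match '^(IpInterfaceMetric|Ipv6InterfaceMetric)=') {
            $changed++
            "$($Matches[1])=$Metric"                   # rewrite the key with the new value
        } else {
            $_                                         # every other line is passed through unchanged
        }
    }
    if ($changed -eq 0) { throw "Profile '$ProfileName' or its metric keys not found in $Path" }
    # Assumption: PowerShell's default text encoding matches the file; verify on your system first.
    Set-Content -Path $Path -Value $lines
    Write-Verbose "Updated $changed metric key(s) of '$ProfileName' to $Metric"
    return $changed
}

# All-user profile (needs admin); for a non-admin user's copy pass
# -Path "$env:APPDATA\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk" instead.
Set-RasphoneMetric -ProfileName 'CL06 VPN Verwaltung' -Metric 24 -Verbose
```

Reconnect the VPN afterwards and compare the VPN interface's metric in Get-NetIPInterface against the Ethernet IPv6 metric to confirm the VPN now wins.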


  4. RuKo 26 Reputation points
    2022-08-31T16:05:44.577+00:00

    Hello all,

    I have been having a similar issue. In the end, I found that the issue is not Windows per se but your VPN server not providing you with an IPv6 address and internal DNS server address.

    Try enabling IPv6 addressing and set up an IPv6 address for your DNS server so that the requests can come into it.

    Then what will happen is the metrics will be updated for both IPv4 and IPv6 when your always on connection is active.

    Therefore:

    • Ask your VPN Administrator to enable IPv6 DHCP for your VPN connections
    • Add IPv6 to your DNS Server and start hosting IPv6 on your Internal DNS server.
    • Ask your Networking team to confirm IPv6 is working between the VPN server and the DNS Server.
    • Once all the above is confirmed, test with your always on VPN connection to see if the metrics have been updated automatically.
      or
      • Enable IPv6 on your VPN RRAS server but do not enter an IPv6 DNS server or route it to your network interfaces. This will activate the dummy IPv6 to allow Windows auto metrics to be configured correctly.

    I currently cannot do this as we are in the same boat on this issue.
    I am waiting for management to approve these changes to have this updated.


  5. Nick Doud 6 Reputation points
    2023-09-28T15:45:05.31+00:00

    Recently converted from DA to Always On. AO had been working for months; I changed my DC and now some VPN connections aren't getting the DNS servers and are not able to connect to mapped drives. I can force DNS through policy, but not sure why? Agree it could be the metrics mentioned above. There is a PowerShell command to set the metric.

    However, end-user would constantly have to run the command to set the lower setting.

    Why is user connected to NICs?

    Plus your VPN is getting a lower number and becoming primary.