Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,296 questions
Always On VPN DNS resolution problem
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 74%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Thomas Gusset
36
Reputation points
Hi
we set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10.
The customer use split DNS, that means the same FQDN points to a different IPs depending if you are in an inside or outside network.
Everything works fine but there is a strange issue with DNS resolution.
One would expect that in force-tunnel mode all the network traffic goes to the VPN tunnel. But for DNS requests you can observe, that there are DNS requests to the internal DNS servers (like expected) but also to the DNS servers configured on the LAN interface.
It looks like Win 10 asks all the DNS servers and selects one of the responses (if there are different responses). It seems to be the response from the DNS server on the interface with the lowest metric.
The VPN client changes the metric as soon as the VPN tunnel is up.
metrics while VPN is down
metrics when VPN is up
as we can see the metric of the IPv4 Ethernet interface has changed from 25 to 4250. Therefore VPN (CL06 VPN Verwaltung) has now the lowest metric and we would expect that DNS responses from the internal DNS servers will be used.
But we still see the DNS response from the DNS server configured on the Ethernet interface. Because we have to access the internal server the DNS response returns the wrong IP.
After some research we found that we should disable IPv6 on the Ethernet interface. And this works -> now DNS resolves the internal IP.
This seems to be very strange.
Next we changed the metric of IPv6 of the Ethernet interface from 25 to 100 and enabled IPv6 again.
... and it works too
There is no IPv6 connectivity on the Ethernet interface (nor on the VPN). We sniff the traffic on Ethernet interface and see only IPv4 DNS traffic.
Any idea why this behavior could make sense?
For me this seems to be a bug.
Thomas
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Aaron 1 Reputation point2021-12-16T21:11:58.833+00:00 Has anyone found a good way to deploy the metric fix via InTune?
-
arambasil 0 Reputation points2023-09-28T16:38:40.9133333+00:00 The behavior you're experiencing with DNS resolution and metric changes on network interfaces in the context of Windows Always On VPN in force-tunnel mode can be complex and sometimes unexpected. It's important to understand that Windows networking and DNS resolution can be influenced by a variety of factors, and while the behavior you described might seem like a bug, it could also be a result of the design and configuration of the Windows networking stack.
Here are a few considerations and explanations for the behavior you observed:
Metric Changes: When the VPN tunnel is established, Windows will automatically adjust the metric of the VPN interface to make it the lowest-cost route for network traffic. This is expected behavior and helps ensure that traffic destined for the VPN's subnet goes through the tunnel.
IPv6 Impact: Even if you don't have active IPv6 traffic, Windows still prefers to use IPv6 DNS servers if they are available. Disabling IPv6 on an interface might cause Windows to rely exclusively on IPv4 DNS servers.
DNS Resolution: Windows may send DNS queries to all configured DNS servers (both IPv4 and IPv6) and use the response that arrives first. This can result in the behavior you observed, where the DNS response from the LAN DNS server is used, even though the VPN DNS servers should be preferred.
DNS Suffixes: Ensure that DNS suffixes are configured correctly on your VPN adapter and LAN adapter. Incorrect or missing DNS suffixes can affect DNS resolution behavior.
DNS Split Tunneling: In a force-tunnel VPN configuration, Windows is expected to route all traffic through the VPN tunnel, including DNS queries. If DNS traffic is bypassing the tunnel, it might be due to incorrect split-tunneling settings.
Client-Side Configuration: Ensure that the Windows 10 client is configured to use the VPN DNS servers exclusively. Verify that there are no alternative DNS servers configured in the client's network adapter settings.
DNS Server Behavior: Verify the configuration of your DNS servers. They should be configured to resolve internal and external DNS queries correctly based on the client's source IP address.
DNS Caching: Windows may cache DNS responses, so clearing the DNS cache on the client machine might help resolve some DNS-related issues.
If you've gone through these considerations and still experience unexpected behavior, it's a good idea to involve your organization's network or IT support team. They can provide more specific guidance and investigate whether any group policies, scripts, or other factors are affecting DNS resolution on your VPN clients. Additionally, consulting Microsoft support or forums may provide insights from others who have encountered similar issues with Always On VPN configurations.
Sign in to comment
11 answers
Sort by: Most helpful
-
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more