Issue with resolving hostnames while connected to p2s Azure VPN

alex2015 1 Reputation point

Hi all. Our company has different web apps and web servers hosted at Azure. All people connect to private IPs of those resources via Azure p2s VPN. Everything was good, but on some Windows 10 workstations we faced an issue. Somehow it resolves not private but public IPs. Looks like the DNS settings of the network adapter somehow override the DNS settings of the VPN connection.
If I set Azure DNS in the network adapter settings, it resolves the private IP, but the workstation doesn't have access to the rest of the world. If I add or to the network adapter settings additionally (Azure DNS as primary DNS and as secondary DNS), it starts to resolve public IPs again.

Is there any way to use the DNS of the VPN connection when I need to access Azure resources and the DNS of the network adapter when I need to access the rest of the world? Does anybody know how to resolve this issue?

Azure VPN Gateway

6 answers

Sort by: Most helpful
  1. Rob H 41 Reputation points

    I had this issue and spent 3 days trying to find an answer.
    Setup was:

    1. The virtual network in Azure is assigned a local VM DNS server (internal IP).
    2. The Azure VPN client showed the DNS server when connected, and ipconfig did NOT show the DNS server.
    3. PowerShell Get-DnsClientNrptPolicy showed the correct local DNS server was assigned.
    4. Could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution.
    5. Followed every step for setting up DNS forwarders for file shares and Private Link.
    6. Still could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution.

    The answer turns out to be ridiculously simple but took me 3 days to finally resolve. Modify the XML file that you download from the Azure portal for the VPN client to add the in the dnssuffixes you want resolved via the VPN (make sure to put the (.) before typing out the domain name).

    nslookup immediately returned the correct internal IPs for every query. Since I had also set up an Azure file share and had set up the forwarders for it in the DNS server, I added the DNS suffix "" and now mapping drives resolves to the internal IP. Anyway, I hope this helps, because this was a ridiculous problem I spent HOURS and HOURS trying to find an answer to.


    How do I add DNS suffixes to the VPN client?
    You can modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix> </dnssuffix></dnssuffixes> tags.



    4 people found this answer helpful.
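The profile edit described in the answer above, as an added PowerShell example that is not from the thread or from Microsoft: it appends `dnssuffix` entries under `clientconfig/dnssuffixes` in a downloaded azurevpnconfig.xml, keeps a backup, and then checks the resulting NRPT rule after reconnecting. The profile path, the suffixes, and the test hostname are assumptions; the profile's default XML namespace is handled generically.

```powershell
# Added example (not from the thread): append DNS suffixes to a downloaded
# Azure VPN client profile so that names under those suffixes are resolved
# through the VPN's DNS server (an NRPT rule), while every other name keeps
# using the LAN/Wi-Fi resolver. Path, suffixes and test host are assumptions.
param(
    [string]$ProfilePath = "$env:USERPROFILE\Downloads\AzureVPN\azurevpnconfig.xml",
    [string[]]$Suffixes  = @('.corp.example', '.privatelink.file.core.windows.net')
)

[xml]$doc = Get-Content -Path $ProfilePath -Raw
$ns  = $doc.DocumentElement.NamespaceURI          # the profile declares a default namespace
$nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsm.AddNamespace('p', $ns)

$clientconfig = $doc.SelectSingleNode('//p:clientconfig', $nsm)
if (-not $clientconfig) { throw "clientconfig element not found in $ProfilePath" }

# Reuse an existing <dnssuffixes> container or create one in the same namespace
$dnssuffixes = $doc.SelectSingleNode('//p:clientconfig/p:dnssuffixes', $nsm)
if (-not $dnssuffixes) {
    $dnssuffixes = $doc.CreateElement('dnssuffixes', $ns)
    [void]$clientconfig.AppendChild($dnssuffixes)
}

foreach ($s in $Suffixes) {
    if (-not $s.StartsWith('.')) { $s = ".$s" }     # the suffix must carry the leading dot
    $already = $dnssuffixes.SelectNodes('p:dnssuffix', $nsm) | Where-Object { $_.InnerText -eq $s }
    if ($already) { continue }                      # idempotent: skip duplicates
    $el = $doc.CreateElement('dnssuffix', $ns)
    $el.InnerText = $s
    [void]$dnssuffixes.AppendChild($el)
}

Copy-Item -Path $ProfilePath -Destination "$ProfilePath.bak" -Force
$doc.Save($ProfilePath)

# After re-importing the profile in the Azure VPN Client and connecting:
# the NRPT rule for each suffix should point at the VPN DNS server, and a
# name under the suffix should resolve to the private address.
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -in $Suffixes } |
    Format-Table Namespace, NameServers -AutoSize
Resolve-DnsName 'app.corp.example' -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Re-import the saved profile in the Azure VPN Client after running this; the client only reads the XML at import time. Because the rule is suffix-scoped, names outside the listed suffixes are unaffected, which is the split behaviour the original question asks for, and it does not depend on interface metrics.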

  2. GitaraniSharma-MSFT 39,421 Reputation points Microsoft Employee

    Hello @alex2015 ,

    This is a known issue and is documented as below:

    When the client connects to Azure by using point-to-site VPN connection, it cannot resolve the FQDN of the resources in your local domain.

    Point-to-site VPN client normally uses Azure DNS servers that are configured in the Azure virtual network. The Azure DNS servers take precedence over the local DNS servers that are configured in the client (unless the metric of the Ethernet interface is lower), so all DNS queries are sent to the Azure DNS servers. If the Azure DNS servers do not have the records for the local resources, the query fails.

    To resolve the problem, make sure that the Azure DNS servers that are used on the Azure virtual network can resolve the DNS records for local resources. To do this, you can use DNS forwarders or conditional forwarders. For more information, see Name resolution using your own DNS server.

    You can refer to the article below for this issue:

    Kindly let us know if you need any further assistance on this issue from our end.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

  3. The Architect 1 Reputation point

    I love it when I read a trend of posts of programmers and developers trying to do a simple fix by hacking code and files all over the place for days, and at the end they end up with a mess that ain't working.

    There is absolutely no such thing as a DNS issue for Azure P2S VPN; you just didn't do it right.

    All you need to do is this:
    On the VNET that you plan to have your VPN's GatewaySubnet on, make sure you configure your DNS server IP, whether it is on a VM in the same tenancy, on-prem, or the internal IP of Azure Firewall when you use it as a DNS proxy.

    If you didn't do the previous step before building your Azure VPN gateway, then you need to rebuild it after configuring the DNS.

    That's it.
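The VNet DNS configuration step from the post above, as an added Az PowerShell example that is not from the thread or from Microsoft: it sets the VNet's custom DNS server, confirms it, and regenerates the P2S client profile so the new server reaches clients. Resource group, VNet, gateway names and the DNS server IP are assumptions; whether the gateway itself must also be reset or rebuilt is as the post above describes.

```powershell
# Added example (not from the thread): point the VNet at a custom DNS server
# with Az PowerShell and regenerate the P2S client profile. All names and the
# DNS IP below are assumptions for illustration.
$rg       = 'rg-example'
$vnetName = 'vnet-example'
$gwName   = 'vpngw-example'
$dnsIp    = '10.0.0.4'   # DNS VM in the VNet, or Azure Firewall's private IP when used as DNS proxy

# Set the custom resolver on the VNet (what the post above calls "configure your DNS server IP")
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DhcpOptions.DnsServers = @($dnsIp)
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Confirm the VNet now advertises the custom resolver
(Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName).DhcpOptions.DnsServers

# P2S clients learn the DNS server from the downloaded profile, so generate a
# fresh profile and re-import it in the Azure VPN Client.
$clientCfg = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod 'EapTls'
Invoke-WebRequest -Uri $clientCfg.VpnProfileSASUrl -OutFile "$env:TEMP\vpnclient.zip"
```

After importing the new profile and connecting, ipconfig /all should list the custom server on the VPN (PPP) adapter; if the physical adapter's DNS still answers first, the interface metric comparison discussed later in the thread is the next thing to check.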

  4. Joe Freeman 56 Reputation points

    How does the system know when to use which DNS server without the suffixes?

    1. I deployed a DNS server and tied it to the VNET.
    2. Downloaded the VPN configuration.
    3. Verified the DNS server is in the generic configuration. There are no DNS suffixes in the config file.
    4. Deleted my Azure Windows 10 VPN config and then launched the VPN config .exe to create the VPN in Windows 11.
    5. Connected to the VPN.
    6. ipconfig /all shows the correct DNS server for the PPP adapter.

    Test results

    1. nslookup for my Private Link name when explicitly selecting the VNET DNS server finds the internal IP as expected.
    2. nslookup for my Private Link name when not explicitly selecting the VNET DNS server finds the external IP.

  5. Joe Freeman 56 Reputation points

    In the PBK file:

    1. IpDnsSuffix=
    2. IpDnsFlags=0

    Looking at the interfaces:

    PS C:\Users\xxx> netsh interface ipv4 show interfaces

    Idx Met MTU State Name

    60 25 1400 connected FsiExample-VNET
    1 75 4294967295 connected Loopback Pseudo-Interface 1
    23 70 1500 disconnected Wi-Fi
    4 25 1500 connected Ethernet
    5 25 1500 disconnected Local Area Connection* 1
    12 65 1500 disconnected Bluetooth Network Connection
    25 25 1500 disconnected Local Area Connection* 2
    24 15 1500 connected vEthernet (Default Switch)
    11 35 1500 connected VMware Network Adapter VMnet1
    20 35 1500 connected VMware Network Adapter VMnet8
    19 35 1500 connected Azure Sphere
    56 15 1500 connected vEthernet (WSL)

    It was the metric of the Ethernet interface vs. the VPN interface. They had the same metric.

    If I unplug my Ethernet and connect using Wi-Fi, then the lookups return the internal Azure DNS. The VPN interface is higher priority than the Wi-Fi.
    If I plug the Ethernet cable back in, then I get the external IPs instead of the internal Azure ones.
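The metric tie described in the answer above, as an added PowerShell diagnostic that is not from the thread or from Microsoft: it compares the VPN interface's IPv4 metric with each connected physical adapter, lists the resolver each one carries, and resolves one name through both resolvers so the public/private split is visible. The interface aliases and the test hostname are assumptions; take the real names from the netsh output above.

```powershell
# Added example (not from the thread): report whether the P2S VPN interface
# outranks the physical adapters for DNS, and compare what each resolver
# returns. Aliases and the test name are assumptions for illustration.
function Get-VpnDnsPrecedence {
    param(
        [Parameter(Mandatory)][string]$VpnInterfaceAlias,      # e.g. 'FsiExample-VNET'
        [string[]]$PhysicalAliases = @('Ethernet', 'Wi-Fi')
    )
    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' }
    $vpn = $ifaces | Where-Object InterfaceAlias -eq $VpnInterfaceAlias
    if (-not $vpn) { throw "VPN interface '$VpnInterfaceAlias' is not connected" }

    foreach ($alias in $PhysicalAliases) {
        $phys = $ifaces | Where-Object InterfaceAlias -eq $alias
        if (-not $phys) { continue }                 # disconnected adapters take no part
        $dns = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Interface  = $alias
            Metric     = $phys.InterfaceMetric
            VpnMetric  = $vpn.InterfaceMetric
            DnsServers = ($dns -join ', ')
            # Lower metric wins; an equal metric is the tie the thread ran into,
            # where the LAN resolver can still answer first.
            VpnWins    = $vpn.InterfaceMetric -lt $phys.InterfaceMetric
        }
    }
}

Get-VpnDnsPrecedence -VpnInterfaceAlias 'FsiExample-VNET' | Format-Table -AutoSize

# Resolve the same name via the VPN resolver and via the default path;
# differing answers (private vs. public IP) confirm the precedence problem.
$vpnDns = (Get-DnsClientServerAddress -InterfaceAlias 'FsiExample-VNET' -AddressFamily IPv4).ServerAddresses[0]
Resolve-DnsName 'app.privatelink.example' -Server $vpnDns -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
Resolve-DnsName 'app.privatelink.example' -ErrorAction SilentlyContinue | Select-Object Name, IPAddress

# One remedy for the tie (run elevated): raise the wired adapter's metric above
# the VPN's so the VPN resolver is preferred while connected.
# Set-NetIPInterface -InterfaceAlias 'Ethernet' -AddressFamily IPv4 -InterfaceMetric 50
```

Changing the physical adapter's metric affects all traffic ordering on that machine, not only DNS, so the suffix-based NRPT approach from the first answer is the narrower fix when only specific domains need the VPN resolver.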