Always On VPN - DNS queries always sent to all servers
We are using Always On VPN with split tunneling, configured with ProfileXML and a list of internal domain suffixes. It works as expected, however, I noticed that clients always query all DNS servers.
What I had expected:
- For internal domains, DNS client queries corporate DNS over VPN tunnel
- For other domains, DNS client queries local DNS (of underlying Internet connection)
What actually happens:
- For internal domains, DNS client queries all DNS servers, ignores responses from local DNS and uses response from corporate DNS
- For other domains, DNS client queries all DNS servers, ignores responses from corporate DNS and uses response from local DNS
Is this expected behavior with Windows 10 and 11?
It caused some issues because certain AWS and/or Autodesk services seem to use DNS to detect the client location. When a user from the US is connected to a VPN server in Europe, and AWS receives his DNS queries from a European ISP, he is assigned to a European Autodesk server, even though he sends the same DNS queries over his US ISP and connects to Autodesk from the US.
It is hard to explain, but according to our tests, it's definitely DNS. We just changed our internal DNS server (the one that serves Always On clients) to route through a US Internet connection, and Autodesk clients are now served by their US server. Change internal DNS back to EU Internet connection -> VPN clients served by EU Autodesk server. Even though the clients do not use the DNS responses from the internal server and do not route Internet traffic over VPN.
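The following PowerShell script is an added diagnostic example for the behaviour described in the question; it is not part of the original post. It assumes it is run in an elevated session on a Windows 10/11 client while the Always On VPN connection is up, and the host name `intranet.corp.example.com` and interface filter are placeholders to adjust. It prints the effective NRPT rules that the ProfileXML domain suffix list produces, finds the rule that should apply to the test name, lists the DNS servers of every interface, queries each of those servers directly, and finally asks the system resolver, so you can see which server's answer the client actually used and whether the same query reached servers the NRPT rule should have excluded. It also reads the "Turn off smart multi-homed name resolution" policy value, which governs whether the DNS client sends queries over all interfaces in parallel.

```powershell
# Added diagnostic script; not code from the original post.
# Assumptions: elevated PowerShell on Windows 10/11, Always On VPN connected,
# $Name is an internal name covered by the ProfileXML DomainNameInformation list.
[CmdletBinding()]
param(
    [string]$Name = 'intranet.corp.example.com'   # assumed internal host name
)

# NRPT rules match either an exact FQDN or, when the namespace starts with '.',
# any name ending in that suffix; the longest matching namespace wins.
function Get-MatchingNrptRule {
    param([string]$Name, [object[]]$Rules)
    $best = $null
    foreach ($r in $Rules) {
        $ns = [string]$r.Namespace
        $hit = if ($ns.StartsWith('.')) {
            $Name.EndsWith($ns, [System.StringComparison]::OrdinalIgnoreCase)
        } else {
            [string]::Equals($Name, $ns, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if ($hit -and ($null -eq $best -or $ns.Length -gt $best.Namespace.Length)) { $best = $r }
    }
    return $best
}

Write-Host "== Effective NRPT rules (from ProfileXML DomainNameInformation) =="
$rules = @(Get-DnsClientNrptPolicy -Effective)
$rules | Select-Object Namespace, NameServers | Format-Table -AutoSize

$rule = Get-MatchingNrptRule -Name $Name -Rules $rules
if ($rule) {
    Write-Host "NRPT rule for '$Name': $($rule.Namespace) -> $($rule.NameServers -join ', ')"
} else {
    Write-Host "No NRPT rule matches '$Name'; it falls through to the interface DNS servers."
}

Write-Host "`n== DNS servers per interface =="
$ifaces = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
$ifaces | Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# Query every configured server directly, bypassing the cache and hosts file,
# to see what each side (corporate vs. local ISP) would answer.
Write-Host "== Direct answers per server =="
foreach ($i in $ifaces) {
    foreach ($ip in $i.ServerAddresses) {
        try {
            $a = Resolve-DnsName -Name $Name -Server $ip -DnsOnly -NoHostsFile -ErrorAction Stop |
                 Where-Object { $_.Type -in 'A', 'AAAA' } | ForEach-Object { $_.IPAddress }
            Write-Host ("{0,-30} {1,-16} {2}" -f $i.InterfaceAlias, $ip, ($a -join ', '))
        } catch {
            Write-Host ("{0,-30} {1,-16} (no answer: {2})" -f $i.InterfaceAlias, $ip, $_.Exception.Message)
        }
    }
}

# What the system resolver actually returns after applying NRPT and its own
# server selection. Compare with the per-server answers above.
Write-Host "`n== System resolver result =="
Clear-DnsClientCache
Resolve-DnsName -Name $Name -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object Name, Type, IPAddress | Format-Table -AutoSize

# Policy behind parallel queries on all interfaces:
# Computer Configuration > Administrative Templates > Network > DNS Client >
# "Turn off smart multi-homed name resolution". 1 = turned off.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$pol = Get-ItemProperty -Path $polPath -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if ($pol) {
    Write-Host "`nDisableSmartNameResolution = $($pol.DisableSmartNameResolution)"
} else {
    Write-Host "`nDisableSmartNameResolution not set (smart multi-homed name resolution enabled)."
}
```

Run it once with an internal name and once with a public name while a packet capture (for example `pktmon` or Wireshark filtered on UDP/TCP port 53) is running on both the physical and the VPN interfaces; the capture shows which servers each query was sent to, while the script shows which rule should have applied and which answer the resolver kept.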