Windows 10 - VPN DNS problem

    Question

  • Hello,
    I have a question about DNS resolver in W10. As I understand it, new behavior in W10 is, that resolver queries on all adapters in parallel and then takes the first answer. Am I right? We have a split brain DNS architecture in our company and this behavior is really a problem for us. When we are outside the company and we establish VPN connection into the corporate network, we need to ask DNS server on the VPN interface, because otherwise the corporate resources are inaccessible. I know, that I can achieve it manually by setting DNS server, metrics etc., but we have hundreds of notebooks, so I need to find a systematic solution, like GPO. Is there any way, how to achieve that? Thank you...
    Tuesday, October 27, 2015 8:15 AM

Answers

  • Hi,
    thank you, but this is not about gateway, but about DNS. Read something about Windows 10 DNS resolver and DNS leaks. There are a lot of articles written on that. For example:

    https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1

    There are problem-solving scripts, but they are written for OpenVPN (we use another solution).

    https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

    Some VPN clients have solution already implemented in client software, but unfortunately, not our VPN client.

    I think, we could close this thread. There is most likely no elegant solution. I should write a script, similar to this script: https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html. Even though, I hope, there will be an option, how to fix this by GPO in the future...

    Thank you for your time...

    Wednesday, November 18, 2015 8:38 AM

All replies

  • Hi d3VL1n,

    Regarding adding the DNS entry, how about we add it with the Netsh command?

    netsh interface ipv4 set dns "Local Area Connection" static 192.168.0.123

    And:

    netsh interface ipv4 add dns "Local Area Connection" 192.168.0.3 index=2

    If this is OK, then we could save the command into scripts, after that, deploy it using the logon/startup script group policy.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, October 29, 2015 5:38 AM
    Moderator
  • Thank you for your response. Unfortunately, I can't set static addresses to interfaces. Also, we haven't VPN clients on all computers and computers with VPN clients aren't separated in AD. We need this: When the VPN connection is established, the DNS resolver queries only the DNS server on the VPN interface. That's all. I don't understand, why Windows 10 behaves in this way...
    Wednesday, November 4, 2015 1:04 PM
  • Hi D3vl1n,

    Well, I can't tell how Windows 10 behaves as I don't know much about it.

    How about we enable the use of the default gateway on the remote network?

    If the above is available, then please check:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f228d2ae-232d-4572-8eee-60252f6d03a3/can-i-enable-use-default-gateway-on-remote-network-on-vpn-connection-using-group-policy?forum=winserverGP

    Regards



    Monday, November 9, 2015 9:01 AM
    Moderator
  • Thank you for your response. Unfortunately, I can't set static addresses to interfaces. Also, we haven't VPN clients on all computers and computers with VPN clients aren't separated in AD. We need this: When the VPN connection is established, the DNS resolver queries only the DNS server on the VPN interface. That's all. I don't understand, why Windows 10 behaves in this way...

    I'd say the same thing, that is exactly how a vpn connection is supposed to work but Windows 10 never queries the vpn dns servers. Definitely seems to be a bug in Windows 10 based on the behavior we've seen with it and the fact that not every client works the same.

    I had been hoping to find a hotfix or something available to fix it.

    Very frustrating.

    Friday, April 1, 2016 5:32 PM
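
One way to script the behaviour asked for in this thread (corporate names resolved only by the DNS servers behind the VPN while the tunnel is up), given as an added example that is not code from any poster or from the linked pages. The adapter alias `Corp VPN`, the namespace `.corp.example` and the server addresses are constructed placeholders; the registry value is the one behind the "Turn off smart multi-homed name resolution" DNS Client policy.

```powershell
# Added example: pin corporate names to the VPN DNS servers while the tunnel is up.
# Every default below is a constructed placeholder; replace it for your environment.
param(
    [ValidateSet('Connect', 'Disconnect')]
    [string]$Action = 'Connect',
    [string]$VpnAlias = 'Corp VPN',                      # assumed VPN adapter name
    [string]$Namespace = '.corp.example',                # leading dot = suffix match
    [string[]]$DnsServers = @('10.0.0.53', '10.0.0.54')  # assumed internal resolvers
)

$ErrorActionPreference = 'Stop'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Remove-CorpNrptRule {
    # Local NRPT rules get GUID names, so match on the namespace instead.
    Get-DnsClientNrptRule |
        Where-Object { $_.Namespace -contains $Namespace } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
}

if ($Action -eq 'Connect') {
    # Policy value: stop the resolver from querying every adapter in parallel.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'DisableSmartNameResolution' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Make the VPN adapter the preferred interface for everything else.
    Set-NetIPInterface -InterfaceAlias $VpnAlias -InterfaceMetric 1

    # Send the corporate namespace to the internal DNS servers only.
    Remove-CorpNrptRule
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $DnsServers
}
else {
    # Off the VPN the internal servers are unreachable, so drop the rule again;
    # otherwise the split-brain names would stop resolving externally.
    Remove-CorpNrptRule
    Set-NetIPInterface -InterfaceAlias $VpnAlias -AutomaticMetric Enabled `
        -ErrorAction SilentlyContinue
}

Clear-DnsClientCache   # discard answers cached from the wrong resolver

# Show the resulting state for verification.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Namespace } |
    Format-List Name, Namespace, NameServers
Get-NetIPInterface -InterfaceAlias $VpnAlias -ErrorAction SilentlyContinue |
    Format-Table InterfaceAlias, AddressFamily, InterfaceMetric
```

Run it elevated with `-Action Connect` and `-Action Disconnect` from whatever connect and disconnect hooks the VPN client provides (an assumption; the thread does not name the client). The policy value alone can also be deployed through GPO to all machines, since it does nothing harmful on computers without a VPN client.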