Always on VPN - local dns issue for clients using a nic

  • Question

  • Hello,

    Always On VPN is working pretty well.   I just have a couple more items to work out before we decide if we'll use it.    If someone could help resolve the issue below, I'd greatly appreciate it.   

    We use split tunneling.

    When a vpn client connects by wireless, we have no issues with DNS.

    When a vpn client connects by wired, it wants to use the nic's dns to resolve queries.   It can't resolve anything.

    If we change the metric on the vpn adapter to something low, it will work right.   Surely this isn't the norm though and I'm missing something as we don't want to have to update this regularly for staff.

    Thank you much,

    Matt

    Tuesday, October 29, 2019 7:24 PM
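    The symptom in the question (wired/wireless DNS winning over the VPN adapter unless the VPN metric is lowered) can be checked without reading ipconfig by hand. The following PowerShell is an added diagnostic, not code from the thread: it lists every connected IPv4 interface with its metric and the DNS servers bound to it, lowest metric first, and flags whether the VPN adapter is the one the resolver will prefer when no NRPT rule applies. It uses only the built-in NetTCPIP and DnsClient cmdlets; the default adapter name is taken from the poster's interface list and is otherwise an assumption.

```powershell
# Added diagnostic, not from the original thread. Lists connected IPv4 interfaces with
# their metric and DNS servers so you can see which adapter's DNS wins by metric.
function Get-DnsInterfaceOrder {
    [CmdletBinding()]
    param(
        # Assumed adapter name; the poster's list shows it as "Always On VPN"
        [string]$VpnAlias = 'Always On VPN'
    )

    $ifaces = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' }

    $rows = foreach ($if in $ifaces) {
        $dns = Get-DnsClientServerAddress -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            InterfaceAlias  = $if.InterfaceAlias
            InterfaceIndex  = $if.InterfaceIndex
            InterfaceMetric = $if.InterfaceMetric
            AutomaticMetric = $if.AutomaticMetric
            DnsServers      = ($dns.ServerAddresses -join ', ')
            IsVpn           = ($if.InterfaceAlias -eq $VpnAlias)
        }
    }

    # Lowest metric first: this is the adapter whose DNS servers are tried first
    # for names that no NRPT rule covers.
    $ordered = $rows | Sort-Object InterfaceMetric
    $vpn = $ordered | Where-Object IsVpn | Select-Object -First 1

    if (-not $vpn) {
        Write-Warning "No connected interface named '$VpnAlias' found."
    } elseif ($ordered[0].InterfaceIndex -ne $vpn.InterfaceIndex) {
        Write-Warning ("'{0}' (metric {1}) has a lower metric than '{2}' (metric {3}); " +
                       "without an NRPT rule, internal names will be sent to {0}'s DNS servers.") -f
                       $ordered[0].InterfaceAlias, $ordered[0].InterfaceMetric,
                       $vpn.InterfaceAlias, $vpn.InterfaceMetric
    }

    $ordered
}

Get-DnsInterfaceOrder | Format-Table -AutoSize
```

    Lowering the VPN metric, as the question describes, changes the order this function prints; the NRPT approach in the later replies instead pins specific suffixes to the VPN DNS servers regardless of metric.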

All replies

  • I'm hoping this is the answer.  I'll test more tomorrow

    https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/ 

    Tuesday, October 29, 2019 8:21 PM
  • Hi,

    I will wait for your good news.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Wednesday, October 30, 2019 5:12 AM
  • Hi Candy,

    Unfortunately it doesn't seem to work.  

    Here's my interface list.   I currently don't have a connection to nic (I219-LM) to test with so I changed my wifi card interface to have a lower metric than the always on vpn interface.   This would be the same scenario.  So here's my list.
    --

    Interface List
     11...8c ec 4b e7 b9 94 ......Intel(R) Ethernet Connection (5) I219-LM
     24...........................Always On VPN
     16...74 e5 f9 f5 44 6c ......Microsoft Wi-Fi Direct Virtual Adapter
     18...76 e5 f9 f5 44 6b ......Microsoft Wi-Fi Direct Virtual Adapter #2
      7...74 e5 f9 f5 44 6b ......Intel(R) Dual Band Wireless-AC 8265
     14...74 e5 f9 f5 44 6f ......Bluetooth Device (Personal Area Network)
      1...........................Software Loopback Interface 1

    --

    I added below to my vpn ps1 script and recreated my vpn connection

    <DomainNameInformation>
      <DomainName>.company.lan</DomainName>
      <DnsServers>10.100.6.205,10.100.6.210</DnsServers>
    </DomainNameInformation>
    <DomainNameInformation>
      <DomainName>.company.org</DomainName>
      <DnsServers>10.100.6.205,10.100.6.210</DnsServers>
    </DomainNameInformation>

    --

    I connected to my vpn.    I cannot connect to internal connections with .company.org.   It's trying to use my wifi interface dns instead of my always on vpn interface dns.

    C:\Users\username>nslookup wiki.company.org
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  fe80::cba:2377:d84e:8b0d

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

    --

    Wireless LAN adapter Wi-Fi:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8265
       Physical Address. . . . . . . . . : 74-E5-F9-F5-44-6B
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5090:29cf:1789:3255%7(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.20.10.5(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Lease Obtained. . . . . . . . . . : Tuesday, October 29, 2019 4:57:26 PM
       Lease Expires . . . . . . . . . . : Thursday, October 31, 2019 7:36:22 AM
       Default Gateway . . . . . . . . . : 172.20.10.1
       DHCP Server . . . . . . . . . . . : 172.20.10.1
       DHCPv6 IAID . . . . . . . . . . . : 108324345
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-21-57-D8-8C-EC-4B-E7-B9-94
       DNS Servers . . . . . . . . . . . : fe80::cba:2377:d84e:8b0d%7
                                           172.20.10.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Wireless LAN adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : 74-E5-F9-F5-44-6C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Local Area Connection* 10:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
       Physical Address. . . . . . . . . : 76-E5-F9-F5-44-6B
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Ethernet 2:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : centerstone.lan
       Description . . . . . . . . . . . : Dell Giga Ethernet
       Physical Address. . . . . . . . . : A4-4C-C8-A3-68-A4
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    PPP adapter Always On VPN:

       Connection-specific DNS Suffix  . : company.lan
       Description . . . . . . . . . . . :  Always On VPN
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.30.32.16(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 10.100.6.210
                                           10.100.6.205
       NetBIOS over Tcpip. . . . . . . . : Enabled

    • Edited by CSMatMan Wednesday, October 30, 2019 12:30 PM
    Wednesday, October 30, 2019 12:13 PM
  • This appears to be the issue.

    https://github.com/MicrosoftDocs/windowsserverdocs/issues/1527

    Basically I need to delete HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

    An empty DNSPolicyConfig key in registry will cause the AOVPN NRPT to be ignored. 

    Soon as I delete it, it works as expected.   The Get-DnsClientNrptPolicy pulls up the entries where before it was blank.

    From reading, it will come back since I have a Network/DNS policy configured in a GPO.  

    I'm going to try a few things to get it removed.   I'll probably just create a GPO preference item to delete it.

    Wednesday, October 30, 2019 1:46 PM
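    The fix above (an empty DnsPolicyConfig key silencing the Always On VPN NRPT) is easy to check for on a client before touching the registry. The following PowerShell is an added diagnostic, not code from the thread or the linked GitHub issue: it reports whether the key exists, whether it is empty in the sense the issue describes (no subkeys and no values), which NRPT rules the DNS client is actually applying, and which of the expected namespaces are missing. It only reports; deleting the key is what the poster did, and a Group Policy DNS client setting that writes the key will recreate it at the next refresh, which is why a GPO preference item is the durable answer. The expected namespaces default to the ones in the poster's profile and are an assumption for any other environment.

```powershell
# Added diagnostic, not from the original thread. Reports the state of the
# DnsPolicyConfig policy key and the NRPT rules the DNS client is applying.
function Test-AovpnNrptState {
    [CmdletBinding()]
    param(
        # Assumed: the suffixes from the DomainNameInformation elements posted above
        [string[]]$ExpectedNamespace = @('.company.lan', '.company.org')
    )

    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
    $keyExists = Test-Path -LiteralPath $keyPath
    $keyIsEmpty = $false
    if ($keyExists) {
        $key = Get-Item -LiteralPath $keyPath
        # "Empty" as in the linked issue: no per-rule subkeys and no values at all
        $keyIsEmpty = ($key.SubKeyCount -eq 0 -and $key.ValueCount -eq 0)
    }

    # Rules the DNS client is currently applying; this was blank for the poster
    # until the empty key was removed.
    $effective = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue
    $effectiveNs = @($effective | ForEach-Object { $_.Namespace })

    $missing = @($ExpectedNamespace | Where-Object { $effectiveNs -notcontains $_ })

    [pscustomobject]@{
        DnsPolicyConfigKeyExists = $keyExists
        DnsPolicyConfigKeyEmpty  = $keyIsEmpty
        EffectiveNrptNamespaces  = $effectiveNs
        MissingExpectedRules     = $missing
        # True when the pattern from the GitHub issue is present on this client
        LikelyEmptyKeyProblem    = ($keyExists -and $keyIsEmpty -and $missing.Count -gt 0)
    }
}

Test-AovpnNrptState | Format-List
```

    Run it with the VPN connected; if LikelyEmptyKeyProblem is True and MissingExpectedRules lists your suffixes, you are looking at the same condition the poster hit.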
  • Hi,

    Appreciate your effort and time!

    Thanks for sharing in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy



    Thursday, October 31, 2019 1:29 AM
  • Although this is an old/resolved issue, I would like to add for those referencing this thread that you should not use nslookup.exe to test client name resolution when using the DomainNameInformation element in your ProfileXML. Specifying DNS servers using DomainNameInformation enables the Name Resolution Policy Table (NRPT) on the client. Nslookup.exe bypasses the NRPT and will yield unexpected results. It is recommended to use the Resolve-DnsName PowerShell command when testing name resolution on Windows 10 clients.

    Hope that helps!


    Richard M. Hicks
    Founder and Principal Consultant - Richard M. Hicks Consulting, Inc.
    directaccess.richardicks.com

    Thursday, July 23, 2020 4:41 PM
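    Putting the advice in the reply above into a repeatable test: Resolve-DnsName without -Server goes through the DNS Client service and therefore honors the NRPT, while nslookup.exe (and Resolve-DnsName with -Server) sends the query straight to a chosen server. Comparing the two tells you whether a failure is the NRPT not being applied or the VPN DNS servers themselves not answering. The following PowerShell is an added example, not code from the thread or from Richard Hicks; the host name is whatever you pass in, and the default VPN DNS server list comes from the profile posted earlier in the thread and is an assumption elsewhere.

```powershell
# Added example, not from the original thread. Compares the NRPT-aware client
# resolver against direct queries to the VPN DNS servers.
function Test-AovpnNameResolution {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Name,
        # Assumed: the servers from the DomainNameInformation elements in this thread
        [string[]]$VpnDnsServer = @('10.100.6.205', '10.100.6.210')
    )

    # 1. The effective NRPT rule (if any) whose namespace covers this name
    $rule = Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
        Where-Object { $Name.ToLower().EndsWith($_.Namespace.ToLower()) } |
        Select-Object -First 1

    # 2. NRPT-aware lookup: this is what applications on the client actually get
    $viaClient = @(Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)

    # 3. Direct queries to each VPN DNS server, bypassing the NRPT the way nslookup does
    $direct = foreach ($srv in $VpnDnsServer) {
        $r = @(Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
        [pscustomobject]@{ Server = $srv; Answer = ($r -join ', ') }
    }
    $directOk = @($direct | Where-Object { $_.Answer }).Count -gt 0

    $diagnosis =
        if (-not $rule)                        { 'No NRPT rule covers this name; check DomainNameInformation and the DnsPolicyConfig key' }
        elseif ($viaClient.Count -gt 0)        { 'Resolves through the NRPT as expected' }
        elseif ($directOk)                     { 'VPN DNS servers answer directly, but the NRPT path fails' }
        else                                   { 'VPN DNS servers unreachable over the tunnel or record absent' }

    [pscustomobject]@{
        Name                 = $Name
        NrptNamespace        = $rule.Namespace
        NrptNameServers      = ($rule.NameServers -join ', ')
        ClientResolverAnswer = ($viaClient -join ', ')
        DirectAnswers        = $direct
        Diagnosis            = $diagnosis
    }
}

# Example call; replace with an internal host behind your VPN
Test-AovpnNameResolution -Name 'wiki.company.org' | Format-List
```

    The "VPN DNS servers answer directly, but the NRPT path fails" outcome is the one nslookup alone cannot distinguish from a working client, which is the point of the reply above.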