Windows 10 Always On VPN, Split DNS, NRPT, and how to configure which DNS server is used

internal-dnssplit-dnssplit-tunnelvpnwindows 10

Here's the setup:

  • Windows 10 1803 clients
  • Server 2012R2 RRAS server
  • Always On VPN device tunnel setup per these instructions, with split tunneling.
  • Device VPN only has routes to 1 DC/DNS server, and our configuration manager server, so it can be managed and new users can authenticate when away from the office. When users need full access to the office network, there is a separate user VPN they can connect to. This works well, except for DNS.
  • AD domain name is example.local
  • Public domain name is example.com

The problem:

  • We use split DNS for our public domain name – so mail.example.com resolves to an internal IP address when using our internal DNS servers, and our public address from the outside world.
  • I need VPN clients to resolve it to the public address. The device VPN doesn't let them talk to the internal address for mail.example.com, so they can't get their email.
  • I'd also like (but not a must have) DNS resolution for local services at other locations to work properly – eg. when I'm in the offices of Other Corp, DNS for othercorp.local works even with the VPN connected.

What I want to happen:

  • Queries for example.local go over the VPN to our internal DNS servers
  • Everything else, including example.com, use the DNS servers provided by the LAN/Wifi connection the laptop is connected to.
  • The other user based VPN (which routes all traffic over the VPN) continues to use our internal DNS servers for everything.

What I've tried:

  • Setting Name Resolution Policy Table rules for example.local pointing at our internal DNS servers. This does seem to work, queries for example.local go over the VPN…but so does everything else.
  • Setting NRPT rules for example.com, with blank DnsServers field, which should make sure they are excluded. Seems to have no effect.
  • Setting NRPT rules for example.com, with public resolvers for the DnsServer. This does work, but breaks at remote locations that block anything but their own dns resolvers (which many of the sites my users travel to do), and doesn't solve the local services problem.
  • Setting "Use the following DNS server addresses" on the VPN connection in network connections, and leaving it blank. No effect, the VPN connection still gets set to use our internal servers.
  • Setting "Use the following DNS server addresses", and putting in a public DNS server like 8.8.8.8. When connected, I end up with 3 DNS servers on that interface, with our internal ones at the top and 8.8.8.8 at the bottom of the list.

I suspect that if I could get the VPN to not list any DNS servers at all, the NRPT rules would kick in just for example.local, and everything would work properly. But I can't find a way to make it not use the ones provided by the RRAS server.

Best Answer

A potential workaround you could try is standing up a Server 2016 DNS server and implementing a DNS policy to do split-dns with geolocation awareness. This would allow you to tell DNS queries from the Device VPN subnet to use the external IP instead of the internal.

The powershell commands would look something like below.

Device VPN subnet

Add-DnsServerClientSubnet -Name "DeviceVPNSubnet" -IPv4Subnet "192.168.1.0/24"

Device VPN Zone Scope

Add-DnsServerZoneScope -ZoneName "example.com" -Name "DeviceVPNZoneScope"

Default A record (should already exist)

Add-DnsServerResourceRecord -ZoneName "example.com" -A -Name "mail" -IPv4Address "192.168.0.5"

Device VPN A record

Add-DnsServerResourceRecord -ZoneName "example.com" -A -Name "mail" -IPv4Address "203.0.113.5" -ZoneScope "DeviceVPNZoneScope"

Device VPN Resolution Policy

Add-DnsServerQueryResolutionPolicy -Name "Device VPN Policy" -Action ALLOW -ClientSubnet "eq,DeviceVPNSubnet" -ZoneScope "DeviceVPNZoneScope,1" -ZoneName "example.com"

See: Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers

Related Topic