Windows 10 Always On VPN DNS resolution problem

Thread starter: Thomas A. Gusset

Thomas A. Gusset

Hi

we set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10.

The customer uses split DNS, which means the same FQDN points to different IPs depending on whether you are on an inside or an outside network.

Everything works fine but there is a strange issue with DNS resolution.

One would expect that in force-tunnel mode all the network traffic goes through the VPN tunnel. But for DNS requests you can observe that there are DNS requests to the internal DNS servers (as expected) but also to the DNS servers configured on the LAN interface.

It looks like Win 10 asks all the DNS servers and selects one of the responses (if there are different responses). It seems to be the response from the DNS server on the interface with the lowest metric.

The VPN client changes the metric as soon as the VPN tunnel is up.

[screenshot: metrics while VPN is down]

[screenshot: metrics when VPN is up]
As we can see, the metric of the Ethernet interface has changed from 25 to 4250. Therefore the VPN (CL06 VPN Verwaltung) now has the lowest metric and we would expect that DNS responses from the internal DNS servers will be used.

But we still see the DNS response from the DNS server configured on the Ethernet interface. Because we have to access the internal server, the DNS response returns the wrong IP.

After some research we found that we should disable IPv6 on the LAN interface. And this works -> now DNS resolves the internal IP.

This seems to be very strange.

Next we changed the metric of IPv6 of the Ethernet interface from 25 to 100 and enabled IPv6 again.

[screenshot: metrics after the change]

... and it works too.

There is no IPv6 connectivity on the Ethernet interface (nor on the VPN). We sniff the traffic on the Ethernet interface and see only IPv4 DNS traffic.


Any idea why this behavior could make sense?

For me this seems to be a bug.

Thomas
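The post describes a diagnostic (compare per-interface metrics and per-interface DNS servers) and a workaround (raise the LAN adapter's IPv6 interface metric from 25 to 100). The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes the interface aliases "Ethernet" and "CL06 VPN Verwaltung" from the post and uses a placeholder FQDN for the split-DNS name. Run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example (not from the original post): inspect per-interface metrics and
# DNS servers on a Windows 10 Always On VPN client, apply the workaround from the
# post (raise the LAN adapter's IPv6 metric), and verify which answer wins.
# Interface aliases are the ones named in the post; $testName is a placeholder.

$lanAlias = 'Ethernet'
$vpnAlias = 'CL06 VPN Verwaltung'
$testName = 'intranet.example.com'   # placeholder split-DNS name, not from the post

# 1. Metrics for BOTH address families, lowest first. The post's observation is
#    that the answer from the lowest-metric interface wins, so the VPN adapter
#    must sort above the LAN adapter for IPv4 and IPv6 while the tunnel is up.
Get-NetIPInterface -InterfaceAlias $lanAlias, $vpnAlias |
    Sort-Object InterfaceMetric |
    Format-Table InterfaceAlias, AddressFamily, InterfaceMetric, ConnectionState -AutoSize

# 2. DNS servers carried by each interface (the LAN resolvers are the ones that
#    hand back the external address of a split-DNS name).
Get-DnsClientServerAddress -InterfaceAlias $lanAlias, $vpnAlias |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# 3. Workaround from the post: make the LAN adapter's IPv6 metric worse (higher)
#    than the VPN adapter's so the LAN interface no longer wins for either family.
Set-NetIPInterface -InterfaceAlias $lanAlias -AddressFamily IPv6 -InterfaceMetric 100

# 4. Verify. Clear the resolver cache, then ask each interface's first IPv4 DNS
#    server directly; for a split-DNS name the two answers differ.
Clear-DnsClientCache
foreach ($alias in $lanAlias, $vpnAlias) {
    $server = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses |
        Select-Object -First 1
    if ($server) {
        $answer = (Resolve-DnsName -Name $testName -Server $server -Type A -ErrorAction SilentlyContinue).IPAddress -join ', '
        '{0,-22} via {1,-15} -> {2}' -f $alias, $server, $answer
    }
}

# Default resolution (what applications actually get) should now match the VPN
# server's answer, i.e. the internal IP.
'default resolution -> ' + ((Resolve-DnsName -Name $testName -Type A).IPAddress -join ', ')
```

The `Set-NetIPInterface` change is not persistent across a reinstall of the adapter and is separate from the IPv4 metric, which is why the post's IPv4 metric of 4250 alone did not change the outcome; checking both address families in step 1 is the point of the script.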
