Here's the setup:
- Windows 10 1803 clients
- Server 2012R2 RRAS server
- Always On VPN device tunnel setup per these instructions, with split tunneling.
- Device VPN only has routes to 1 DC/DNS server, and our configuration manager server, so it can be managed and new users can authenticate when away from the office. When users need full access to the office network, there is a separate user VPN they can connect to. This works well, except for DNS.
- AD domain name is example.local
- Public domain name is example.com
The problem:
- We use split DNS for our public domain name - so mail.example.com resolves to an internal IP address when using our internal DNS servers, and our public address from the outside world.
- I need VPN clients to resolve it to the public address. The device VPN doesn't let them talk to the internal address for mail.example.com, so they can't get their email.
- I'd also like (but not a must have) DNS resolution for local services at other locations to work properly - e.g. when I'm in the offices of Other Corp, DNS for othercorp.local works even with the VPN connected.
What I want to happen:
- Queries for example.local go over the VPN to our internal DNS servers
- Everything else, including example.com, uses the DNS servers provided by the LAN/WiFi connection the laptop is connected to.
- The other user based VPN (which routes all traffic over the VPN) continues to use our internal DNS servers for everything.
What I've tried:
- Setting Name Resolution Policy Table rules for example.local pointing at our internal DNS servers. This does seem to work: queries for example.local go over the VPN... but so does everything else.
- Setting NRPT rules for example.com, with blank DnsServers field, which should make sure they are excluded. Seems to have no effect.
- Setting NRPT rules for example.com, with public resolvers for the DnsServer. This does work, but breaks at remote locations that block anything but their own DNS resolvers (which many of the sites my users travel to do), and doesn't solve the local services problem.
- Setting "Use the following DNS server addresses" on the VPN connection in network connections, and leaving it blank. No effect, the VPN connection still gets set to use our internal servers.
- Setting "Use the following DNS server addresses", and putting in a public DNS server like 8.8.8.8. When connected, I end up with 3 DNS servers on that interface, with our internal ones at the top and 8.8.8.8 at the bottom of the list.
I suspect that if I could get the VPN to not list any DNS servers at all, the NRPT rules would kick in just for example.local, and everything would work properly. But I can't find a way to make it not use the ones provided by the RRAS server.
A potential workaround you could try is standing up a Server 2016 DNS server and implementing a DNS policy to do split DNS with geolocation awareness. This would allow you to tell DNS queries from the Device VPN subnet to use the external IP instead of the internal.
The PowerShell commands would look something like below.
Device VPN subnet
Device VPN Zone Scope
Default A record (should already exist)
Device VPN A record
Device VPN Resolution Policy
See: Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers
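As an added example (not the answer's own commands, which are not reproduced above), here is what the five steps listed look like as working Windows Server 2016+ DNS cmdlets. Every address and name is an assumption: the device-tunnel address pool is taken to be 10.10.10.0/24, the internal mail host 192.168.1.10 and the public mail host 203.0.113.10; the original post gives none of these.

```powershell
# Added example: DNS policy so that mail.example.com answers with the public address
# when the query comes from the device-tunnel subnet, and the internal address otherwise.
# Run elevated on a Windows Server 2016 (or later) DNS server hosting example.com.
$Zone       = 'example.com'
$VpnSubnet  = '10.10.10.0/24'   # assumption: IPv4 pool the RRAS server hands to device-tunnel clients
$InternalIP = '192.168.1.10'    # assumption: what mail.example.com resolves to on the LAN
$PublicIP   = '203.0.113.10'    # assumption: what the outside world sees for mail.example.com

# 1. Device VPN subnet: a named client subnet that a policy can match on.
Add-DnsServerClientSubnet -Name 'DeviceVpnSubnet' -IPv4Subnet $VpnSubnet

# 2. Device VPN zone scope: a second set of records in the same zone that a policy can answer from.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'DeviceVpnScope'

# 3. Default A record in the default scope (should already exist; only created if missing).
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name 'mail' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'mail' -IPv4Address $InternalIP
}

# 4. Device VPN A record: the same name, but carrying the public address, in the VPN-only scope.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'mail' -IPv4Address $PublicIP -ZoneScope 'DeviceVpnScope'

# 5. Device VPN resolution policy: when the querying client is in the VPN subnet,
#    answer from DeviceVpnScope (the ",1" is the scope weight).
Add-DnsServerQueryResolutionPolicy -Name 'DeviceVpnPolicy' -Action ALLOW `
    -ClientSubnet 'eq,DeviceVpnSubnet' -ZoneScope 'DeviceVpnScope,1' -ZoneName $Zone

# Check from a device-tunnel client and from a LAN host; the two should answer differently:
#   Resolve-DnsName -Name mail.example.com -Type A -Server <ip of this DNS server>
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
```

Two caveats worth checking before relying on this: the policy matches on the source address the DNS server sees, so device-tunnel clients must query it over the tunnel from an address in the named subnet (which is the case in the setup described, since all their queries currently go to the internal servers), and the other, full-tunnel user VPN must use a different pool or it will also get the public address.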
Just a thought, but maybe set a connection script .bat that adds the correct public IP address of the mail server to the hosts file upon connection, and then removes it from the client's hosts file at disconnection? Theoretically I guess you could always have it in the hosts file, and then they would just access the server from its public IP even in the office. Regardless, that will override any DNS from the RRAS server.
The hosts file is located at C:\Windows\System32\Drivers\etc\hosts .
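As an added example (not the answer's own script, which it does not supply), here is an idempotent PowerShell version of the add-on-connect / remove-on-disconnect idea. The public address 203.0.113.10 is a constructed value, not something from the original post, and the marker comment used to tag the line is an assumption of this example.

```powershell
# Added example: maintain a single tagged hosts-file line for the mail server.
# Run elevated (the hosts file is writable only by administrators).
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$Tag       = '# added-by-devicevpn'   # marker: only lines carrying this tag are ever touched

function Remove-VpnHostsEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$Path = $HostsPath
    )
    $pattern = "\s$([regex]::Escape($HostName))\s+$([regex]::Escape($Tag))$"
    $lines   = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    $kept    = @($lines | Where-Object { $_ -notmatch $pattern })
    if ($kept.Count -ne $lines.Count) {
        Set-Content -Path $Path -Value $kept -Encoding ASCII
        Clear-DnsClientCache   # drop any cached answer so the change takes effect immediately
    }
}

function Add-VpnHostsEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Path = $HostsPath
    )
    # Remove any stale copy first so repeated connects never pile up duplicate lines.
    Remove-VpnHostsEntry -HostName $HostName -Path $Path
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    $lines += "$IPAddress`t$HostName`t$Tag"
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    Clear-DnsClientCache
}

# Usage from a connect action:     Add-VpnHostsEntry -HostName 'mail.example.com' -IPAddress '203.0.113.10'
# Usage from a disconnect action:  Remove-VpnHostsEntry -HostName 'mail.example.com'
```

Note that a hosts entry bypasses DNS entirely, so it has the side effect the answer mentions (the public address is used even in the office while the line is present), and some endpoint protection products alert on hosts-file modifications, so test the script under whatever AV/EDR the clients run before deploying it.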
You can define internal DNS servers for any namespace using the DomainNameInformation element in your ProfileXML. If you are using split DNS, there may be some cases where "internal" namespaces should be routed externally and not over the VPN tunnel. In these scenarios you'll have to create "exclusions", which are essentially namespaces defined NOT to use the internal DNS servers. To do this you don't simply leave the DnsServers field blank, but you leave the DnsServers out of the element entirely.
You can find more information here: https://directaccess.richardhicks.com/2018/04/23/always-on-vpn-and-the-name-resolution-policy-table-nrpt/
Hope that helps!
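As an added example (not the answer's or Microsoft's own profile), here is the DomainNameInformation part of a device-tunnel ProfileXML with one internal rule and one exclusion written the way the answer describes, plus a small check that reads a profile back and flags the empty-DnsServers form that does not work. The internal DNS address 192.168.1.5 and the server name vpn.example.com are assumptions; the original post gives neither.

```powershell
# Added example: ProfileXML with an NRPT rule for example.local and an exclusion for
# example.com, and a function that classifies each DomainNameInformation element.
$ProfileXml = @'
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>192.168.1.5</Address>
    <PrefixSize>32</PrefixSize>
  </Route>
  <!-- Internal namespace: leading dot = suffix match, resolved by the internal server over the tunnel -->
  <DomainNameInformation>
    <DomainName>.example.local</DomainName>
    <DnsServers>192.168.1.5</DnsServers>
  </DomainNameInformation>
  <!-- Exclusion: the DnsServers element is left out entirely, NOT present-but-empty -->
  <DomainNameInformation>
    <DomainName>.example.com</DomainName>
  </DomainNameInformation>
</VPNProfile>
'@

function Get-ProfileNrptRules {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($dni in $doc.SelectNodes('/VPNProfile/DomainNameInformation')) {
        $servers = $dni.SelectSingleNode('DnsServers')
        $kind = if ($null -eq $servers)                      { 'Exclusion' }
                elseif ([string]::IsNullOrWhiteSpace($servers.InnerText)) { 'BROKEN: empty DnsServers (remove the element)' }
                else                                          { 'Internal' }
        [pscustomobject]@{
            DomainName = $dni.DomainName
            DnsServers = if ($servers) { $servers.InnerText } else { '' }
            Kind       = $kind
        }
    }
}

Get-ProfileNrptRules -Xml $ProfileXml | Format-Table -AutoSize
# Expected: .example.local -> Internal, .example.com -> Exclusion

# On a client where the profile is applied, confirm the effective NRPT with:
#   Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers
# An exclusion shows up with an empty NameServers list.
```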
I figured out the solution.
Adjusting the interface metric to be a larger number than the existing Ethernet/WiFi adapters will make it prefer the DNS servers on the local network, but NRPT rules will still work to send DNS queries for my own domain to my servers over the VPN.
However, there's no way to adjust the interface metric for a VPN connection in PowerShell, nor in VBScript, nor .NET, nor the VPNv2 CSP.
If the VPN is connected the metric can be changed in PowerShell with the Set-NetIPInterface cmdlet, but when the VPN is not connected, it doesn't show up there at all. And changes there will not persist across reboots.
The only way to change it seems to be editing the
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
file and changing the lines `IpInterfaceMetric` and `Ipv6InterfaceMetric` to higher numbers. I changed them both to 100.
After that, and in combination with the NRPT rules, DNS works as desired - all queries for example.local get sent to my AD DNS servers. Anything else (including example.com) gets sent to the DNS servers of their local network.
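As an added example (not the accepted answer's own procedure, which was a manual edit), here is a PowerShell function that makes the same rasphone.pbk change for a named entry, refuses to write if it does not find exactly the two metric lines, and a second function to verify the resulting interface order while the tunnel is up. The entry name "Device Tunnel" is an assumption; use the ProfileName of your own device tunnel.

```powershell
# Added example: set IpInterfaceMetric and Ipv6InterfaceMetric for one phonebook entry.
# Run elevated. Assumes the pbk path given in the answer and the entry name "Device Tunnel".
function Set-PbkInterfaceMetric {
    param(
        [Parameter(Mandatory)][string]$EntryName,
        [int]$Metric = 100,
        [string]$Path = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
    )
    $lines   = Get-Content -Path $Path
    $inEntry = $false
    $changed = 0
    $out = foreach ($line in $lines) {
        # Section headers look like [Entry Name]; track whether we are inside the wanted entry.
        if ($line -match '^\[(.+)\]$') { $inEntry = ($Matches[1] -eq $EntryName) }
        if ($inEntry -and $line -match '^(IpInterfaceMetric|Ipv6InterfaceMetric)=') {
            $changed++
            "$($Matches[1])=$Metric"
        } else {
            $line
        }
    }
    if ($changed -ne 2) {
        throw "Expected to update 2 metric lines in [$EntryName] but found $changed; file left untouched"
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force      # keep a copy of the original
    # rasphone.pbk is a plain ANSI text file; ASCII is safe as long as entry names are ASCII.
    Set-Content -Path $Path -Value $out -Encoding ASCII
    "Updated $changed lines in [$EntryName] to $Metric; reconnect the tunnel for it to take effect"
}

# Verify while connected: the tunnel should now sort below the LAN/WiFi adapter, so
# queries that do not match an NRPT rule go to the local network's DNS servers.
function Show-DnsInterfaceOrder {
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        Sort-Object InterfaceMetric |
        Select-Object InterfaceAlias, InterfaceMetric, @{
            Name       = 'DnsServers'
            Expression = { (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).ServerAddresses -join ', ' }
        }
}

# Usage:
#   Set-PbkInterfaceMetric -EntryName 'Device Tunnel' -Metric 100
#   Show-DnsInterfaceOrder
```

If the function reports zero metric lines for your entry, check that you are editing the phonebook that actually holds the device tunnel; a device tunnel runs in the SYSTEM context and its entry may live in the SYSTEM profile's Pbk folder rather than the ProgramData one, so pass that path with `-Path`.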
When using automatic metric settings on all interfaces, for some reason the LAN Ethernet adapter has a lower metric than the device tunnel interface, but the WiFi interface has a higher metric than the device tunnel interface.
So with Split DNS of a public domain zone, the following happens for LAN and Wifi connected devices.
Device tunnel clients using LAN interface (cable) - Resolves the public domain records using locally configured DNS servers
Device tunnel clients using WiFi - Resolves the public domain records using the DNS servers configured on the device tunnel interface
I find it strange and I would have expected the device tunnel always would have the lowest metric, when using automatic metric assignment. The strangest part is that device tunnel interface metric is set to a number between LAN (cable) and WIFI interfaces.
Which is correct? I would rather not set metric manually for any of the interfaces.
This is confirmed using Split-tunnel VPN, have not tested with force-tunnel. I would like all DNS, even for Split-tunnel to resolve using the DNS servers configured by the device tunnel and use NRPT settings, if for some reason I need to resolve a domain outside the VPN connection.