Windows 10 DNS resolution via VPN connection not working

49

22

In Windows 10, when connected to a VPN with Split Tunneling enabled (Gateway disabled), DNS resolution always uses the LAN DNS servers, ignoring the DNS servers and the DNS Suffix set on the VPN connection.

The expected behavior is to use the VPN's DNS servers, otherwise it becomes impossible to resolve DNS entries on the remote network (such as domain computers).

This was working properly in previous versions of Windows.

This was widely discussed on this Microsoft Answers thread.

ECC-Dan

Posted 2015-09-03T13:42:31.427

Reputation: 1 151

It's not clear from your question what is your problem (do you want it to use DNS server specified by the VPN?), please edit it. – Máté Juhász – 2015-09-03T14:05:14.500

Edited as suggested. – ECC-Dan – 2015-09-03T16:04:14.620

tbh: Then there is something wrong with your servers. The first DNS request should ALWAYS hit the local servers. Only if the host is unresolvable should the system attempt to query the remote DNS. Your issue might be that local and remote networks are running on the same subnets, thus the local one is claiming "to be able to resolve the query", but delivers "host not found"? (If a server configured to serve the subnet a.b.c.d cannot resolve a host, no further DNS server for this subnet is queried, unless the primary is offline, since they SHOULD be in sync - hence it assumes the host is unknown) – dognose – 2016-06-29T23:22:42.563

Answers

56

I have fixed this problem permanently by manually setting the metric of my LAN connection to be higher (15) than the one windows assigns to my VPN (11).

This can be done two ways:

  • Through the GUI: Network connections, Properties, TCP/IP v4 Properties, Advanced, Set Metric to 15;
  • Command line: netsh int ip set interface interface="LAN CONNECTION NAME" metric=15

The effect is immediate (at least when using the command line) and DNS lookups now go through my VPN as expected.

This works with Split Tunneling and is a permanent fix across reconnections and reboots.

Note that you could also change the metric of the VPN instead of the LAN connection, but this wouldn't be permanent as Windows resets the metric when the connection is established.

Depending on your environment, you may have a different default metric for your LAN and VPN connection. Simply adjust accordingly so that your VPN has a lower metric than your LAN connection.

Furthermore, if you find that you cannot edit your VPN's TCP/IP properties because that was also broken in Windows 10, you can set most properties through Powershell:

1. Get-VpnConnection
2. Set-VpnConnection -Name "myVPN" -SplitTunneling $True
3. Set-VpnConnection -Name "myVPN" -DnsSuffix yourdomain.local

ECC-Dan

Posted 2015-09-03T13:42:31.427

Reputation: 1 151
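The metric change and the Set-VpnConnection calls from this answer, put together as one elevated PowerShell script with a check that the VPN interface really ends up preferred. This is an added example, not code from the original answer; the adapter alias "Ethernet", the VPN name "myVPN", the suffix "yourdomain.local" and the host "dc01" are placeholders to replace with your own values. The metric is set for both IPv4 and IPv6 on the LAN side, since the LAN value is the one that survives reconnects and reboots.

```powershell
# Added example (not from the answer above). Assumptions: the LAN adapter is
# called "Ethernet" and the VPN connection "myVPN"; both are placeholders to
# replace with your own names (see Get-NetAdapter / Get-VpnConnection).
# Run in an elevated PowerShell session.
$LanAlias  = "Ethernet"            # assumption: LAN adapter alias
$VpnName   = "myVPN"               # assumption: VPN connection name
$DnsSuffix = "yourdomain.local"    # placeholder: remote domain's DNS suffix
$LanMetric = 15                    # value used in the answer; VPN default was 11

function Test-VpnDnsPreference {
    # Returns $true when, for every address family on which both interfaces
    # exist, the VPN interface has a strictly lower metric than the LAN one,
    # i.e. Windows will prefer the VPN's DNS servers.
    param([string]$Lan, [string]$Vpn)
    $ok = $true
    foreach ($family in 'IPv4', 'IPv6') {
        $lanIf = Get-NetIPInterface -InterfaceAlias $Lan -AddressFamily $family -ErrorAction SilentlyContinue
        $vpnIf = Get-NetIPInterface -InterfaceAlias $Vpn -AddressFamily $family -ErrorAction SilentlyContinue
        if ($lanIf -and $vpnIf -and $vpnIf.InterfaceMetric -ge $lanIf.InterfaceMetric) {
            Write-Warning "${family}: VPN metric $($vpnIf.InterfaceMetric) is not below LAN metric $($lanIf.InterfaceMetric)"
            $ok = $false
        }
    }
    return $ok
}

# 1. Configure the VPN connection: split tunneling on, remote DNS suffix set,
#    so names in that domain are sent to the VPN's DNS servers.
Set-VpnConnection -Name $VpnName -SplitTunneling $true -DnsSuffix $DnsSuffix
Get-VpnConnection -Name $VpnName | Select-Object Name, SplitTunneling, DnsSuffix

# 2. Pin the LAN metric above the VPN's default, for both address families
#    (an IPv6 resolver on the LAN would otherwise still win). Setting
#    -InterfaceMetric turns AutomaticMetric off and persists across reboots,
#    which is why the LAN side is changed rather than the VPN side.
foreach ($family in 'IPv4', 'IPv6') {
    Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily $family -InterfaceMetric $LanMetric -ErrorAction SilentlyContinue
}

# 3. Check the result (connect the VPN first so its interface exists), then
#    confirm with nslookup, whose "Server:" line should now name the VPN's DNS.
Get-NetIPInterface -InterfaceAlias $LanAlias, $VpnName -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, AddressFamily, InterfaceMetric, AutomaticMetric |
    Sort-Object InterfaceAlias, AddressFamily | Format-Table -AutoSize
Test-VpnDnsPreference -Lan $LanAlias -Vpn $VpnName
Get-DnsClientServerAddress -InterfaceAlias $VpnName -ErrorAction SilentlyContinue
nslookup "dc01.$DnsSuffix"     # placeholder host name on the remote domain
```

If Test-VpnDnsPreference warns for one family, the LAN metric is not above the VPN's for that family; raise $LanMetric (one of the comments needed 500 on a machine whose routes already had metrics in the hundreds) and run the script again.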

For me this does not work... I have two machines with Windows 10; one works fine, the other is problematic with VPN. I am able to resolve the default gateway by enabling SplitTunneling, but the DNS of the VPN is still not recognized, even when I change the metric... – ceinmart – 2015-10-28T01:04:24.960

This fixed the issue for us (and we've been battling it for some time), with one important additional step -- disabling IPv6. Our VPN does not do IPv6, but my understanding is any IPv6 resolver will take precedence over IPv4 ones. Once we disabled IPv6 on the adapters and then adjusted the metrics, split-tunnel DNS resumed working.

If your VPN supports IPv6 this is likely not needed and if the metric adjustment by itself fixes DNS for you keep IPv6 enabled on your adapter. – Adam Strohl – 2016-01-30T11:32:19.700

Fun fact: For me the issue was "vice versa" - when connected to VPN, Windows was unable to resolve local FQDNs... It was setting the default metric for the "VPN-Connection" to 1 - so I gave the local connection a lower number, which resolved my issue. (My local servers are configured correctly, so any unresolvable name will be queried on the connection of "second preference" - which now makes both local and remote DNS work as expected while the VPN is established.) – dognose – 2016-06-29T23:13:20.390

Any idea why this fix is only needed for me when connecting via one ISP but not the other (both coaxial cable connected)? – Gaia – 2016-07-29T17:36:04.410

Somehow I got the reversed issue in the first place: my local Win10 laptop automatically uses only the DNS in the VPN (most of the time), and because the DNS in that internal VPN is not (yet) configured to provide DNS service, I cannot browse any internet website while the VPN is enabled. So, I use this solution in a reverse way, i.e. setting my local LAN connection to a number as small as 1, which seemingly solves the problem for now. FWIW, I don't know the metric value for my VPN connection though, because there is no "Advance" button in the VPN connection properties pop-up window. – RayLuo – 2016-11-29T08:54:57.633

Changing the metric just worked for me, Windows 10 Home, 64 bit, latest patches as of March 9th 2019. However, I had to set the metric to 500. Running "netstat -rn" showed the metrics of the other routes, and most were in the high 200s and 300s! I changed the metric for both IPv4 and IPv6, just to be sure. – Paul M – 2019-03-09T11:36:18.273

11

I spun up a fresh install of Windows 10 in a VM to test on after seeing this issue on every physical Win10 machine I have. I tested all of the answers in this thread and none of them worked. I discovered that the solution is to combine the answers posted here by "Keenans" and "ECC-Dan":

http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/win-10-dns-resolution-of-remote-network-via-vpn/513bdeea-0d18-462e-9ec3-a41129eec736?page=1

Control Panel > Network and Sharing Center > Change adapter settings > Right click your Ethernet or Wifi adapter > Properties > double click IPv4 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.

On that same Properties page, double click IPv6 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.

Only after changing both of those settings is the issue resolved. I tested changing either one back and it breaks again. After changing both I ran nslookup from the command line and it returned the DNS server on the remote network the VPN is connected to, whereas otherwise it would return the local DNS server. I then used Wireshark capturing on the Ethernet interface, did some pings to random websites, and verified that there were no DNS packets captured. This proves that after making the changes, DNS queries are being sent ONLY over the VPN connection, and not simultaneously over all connections (which is known as the Win10 DNS leak). So this is also part of the solution for the Win10 DNS leak:

https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1#.7ppsn1nda

Note that to fix the DNS leak, you first need to do the steps above. Then you need to set two registry values. The linked articles only list one, which by itself does not fix the issue in newer builds of Win10. Set these registry values:

Key:   HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
Value: DisableSmartNameResolution
Data:  1

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Value: DisableParallelAandAAAA
Data:  1

Only after doing all of that, will your DNS client behavior be back to the way it was in Win7. You have to wonder how this got through QA at Microsoft.

LikeARock47

Posted 2015-09-03T13:42:31.427

Reputation: 111
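The two registry values from this answer, applied and then verified from an elevated PowerShell session. This is an added example, not part of the original answer; the paths and value names are exactly the ones listed above, and the only assumption is that the Policies\...\DNSClient key may not exist yet and has to be created. The metric changes described in the answer are still needed in addition to this.

```powershell
# Added example (not from the answer above). Run elevated. Applies the two
# DWORD values the answer lists and reports whether both are in place.
$RegValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'DisableSmartNameResolution'; Data = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Name = 'DisableParallelAandAAAA'; Data = 1 }
)

function Set-DnsClientLeakValues {
    # Creates each key if missing (the Policies key is absent by default on a
    # fresh install) and writes the DWORD value, overwriting any old value.
    foreach ($v in $RegValues) {
        if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
        New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType DWord -Value $v.Data -Force | Out-Null
    }
}

function Test-DnsClientLeakValues {
    # Returns $true only when both values exist and equal 1; warns on each
    # mismatch so a half-applied fix (the case the answer describes) is visible.
    $ok = $true
    foreach ($v in $RegValues) {
        $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($current -ne $v.Data) {
            Write-Warning "$($v.Name) is '$current' (expected $($v.Data)) under $($v.Path)"
            $ok = $false
        }
    }
    return $ok
}

Set-DnsClientLeakValues
Test-DnsClientLeakValues
# The Dnscache parameter is read at service start and the policy value at
# resolver policy refresh, so reboot before re-testing with Wireshark as the
# answer describes (no DNS packets on the LAN adapter while the VPN is up).
```

Test-DnsClientLeakValues is also useful on its own as a quick audit of a machine that "should" already have the fix: it returns $false and names the missing value when only one of the two was set.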

1

It does not work even when I changed the metrics on both IPv4 and IPv6 and used the registry values DisableSmartNameResolution and DisableParallelAandAAAA with current Windows 10 Edu (as of December 2018) when the client is connected by UTP cable and the IPv6 protocol is supported on the local LAN (i.e. the client has a public/global IPv6 address).

It is sufficient to disable the IPv6 protocol on the UTP/LAN interface used for VPN to make it work (to remove / not use the global IPv6 address on the client).

It works with no problem when the client is connected to the Internet by Wi-Fi and IPv6 is available (client has global IPv6 address and has no UTP/LAN connection).

Milan Kerslager

Posted 2015-09-03T13:42:31.427

Reputation: 181
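A way to apply this answer narrowly, as an added example that is not part of the original answer: only unbind IPv6 from the wired adapter, and only when that adapter actually holds a global IPv6 address (the condition the answer identifies), leaving IPv6 untouched on every other adapter and system-wide. The adapter name "Ethernet" is an assumption to replace with your own.

```powershell
# Added example (not from the answer above). Assumes the wired adapter is
# named "Ethernet"; adjust it. Run in an elevated PowerShell session.
$LanAlias = "Ethernet"   # assumption: alias of the UTP/LAN adapter

function Get-GlobalIPv6Address {
    # Returns the adapter's globally-routable IPv6 addresses (2000::/3),
    # ignoring link-local (fe80::/10) and unique-local (fc00::/7) ones, which
    # do not cause the problem the answer describes.
    param([string]$Alias)
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -match '^[23][0-9a-f]{3}:' }
}

$global6 = Get-GlobalIPv6Address -Alias $LanAlias
if ($global6) {
    Write-Host "Global IPv6 on ${LanAlias}: $($global6.IPAddress -join ', '); unbinding IPv6 from this adapter only."
    # ms_tcpip6 is the IPv6 binding component; this is the same checkbox as
    # "Internet Protocol Version 6" in the adapter's Properties dialog.
    Disable-NetAdapterBinding -Name $LanAlias -ComponentID ms_tcpip6
} else {
    Write-Host "No global IPv6 address on ${LanAlias}; nothing to change."
}

# Current binding state, and the one-liner to reverse the change later.
Get-NetAdapterBinding -Name $LanAlias -ComponentID ms_tcpip6 | Select-Object Name, Enabled
# Enable-NetAdapterBinding -Name $LanAlias -ComponentID ms_tcpip6
```

Unbinding per adapter rather than via the system-wide DisabledComponents registry value keeps IPv6 working on Wi-Fi, which the answer reports as unaffected, and makes the change easy to revert once the VPN supports IPv6.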

0

In my case, I found that browsers and pings could not resolve DNS when I was connected to VPN, but nslookups could. This link helped resolve my issue: https://windowsreport.com/nslookup-works-but-ping-fails/

The part that worked for me was running these 5 commands in a command prompt with Administrator rights:

netsh winsock reset catalog
netsh int ip reset reset.log
ipconfig /flushdns
ipconfig /registerdns
route /f

sfarbota

Posted 2015-09-03T13:42:31.427

Reputation: 200