
I am not a network administrator, but I was a developer 15 years ago. So bear with me if my networking understanding is rusty.

I have a Win 10 Pro client with a local internet connection (home) and a VPN connection to the office network. The home internet connection's DNS is set to Google's DNS, 8.8.8.8. The VPN connection's DNS setting is pointing to a Windows Server 2019 with the DNS service enabled (10.0.1.2). When both connections are connected, how does the local client determine which DNS to use when a new domain name is queried? I ran nslookup and have seen both DNS servers being used at different times. There must be a rule, right?

Am I correct that the routing table doesn't come into play at this step, because the routing table only deals with IP addresses, not domain names?

1 Answer


It does actually use the routing table. The route with the lowest interface metric will be the primary DNS. Any DNS queries it is unable to answer will go to the DNS on the other route. Open a command prompt as Administrator and type `route print | more` to see what the current metrics are. If you want the VPN route to be the primary DNS, you can change the interface metric for both the PC's main network adapter and the VPN virtual network adapter. The default is Automatic, which typically means that the real adapter will get the lowest metric. I usually set my VPN virtual adapter to e.g. 25 and my main to 50. That way, domain names that have both a public and a private IP address will be answered by the VPN DNS and I can access them from behind the firewall, as it were.

CB_Ron
    The VPN server can also push a requirement that all traffic is passed through the VPN rather than the local interface, and that will make a change to the route metrics automatically. This is generally a rule on corporate VPN services, unless the link has especially low bandwidth. – Rowan Hawkins Apr 22 '20 at 23:46
  • Thanks CB_Ron. That makes a lot of sense. I never noticed that "Automatic Metric" checkbox being there. @RowanHawkins, how can I set up the "push"? Through GPO? Which GPO setting specifically? – Lex Shan Apr 23 '20 at 20:25
  • I don't know if it should be set through GPO. Commercial VPN hosts have a setting that tells their clients to set the VPN virtual interface route with a higher priority. You could use `route change` with the required options to change the metric on an interface, but I'm not sure how that would affect things if the VPN isn't connected. My GPO concern would be if the virtual interface picks a different interface number on different systems. I haven't done any poking at making changes on the client side; I've always just used the SonicWall or Check Point host feature to drive the routing. – Rowan Hawkins Apr 25 '20 at 23:30
  • I just looked quickly, and the route metric for an interface is a checkbox in the advanced settings of the interface, so it should be possible to affect it with a registry mod, since the virtual interface will always have the same name, if not the same interface # displayed by the `route print` command. Since the automatic setting seems to use 25, you could just change that interface lower. You should select @CB_Ron's answer as correct since that has answered your question. – Rowan Hawkins Apr 25 '20 at 23:37
  • https://superuser.com/questions/12022/how-can-i-make-the-windows-vpn-route-selective-traffic-by-destination-network – Rowan Hawkins Apr 25 '20 at 23:41
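The following is an added example, not part of the question, CB_Ron's answer or the comments above. It is the PowerShell equivalent of the `route print` check and the manual-metric change CB_Ron and Rowan Hawkins describe, plus a check that a name with both a private and a public record now resolves through the VPN DNS. It assumes the VPN virtual adapter is named "VPN" and the physical adapter "Ethernet" (check `Get-NetAdapter` on your machine), the DNS servers from the question (10.0.1.2 on the VPN, 8.8.8.8 at home), and a hypothetical hostname `intranet.example.com`; the cmdlets themselves ship with Windows 10 (NetTCPIP and DnsClient modules).

```powershell
# Added example (not from the original answer): inspect and change the
# per-interface metric that Windows uses to order DNS servers.
# Assumptions: the VPN adapter's alias is "VPN" and the home NIC's alias is
# "Ethernet"; adjust both to match `Get-NetAdapter` output on your machine.
# The Set-* calls need an elevated (Administrator) PowerShell.
#Requires -RunAsAdministrator

param(
    [string]$VpnAlias  = 'VPN',       # assumed name of the VPN virtual adapter
    [string]$LanAlias  = 'Ethernet',  # assumed name of the physical adapter
    [int]   $VpnMetric = 25,          # values from CB_Ron's answer: lower wins
    [int]   $LanMetric = 50
)

function Show-DnsInterfaceOrder {
    # Connected interfaces sorted by metric: the top entry's DNS servers are asked first.
    Write-Host 'Interface metrics (lowest first):'
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object ConnectionState -eq 'Connected' |
        Sort-Object InterfaceMetric |
        Format-Table InterfaceAlias, InterfaceMetric, AutomaticMetric -AutoSize

    Write-Host 'DNS servers per interface:'
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize

    # Which interface owns the default route; a full-tunnel VPN (the "push"
    # Rowan Hawkins mentions) will put its own adapter here with a low metric.
    Write-Host 'Default routes:'
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize
}

function Set-VpnDnsPreferred {
    # Same effect as clearing the "Automatic metric" checkbox in the adapter's
    # Advanced TCP/IP settings and typing a fixed value, for both adapters.
    Set-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 `
        -AutomaticMetric Disabled -InterfaceMetric $VpnMetric
    Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 `
        -AutomaticMetric Disabled -InterfaceMetric $LanMetric
    # Drop cached answers so the next lookup goes through the new order.
    Clear-DnsClientCache
}

function Test-SplitHorizonName {
    # Ask each DNS server directly, then ask the system resolver, to see which
    # answer (private or public) the client now picks for a split-horizon name.
    param(
        [string]$Name,
        [string]$VpnDns    = '10.0.1.2',  # VPN-side DNS from the question
        [string]$PublicDns = '8.8.8.8'    # home-side DNS from the question
    )
    $viaVpn    = (Resolve-DnsName $Name -Server $VpnDns    -Type A -ErrorAction SilentlyContinue).IPAddress
    $viaPublic = (Resolve-DnsName $Name -Server $PublicDns -Type A -ErrorAction SilentlyContinue).IPAddress
    $resolver  = (Resolve-DnsName $Name -Type A -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Name         = $Name
        ViaVpnDns    = $viaVpn
        ViaPublicDns = $viaPublic
        Resolver     = $resolver   # should match ViaVpnDns once the VPN metric is lowest
    }
}

Show-DnsInterfaceOrder      # before
Set-VpnDnsPreferred
Show-DnsInterfaceOrder      # after: VPN adapter should now sort first
# Hypothetical name with both a private and a public A record.
Test-SplitHorizonName -Name 'intranet.example.com'
```

Run it from an elevated PowerShell while the VPN is connected, since a dial-up style VPN adapter only exists while the tunnel is up. Whether the metric survives a reconnect depends on the VPN client, so run `Show-DnsInterfaceOrder` again after reconnecting; the `Resolver` column of `Test-SplitHorizonName` should match `ViaVpnDns`, which is the "both a public and a private IP address" case CB_Ron describes.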