Client DNS with multiple VPN connections

Question

I have a scenario where Windows client devices will be connected to two different VPN networks. The remote networks each have separate address spaces, 10.0.0.0/16 and 10.20.0.0/16 respectively. IP routes are established on the client machine so that traffic for those IP ranges are sent over the correct VPN connections, and all other traffic is sent over the internet as normal.

Here's where our fun starts. Each network also hosts it's own Active Directory domain, which I'll call DomainA.com and DomainB.com. Ideally, I'd like the user to be able to access resources in either domain by FQDN, not just IP address. So, for example, server.DomainA.com would resolve to 10.0.0.50 and be contacted over the first VPN connection, and server.DomainB.com would resolve to 10.20.0.50 and be contacted over the second VPN.

Of course, the DNS servers in the 10.0.0.0/16 network don't know anything about DomainB.com, and the DNS servers in the 10.20.0.0/16 network don't know anything about DomainA.com. And the internet DNS doesn't know the correct address of either domain.

In a scenario like this, how would you go about getting DNS resolution to work for DomainA.com, DomainB.com and the internet? I feel like I should be able to tell Windows "Use X DNS server for DomainA.com" and "Use Y DNS server for DomainB.com". Is there any way to do that? If not, is there some other change I could make, either to the client devices or the remote networks?

Answer 1

I found an answer. You can use the Windows Name Resolution Policy Table (NPRT). This is, essentially, exactly what is requested in the question: a way to tell Windows to use a specific DNS server for a specific domain. You can configure NRPT using Group Policy, but in my case I configured it using PowerShell, specifically Add-DnsClientNrptRule.

Below is my final PowerShell script for managing a given NRPT rule:

$Domain = ".DomainA.com"
[string[]]$NameServers = "10.0.0.4", "10.0.0.5"

Get-DnsClientNrptRule | Where Namespace -eq $Domain | ForEach-Object {Remove-DnsClientNrptRule -Name $_.Name -Force}
Add-DnsClientNrptRule -Namespace $Domain -NameServers $NameServers

(Note the . at the start of the domain name string.)

I start by deleting any existing rules for that domain, because NRPT rules don't override each other. Instead, a conflict results in no rule being applied.

As another side note, I've read that nslookup doesn't respect NRPT rules. So don't be fooled by that if you are testing this out. In my tests ping, mstsc and other Windows components work perfectly with these rules in place.