
I have some network services available on my home LAN (subnet 10.88.0.0/24), with internal DNS on that LAN (provided by the router, 10.88.0.1) at a domain suffix like my.lan. On the local network I can access these services via IP or domain name.

I am connecting to that LAN remotely via an OpenVPN server. I can access all the services via IP over OpenVPN. OpenVPN is set up to push a DNS resolution zone for my.lan that should use the router as a DNS provider for this domain (OpenVPN server options: push "dhcp-option DNS 10.88.0.1"; push "dhcp-option DOMAIN my.lan").

This is causing an NRPT rule to be installed on the system that looks like this:

PS C:\WINDOWS\system32> Get-DnsClientNrptPolicy


Namespace                        : .my.lan
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      : 10.88.0.1
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

However, this rule doesn't seem to get used for actual DNS client queries. Domains like www.my.lan still get resolved (or rather fail to resolve) at the DNS given by my regular network interface, either my ethernet card or wifi, depending on how I'm connected at the time (nslookup + Wireshark confirm this). I am able to resolve names on the LAN with nslookup by providing the DNS server: nslookup www.my.lan 10.88.0.1 resolves correctly over the VPN connection. I have also attempted to enable NRPT by setting QueryPolicy to QueryBoth:

PS C:\WINDOWS\system32> Set-DnsClientNrptGlobal -QueryPolicy "QueryBoth" -PassThru

EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
---------------------- ----------- -----------------------
Disable                QueryBoth   Disable

This appears to have no effect (either Disable or QueryBoth). The other parameters on this object seem to be for DirectAccess clients and a fallback option for DNS queries that should be 'secure'; do they need to be active as well?

What is the proper way to cause the Name Resolution Policy Table to affect DNS queries?

asked by markb
  • As it turns out, `nslookup` doesn't actually use the NRPT, however a domain query from PowerShell does return the correct address. Now to figure out why some of my machines don't get an NRPT rule even though OpenVPN is pushing one to them... – markb Feb 10 '20 at 23:51
  • Also, make sure your namespace begins with a dot (`.`). I had the exact same question as @markb, and after sorting out `nslookup` as a culprit, it still did not work. My namespace was set to `my.lan`, however. – bers Jan 04 '21 at 18:28
  • And as a replacement for `nslookup`, use `Resolve-DnsName`. – bers Jan 04 '21 at 18:42
  • It's not a good replacement because it doesn't show which nameservers were used. – TJJ Jan 14 '22 at 16:12
  • @bers thank you! Damn I haven't seen this one - forgot the dot in the config and it stopped working when connected to LAN. I guess had something to do with metrics as wifi had higher metric than AlwaysOn or something... Had no clue where to look as NRPT just wouldn't work. Thank you! – Dominik Jan 09 '23 at 08:44

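The two diagnostic points raised in the comments, that nslookup bypasses the NRPT and that the rule's namespace must start with a dot, can be checked in one pass. The script below is an added example, not code from the question or its commenters. It assumes the zone my.lan and the internal resolver 10.88.0.1 from the question; the host name www.my.lan is a placeholder. It reads the local NRPT rules with Get-DnsClientNrptRule, flags a namespace without the leading dot, then resolves the test name once through the DNS Client service (Resolve-DnsName, which honours the NRPT) and once directly against the internal server (-Server) as a control, so the two failure modes (VPN path broken vs. rule not applied) can be told apart.

```powershell
# Added example (not from the original question or its commenters): audit the
# NRPT rules on this host and verify that a name in the VPN's internal zone is
# answered through the rule rather than through the interface's DNS server.
# Assumed values: zone my.lan and resolver 10.88.0.1 as in the question;
# www.my.lan is a placeholder test name.

$Zone       = "my.lan"
$InternalNS = "10.88.0.1"
$TestName   = "www.$Zone"

# 1. Inspect the local NRPT rules. (Get-DnsClientNrptPolicy, used in the
#    question, shows the merged local + Group Policy view instead.)
$rules = @(Get-DnsClientNrptRule)
if ($rules.Count -eq 0) {
    Write-Warning "No NRPT rules present on this host."
}

foreach ($rule in $rules) {
    foreach ($ns in @($rule.Namespace)) {
        # A namespace must begin with a dot to match names *under* the zone
        # (www.my.lan); "my.lan" without the dot matches only the bare zone.
        if ($ns -notlike ".*") {
            Write-Warning ("NRPT rule '{0}': namespace '{1}' lacks the leading dot, so www.{1} will not match it." -f $rule.Name, $ns)
        }
        if ($ns -eq ".$Zone" -and (@($rule.NameServers) -notcontains $InternalNS)) {
            Write-Warning ("Rule for {0} points at {1}, not the expected {2}." -f $ns, (@($rule.NameServers) -join ","), $InternalNS)
        }
    }
}

# 2. Resolve through the DNS Client service. Resolve-DnsName consults the NRPT;
#    nslookup sends its own queries to a server and bypasses the NRPT, so it
#    cannot be used to test NRPT behaviour.
$viaClient = Resolve-DnsName -Name $TestName -Type A -ErrorAction SilentlyContinue

# 3. Control: query the internal server directly over the VPN. If this works
#    while step 2 fails, the tunnel is fine and the NRPT rule is the problem.
$viaServer = Resolve-DnsName -Name $TestName -Type A -Server $InternalNS -ErrorAction SilentlyContinue

$clientAddrs = @($viaClient | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$serverAddrs = @($viaServer | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)

if ($serverAddrs.Count -eq 0) {
    Write-Warning "$InternalNS does not answer for $TestName; check the VPN route and firewall before looking at the NRPT."
} elseif ($clientAddrs.Count -eq 0) {
    Write-Warning "Direct query succeeds but the resolver fails: the NRPT rule is not being applied (check the leading dot)."
} elseif (Compare-Object $clientAddrs $serverAddrs) {
    Write-Warning "Resolver and $InternalNS disagree: $($clientAddrs -join ',') vs $($serverAddrs -join ',')"
} else {
    Write-Host "OK: $TestName resolves to $($clientAddrs -join ',') via the NRPT rule."
}

# Remediation (elevated prompt) if the rule is missing or lacks the dot. Note
# that a rule pushed by OpenVPN is recreated on each connection, so a manual
# rule is a stopgap until the client configuration is corrected.
# Add-DnsClientNrptRule -Namespace ".$Zone" -NameServers $InternalNS -Comment "manual VPN zone"
```

Run it from an ordinary PowerShell prompt while the VPN is connected; only the commented Add-DnsClientNrptRule line needs elevation. Because Resolve-DnsName does not report which server answered (the limitation TJJ notes), the direct -Server query is used as the reference rather than trying to infer the server from the output.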