I have a problem in the company related to DNS. Due to the need for quarantine we had to put our almost 150 employees working remotely. Until today we only had our e-mail service (O365) in the cloud; all the rest of our infrastructure is local (on premises).
As we are already a Microsoft customer on some Azure products, we built a topology for accessing our services on premises using Azure VPN. Basically I have an S2S IPSec VPN that connects our infrastructure on premises to our tenant at Microsoft. And we also have a P2S VPN gateway for connecting our employees who are at home. The connection between Azure and our on premises infrastructure is made by a pfSense on the local side and an IPSec Gateway on the Azure side, using the IPSec protocol. On the client side, we have stations with Windows 7 and Windows 10 using the OpenVPN Client connecting to an OpenVPN on Azure Gateway.
The point is that everything works when we try to reach a server in our infrastructure on premises by IP. But when we try to reach a server by name, there is no DNS resolution. I have already placed our DNS in the Azure settings to be published on client connections, and I have already placed the IP of our local DNS server (on premises) in the .ovpn file. We have not yet tested the configuration of directing all customer traffic through the VPN tunnel. I believe that will be a solution ... but not an elegant one, because if the customer wants to surf the internet while the VPN is active, his traffic will go through Azure, then to the on premises network, and then out to the internet.
A point of attention that we have not been able to investigate further is that some customers have IP addresses (assigned by the equipment of their internet provider) that are within the range of our IP addresses on premises. For example, one of our customers has a local address in 192.168.0.0/24, which clearly conflicts with our address range on premises, 192.168.0.0/22. However, these clients are able to reach our servers by IP, but not by name.
The figure below illustrates this topology.
Live long and prosper, Marcelo Magalhãe, Rio de Janeiro - Brasil
[Figure: Topology]
[MORE INFORMATION] Hi, I found one of our customers who has the problem of access by name and did some tests. When I run nslookup, the DNS server set as the default for searches is exactly the one I defined. The queries I make through nslookup give a correct result, but when I go back to CMD or Windows Explorer ... nothing can be accessed by name. Below I placed the 3 command outputs (sorry... they are in Portuguese):
1) ipconfig /all before connecting to the Azure VPN;
Configuração de IP do Windows
Nome do host. . . . . . . . . . . . . . . . : NOTE123
Sufixo DNS primário . . . . . . . . . . . . : marte.local
Tipo de nó. . . . . . . . . . . . . . . . . : híbrido
Roteamento de IP ativado. . . . . . . . . . : não
Proxy WINS ativado. . . . . . . . . . . . . : não
Lista de pesquisa de sufixo DNS . . . . . . : marte.local
Adaptador Ethernet Conexão local 2: <<<<< interface de tunelamento - OpenVPN OFF
Estado da mídia. . . . . . . . . . . . . . : mídia desconectada
Sufixo DNS específico de conexão. . . . . . :
Descrição . . . . . . . . . . . . . . . . . : TAP-Windows Adapter V9
Endereço Físico . . . . . . . . . . . . . . : 00-FF-B6-15-A0-73
DHCP Habilitado . . . . . . . . . . . . . . : Sim
Configuração Automática Habilitada. . . . . : Sim
Adaptador Ethernet Conexão local: <<<<< interface local - Ethernet
Sufixo DNS específico de conexão. . . . . . :
Descrição . . . . . . . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Endereço Físico . . . . . . . . . . . . . . : A0-D3-C1-9C-BE-82
DHCP Habilitado . . . . . . . . . . . . . . : Sim
Configuração Automática Habilitada. . . . . : Sim
Endereço IPv4. . . . . . . . . . . . . . . : 192.168.0.10(Preferencial)
Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
Concessão Obtida. . . . . . . . . . . . . . : segunda-feira, 20 de abril de 2020 05:52:12
Concessão Expira. . . . . . . . . . . . . . : segunda-feira, 20 de abril de 2020 06:53:12
Gateway Padrão. . . . . . . . . . . . . . . : 192.168.0.1
Servidor DHCP . . . . . . . . . . . . . . . : 192.168.0.1
Servidores DNS. . . . . . . . . . . . . . . : 181.213.132.3
181.213.132.2
NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
2) ipconfig /all after connecting to the Azure VPN;
Configuração de IP do Windows
Nome do host. . . . . . . . . . . . . . . . : NOTE123
Sufixo DNS primário . . . . . . . . . . . . : marte.local
Tipo de nó. . . . . . . . . . . . . . . . . : híbrido
Roteamento de IP ativado. . . . . . . . . . : não
Proxy WINS ativado. . . . . . . . . . . . . : não
Lista de pesquisa de sufixo DNS . . . . . . : marte.local
Adaptador Ethernet Conexão local 2: <<<<< interface de tunelamento - OpenVPN ON
Sufixo DNS específico de conexão. . . . . . : marte.local
Descrição . . . . . . . . . . . . . . . . . : TAP-Windows Adapter V9
Endereço Físico . . . . . . . . . . . . . . : 00-FF-B6-15-A0-73
DHCP Habilitado . . . . . . . . . . . . . . : Sim
Configuração Automática Habilitada. . . . . : Sim
Endereço IPv4. . . . . . . . . . . . . . . : 192.168.10.3(Preferencial)
Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.128
Concessão Obtida. . . . . . . . . . . . . . : segunda-feira, 20 de abril de 2020 06:17:24
Concessão Expira. . . . . . . . . . . . . . : terça-feira, 20 de abril de 2021 06:17:23
Gateway Padrão. . . . . . . . . . . . . . . :
Servidor DHCP . . . . . . . . . . . . . . . : 192.168.10.126
Servidores DNS. . . . . . . . . . . . . . . : 192.168.1.51
192.168.1.51
NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
Adaptador Ethernet Conexão local: <<<<< interface local - Ethernet
Sufixo DNS específico de conexão. . . . . . :
Descrição . . . . . . . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Endereço Físico . . . . . . . . . . . . . . : A0-D3-C1-9C-BE-82
DHCP Habilitado . . . . . . . . . . . . . . : Sim
Configuração Automática Habilitada. . . . . : Sim
Endereço IPv4. . . . . . . . . . . . . . . : 192.168.0.10(Preferencial)
Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
Concessão Obtida. . . . . . . . . . . . . . : segunda-feira, 20 de abril de 2020 05:52:12
Concessão Expira. . . . . . . . . . . . . . : segunda-feira, 20 de abril de 2020 06:53:12
Gateway Padrão. . . . . . . . . . . . . . . : 192.168.0.1
Servidor DHCP . . . . . . . . . . . . . . . : 192.168.0.1
Servidores DNS. . . . . . . . . . . . . . . : 181.213.132.3
181.213.132.2
NetBIOS em Tcpip. . . . . . . . . . . . . . : Habilitado
3) route print after connecting to the Azure VPN;
===========================================================================
Lista de interfaces
17...00 ff b6 15 a0 73 ......TAP-Windows Adapter V9
16...c4 d9 87 1f a9 d8 ......Microsoft Virtual WiFi Miniport Adapter #2
15...c4 d9 87 1f a9 d8 ......Microsoft Virtual WiFi Miniport Adapter
14...c4 d9 87 1f a9 d7 ......Intel(R) Centrino(R) Advanced-N 6235
13...a0 d3 c1 9c be 82 ......Intel(R) 82579LM Gigabit Network Connection
1...........................Software Loopback Interface 1
===========================================================================
Tabela de rotas IPv4
===========================================================================
Rotas ativas:
Endereço de rede Máscara Ender. gateway Interface Custo
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 10
10.0.0.0 255.255.0.0 192.168.10.1 192.168.10.3 276
127.0.0.0 255.0.0.0 No vínculo 127.0.0.1 306
127.0.0.1 255.255.255.255 No vínculo 127.0.0.1 306
127.255.255.255 255.255.255.255 No vínculo 127.0.0.1 306
192.168.0.0 255.255.252.0 192.168.10.1 192.168.10.3 276
192.168.0.0 255.255.255.0 No vínculo 192.168.0.10 266
192.168.0.10 255.255.255.255 No vínculo 192.168.0.10 266
192.168.0.255 255.255.255.255 No vínculo 192.168.0.10 266
192.168.10.0 255.255.255.128 No vínculo 192.168.10.3 276
192.168.10.3 255.255.255.255 No vínculo 192.168.10.3 276
192.168.10.127 255.255.255.255 No vínculo 192.168.10.3 276
224.0.0.0 240.0.0.0 No vínculo 127.0.0.1 306
224.0.0.0 240.0.0.0 No vínculo 192.168.0.10 266
224.0.0.0 240.0.0.0 No vínculo 192.168.10.3 276
255.255.255.255 255.255.255.255 No vínculo 127.0.0.1 306
255.255.255.255 255.255.255.255 No vínculo 192.168.0.10 266
255.255.255.255 255.255.255.255 No vínculo 192.168.10.3 276
===========================================================================
Rotas persistentes:
Nenhuma
Be aware that in the route table there are two exits for the 192.168.0.0/22 network (where my DNS on premises is) ... a route on the 192.168.0.10/24 local network interface (address assigned by the client's ISP router) and another route leaving through the tunneling interface (OpenVPN) 192.168.10.3/24 ... I'm really finding strange behavior in the TCP/IP stack. Clearly I have an overlap, but it only causes a problem in name resolution, because I believe that it is sending DNS requests to the client's local interface, 192.168.0.10/24, but when accessing by IP it works because of the route. Could that be it?
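The route selection behind the overlap described above, worked through as an added example (this is not code from the question or from any product mentioned in it). It loads the IPv4 routes from the posted "route print" output and applies the rule every IP stack, Windows included, uses: the longest matching prefix wins, and the metric only breaks ties between prefixes of equal length. Two things fall out of it: the on-premises DNS server 192.168.1.51 pushed by the VPN does match only the /22 and is therefore sent into the tunnel, while any on-premises host inside 192.168.0.0/24 is captured by the client's more specific on-link LAN route and never reaches the tunnel at all. The `shadowed_by_local` helper generalizes that check to any remote prefix and interface; the route rows, interface address and prefix constants are transcribed from the question, and the loopback, multicast and broadcast entries are omitted as an assumption that they do not affect these destinations.

```python
import ipaddress

# Constructed from the IPv4 "route print" output posted in the question:
# (network, mask, gateway or None when the route is on-link, interface, metric).
# Loopback, multicast and broadcast entries are left out (assumption: they do
# not influence the destinations examined here).
ROUTES_AFTER_VPN = [
    ("0.0.0.0",      "0.0.0.0",         "192.168.0.1",  "192.168.0.10", 10),
    ("10.0.0.0",     "255.255.0.0",     "192.168.10.1", "192.168.10.3", 276),
    ("192.168.0.0",  "255.255.252.0",   "192.168.10.1", "192.168.10.3", 276),
    ("192.168.0.0",  "255.255.255.0",   None,           "192.168.0.10", 266),
    ("192.168.10.0", "255.255.255.128", None,           "192.168.10.3", 276),
]

TUNNEL_IFACE = "192.168.10.3"      # address of the TAP (OpenVPN) adapter in the post
ON_PREM_PREFIX = "192.168.0.0/22"  # on-premises range stated in the post


def parse_routes(rows):
    """Turn the raw rows into IPv4Network objects so prefix length and
    membership tests are exact rather than string comparisons."""
    return [(ipaddress.IPv4Network(f"{net}/{mask}"), gw, iface, metric)
            for net, mask, gw, iface, metric in rows]


def lookup(table, dest):
    """Select the route a packet to `dest` would take.

    Longest matching prefix first; the metric only decides between routes
    whose prefixes are equally long.  Returns None when nothing matches
    (impossible here because of the default route, but kept for reuse).
    """
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    network, gw, iface, metric = max(candidates,
                                     key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(network), "gateway": gw or "on-link",
            "interface": iface, "metric": metric}


def shadowed_by_local(table, remote_prefix, tunnel_iface):
    """List the more specific routes that take part of `remote_prefix` away
    from the tunnel: every route nested inside it that exits elsewhere."""
    remote = ipaddress.IPv4Network(remote_prefix)
    return sorted(str(r[0]) for r in table
                  if r[0].prefixlen > remote.prefixlen
                  and r[0].subnet_of(remote)
                  and r[2] != tunnel_iface)


if __name__ == "__main__":
    table = parse_routes(ROUTES_AFTER_VPN)
    for dest in ("192.168.1.51", "192.168.0.50", "192.168.10.126", "8.8.8.8"):
        print(dest, "->", lookup(table, dest))
    print("shadowed:", shadowed_by_local(table, ON_PREM_PREFIX, TUNNEL_IFACE))
```

Running it shows 192.168.1.51 leaving through 192.168.10.1 on the tunnel and 192.168.0.50 staying on-link on the LAN, and reports 192.168.0.0/24 as the shadowed quarter of the on-premises range. The same lookup is worth repeating for every address a client actually depends on (servers, domain controllers, the pushed DNS server), because an overlap that happens to spare the DNS server still silently black-holes every on-premises host whose address falls inside the home LAN's subnet.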