Windows 10 DNS resolution via VPN connection not working
I have fixed this problem permanently by manually setting the metric of my LAN connection to be higher (15) than the one windows assigns to my VPN (11).
This can be done two ways:
- Through the GUI: Network connections, Properties, TCP/IP v4 Properties, Advanced, Set Metric to 15;
- Command line:
netsh int ip set interface interface="LAN CONNECTION NAME" metric=15
The effect is immediate (at least when using the command line) and DNS lookups now go through my VPN as expected.
This works with Split Tunneling and is a permanent fix across reconnections and reboots.
Note that you could also change the metric of the VPN instead of the LAN connection, but this wouldn't be permanent as Windows resets the metric when the connection is established.
Depending on your environment, you may have a different default metric for your LAN and VPN connection. Simply adjust accordingly so that your VPN has a lower metric than your LAN connection.
Furthermore, if you find that you cannot edit your VPN's TCP/IP properties because that was also broken in Windows 10, you can set most properties through Powershell:
1. Get-VpnConnection
2. Set-VpnConnection -Name "myVPN" -SplitTunneling $True
3. Set-VpnConnection -Name "myVPN" -DnsSuffix yourdomain.local
I spun up a fresh install of Windows 10 in a VM to test on after seeing this issue on every physical Win10 machine I have. I tested all of the answers in this thread and none of them worked. I discovered that the solution is to combine the answers posted here by "Keenans" and "ECC-Dan":
http://answers.microsoft.com/en-us/windows/forum/windows_10-networking/win-10-dns-resolution-of-remote-network-via-vpn/513bdeea-0d18-462e-9ec3-a41129eec736?page=1
Control Panel > Network and Sharing Center > Change adapter settings > Right click your Ethernet or Wifi adapter > Properties > double click IPv4 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.
On that same Properties page, double click IPv6 > Advanced > Uncheck Automatic Metric > Enter 15 for interface metric > OK > OK.
Only after changing both of those settings is the issue resolved. I tested changing either one back and it breaks again. After changing both I ran nslookup from command line and it returned the DNS server on the remote network where the VPN is connected to, where as otherwise it would return the local DNS server. I then used Wireshark capturing on the Ethernet interface, did some pings to random websites, and verified that there were no DNS packets captured. This proves that after making the changes, DNS queries are being sent ONLY over the VPN connection, and not simultaneously over all connections (which is known as the Win10 DNS leak). So this is also part of the solution for the Win10 DNS leak:
https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1#.7ppsn1nda
Note that fix the DNS leak, you first need to do the steps above. Then you need to set two registry values. The linked articles only list one, which by itself, does not fix the issue in newer builds of Win10. Set these registry values:
Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
Value: DisableSmartNameResolution
Data: 1
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Value: DisableParallelAandAAAA
Data: 1
Only after doing all of that, will your DNS client behavior be back to the way it was in Win7. You have to wonder how this got through QA at Microsoft.
Another way:
Find Out the Network Index
Get-NetIPInterface | select ifindex,*int*
ifIndex InterfaceAlias InterfaceIndex InterfaceMetric
------- -------------- -------------- ---------------
26 vEthernet (Default Switch) 26 5000
11 VPN - VPN Client 11 1
7 Ethernet 7 25
1 Loopback Pseudo-Interface 1 1 75
Mine was the VPN with index 11
Changing the VPN "interfaceMetric" from 1 to 30
Get-NetIPInterface -InterfaceIndex 11 | Set-NetIPInterface -InterfaceMetric 30
Verifying the change:
Get-NetIPInterface | select ifindex,*int*
ifIndex InterfaceAlias InterfaceIndex InterfaceMetric
------- -------------- -------------- ---------------
26 vEthernet (Default Switch) 26 5000
11 VPN - VPN Client 11 30
7 Ethernet 7 25
1 Loopback Pseudo-Interface 1 1 75