The DNS servers and suffixes configured for VPN connections are used in Windows 10 to resolve names using DNS in the Force Tunneling mode (“Use default gateway on remote network” option enabled) when your VPN connection is active. In this case, you cannot resolve DNS names on your local network or access the Internet through your internal LAN.
At the same time, you can ping any resources on your LAN (try to ping your gateway, a neighboring computer or a printer IP address). They are available only by IP address, but not by their host names. The reason is that Windows 10 tries to resolve host names on your local network through the DNS servers specified in the VPN connection settings.
I found some recommendations on disabling the IPv6 protocol on your local (LAN) interface, and it can help if you want to use the Force Tunneling mode.
If you are using Split Tunneling (the “Use default gateway on remote network” option is unchecked) for your VPN connection, you can access the Internet from your local network, but you cannot resolve DNS names in the remote VPN network (disabling IPv6 does not help here).
You should understand that Windows sends a DNS query from the network interface that has the highest priority (the lowest interface metric value). For example, your VPN connection works in the Split Tunneling mode (you want to access the Internet from your LAN and your corporate resources over VPN).
Check the values of all network interface metrics from PowerShell:
Get-NetIPInterface | Sort-Object Interfacemetric
The screenshot above shows that the local Ethernet connection has a lower metric (25) than the VPN interface (100). So the DNS traffic goes through the interface with the lower metric value. It means that your DNS requests are sent to your local DNS servers instead of the DNS servers of the VPN connection. In this configuration, you cannot resolve names in the connected external VPN network.
In addition, a new feature of the DNS client in Windows 8.1 and Windows 10 should be mentioned here. Smart Multi-Homed Name Resolution (SMHNR) was added in these OS versions to get faster responses to DNS requests. By default, SMHNR sends simultaneous DNS requests to all DNS servers known to the system and uses the response it receives first (… queries are also sent). It is not secure, since the external DNS servers (specified for your VPN connection) can potentially see your DNS traffic (a leak of your DNS requests). You can disable SMHNR in Windows 10 through the GPO: Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn off smart multi-homed name resolution = Enabled.
Or you can disable SMHNR using the following commands (in Windows 8.1):
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name DisableParallelAandAAAA -Value 1 -Type DWord
In Windows 10 Creators Update (1709) and newer, DNS requests are sent to all known DNS servers one by one (not in parallel). You can raise the priority of a specific DNS server by lowering the metric of its interface.
So changing the interface metric allows you to send DNS requests over the connection (LAN or VPN) whose name resolution matters most to you.
Thus, the lower the value of the interface metric, the higher the priority of the connection. Windows assigns metrics to IPv4 interfaces automatically depending on their speed and type. For example, a LAN connection with a speed > 200 Mbit/s has a metric value of 10, and a Wi-Fi connection with a speed of 50-80 Mbit/s has a value of 50 (see the table at https://support.microsoft.com/en-us/help/299540/an-explanation-of-the-automatic-metric-feature-for-ipv4-routes).
You can change the interface metric from the Windows GUI, from PowerShell or using the netsh command.
For example, you want your DNS requests to be sent over your VPN connection. You need to increase the metrics of your LAN connections so that their values exceed 100 (in my example).
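As an added example (not from the original article), the following PowerShell function audits the two registry values set above and reports whether SMHNR and parallel A/AAAA queries are actually disabled on the machine; a missing key or value means the Windows default (feature enabled) still applies.

```powershell
# Added example: audit the SMHNR-related registry values from the article.
# A missing key or value means the Windows default applies (feature enabled).
function Get-SmhnrState {
    $checks = @(
        @{ Name  = 'SmartNameResolutionDisabled'
           Path  = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
           Value = 'DisableSmartNameResolution' },
        @{ Name  = 'ParallelAandAAAADisabled'
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
           Value = 'DisableParallelAandAAAA' }
    )
    $result = [ordered]@{}
    foreach ($c in $checks) {
        # Get-ItemProperty errors if the key or value is absent; treat that as "not set".
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $result[$c.Name] = ($null -ne $item) -and ($item.$($c.Value) -eq 1)
    }
    [pscustomobject]$result
}

$state = Get-SmhnrState
$state | Format-List
if (-not $state.SmartNameResolutionDisabled) {
    Write-Warning 'SMHNR is still active: DNS queries can go to the DNS servers of every interface, not only the preferred one.'
}
```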
Go to Control Panel -> Network & Internet -> Network Connections, open the properties of your Ethernet connection, select the TCP/IPv4 properties and go to the Advanced TCP/IP Settings tab. Uncheck the Automatic metric option and change the interface metric to 120.
You can do the same using the following PowerShell command (use the index of your LAN interface, which you can get with the Get-NetIPInterface cmdlet):
Set-NetIPInterface -InterfaceIndex 11 -InterfaceMetric 120
Or using netsh (specify the name of your LAN connection):
netsh int ip set interface interface="Ethernet0" metric=120
In the same way you can decrease the metric value in the properties of your VPN connection.
You can also change the settings of your VPN connection by switching it to the Split Tunneling mode and specifying a DNS suffix for the connection using PowerShell:
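The metric procedure above, carried through as one added PowerShell script (not from the original article): it lists the connected IPv4 interfaces by metric, raises every non-VPN interface whose metric is at or below the VPN's so that the VPN's DNS servers become the preferred resolvers, and then verifies the result. It assumes the VPN connection is named "VPN_work" (Windows names the VPN adapter after the connection) and uses a constructed internal host name, intranet.corp.example, for the resolution check.

```powershell
# Added example: prefer the VPN's DNS servers by making the VPN interface the lowest metric.
# Assumptions: VPN connection/adapter alias "VPN_work"; "intranet.corp.example" is a
# constructed name that only the VPN DNS servers can resolve.
$VpnAlias    = 'VPN_work'
$InternalHost = 'intranet.corp.example'

# 1. Connected IPv4 interfaces sorted by metric: the lowest value wins for DNS queries.
$ifs = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
       Where-Object InterfaceAlias -notlike 'Loopback*' |
       Sort-Object InterfaceMetric
$ifs | Format-Table InterfaceAlias, InterfaceIndex, InterfaceMetric, AutomaticMetric -AutoSize

$vpn = $ifs | Where-Object InterfaceAlias -eq $VpnAlias
if (-not $vpn) { throw "VPN interface '$VpnAlias' is not connected" }

# 2. Raise every other interface that currently ties with or beats the VPN's metric.
#    Set-NetIPInterface also switches the interface off Automatic metric.
$target = $vpn.InterfaceMetric + 20
foreach ($nic in $ifs) {
    if ($nic.InterfaceIndex -ne $vpn.InterfaceIndex -and
        $nic.InterfaceMetric -le $vpn.InterfaceMetric) {
        Write-Host "Raising metric of '$($nic.InterfaceAlias)' from $($nic.InterfaceMetric) to $target"
        Set-NetIPInterface -InterfaceIndex $nic.InterfaceIndex -InterfaceMetric $target
    }
}

# 3. Show which servers the VPN interface uses and test an internal name through them.
Get-DnsClientServerAddress -InterfaceIndex $vpn.InterfaceIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
Resolve-DnsName -Name $InternalHost -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
```

Run it in an elevated PowerShell session; with Split Tunneling the VPN carries no default route, so raising the LAN metric changes only resolver preference, not where Internet traffic goes.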
Set-VpnConnection -Name "VPN_work" -SplitTunneling $True
Set-VpnConnection -Name "VPN_work" -DnsSuffix yourdomainname.com