Hello and a Happy New Year to everybody!
I have an issue getting Windows 10 clients to “honor” DNS servers that are pushed through the OpenVPN conf. I have tried the OpenVPN client from the Client Export package and the OpenVPN Connect client. I am pushing the domain and DNS server in the conf, and can see them on the tun interface, however any attempt to access a device using its FQDN fails.
I am not forcing all traffic through the VPN connection.
If I remember correctly I had this issue in the past and it was due to the OpenVPN Connect app not running with administrator privileges, therefore it couldn’t add routes and DNS servers. So if you don’t already, try starting the client as administrator.
If that doesn’t help, maybe try a packet sniff to see which DNS server is actually queried when a request is made.
Tried it, no dice. Route print shows the correct routing table, but DNS not working at all…
Is the Windows machine allowed to query the DNS server? Are there maybe firewall rules that prevent this?
Check your Win 10 DNS settings.
If they look something like this:
ISP DNS Server 1
ISP DNS Server 2
VPN DNS Server 1
VPN DNS Server 2
This may cause issues. The DNS standard says that if the first server in the list cannot resolve, try the next. Which would indicate that the above settings should in fact work. However many consumer ISPs are greedy and have intentionally improperly implemented DNS. Instead of returning an NXDOMAIN for lookups they cannot resolve, they instead return the IP address of whatever search engine they have a contract with so that they get paid for the hit.
An easy way to check if this is what is causing your issue is to do an nslookup on the Win10 machine for a domain that should not be publicly resolvable, such as mydomain.local. If you get a response other than an NXDOMAIN response, then this is most likely your issue.
To resolve this issue you can either change the local system's DNS so that it uses a provider that correctly implements DNS, such as Quad9, Level3, Google, and CloudFlare, or you would have to configure the VPN client to either reorder or override the DNS server setting upon establishing a connection.
This checkbox can be found on the client OpenVPN export page within pfSense, if you are using pfSense…
Thank you all. Issue resolved, and it was the DNS server on the client's site… However, I can confirm that DNS over OpenVPN works fine (along with NetBIOS), using the advanced client settings (push DNS and domain name).
Working in Windows 10 by running the client as user (not admin).