Hello,
we are using Remote Desktop Manager Enterprise v9.0.12.0 and have problems when opening a remote connection with a Windows VPN (phonebook file).
The main problem is, as is already known with Windows VPN, that the VPN replaces the primary DNS server with the DNS server from the VPN connection.
Since we are using this product on an RDS server, we often face the problem that someone opened a VPN, and the RDS server does not let other users log in because it cannot contact the Domain Controller (via DNS) anymore to verify the user.
Does someone have a good workaround to solve this problem?
BTW: Routing is actually not an issue on our VPNs, because we disable the "Default Gateway" option on every VPN.
Thank you.
Regards Simon
Hello,
I'm afraid you will need help from the community on this one ;). I would have thought that disabling the "use default gateway on remote network" would prevent your routes from being changed.
Can someone chime in?
Maurice
Microsoft VPN creates a locked-down tunnel. This is (probably) not a direct DNS issue you are having.
What you want is split tunnelling (if SLA/Auditing department allows it).
There are several clients that support this. Most of them are not free. But OpenVPN is.
More on Split tunneling:
http://en.wikipedia.org/wiki/Split_tunneling
OpenVPN for Windows Example:
https://forums.openvpn.net/topic8229.html
Hopefully this can help you.
Note: I wrote this in a hurry, so I do apologise if I have misunderstood your scenario :)
//Brandur
Thank you for your fast replies. I think you understood it wrong. I don't have the classic "routing" issue where the default gateway changes to the VPN server.
I can still ping my domain controllers on my LAN when a VPN is opened; only DNS gives me an error, since the primary DNS was changed by the VPN.
In a forum I've found a post where they said that this command would solve the problem. The only problem is that I would have to do this for every VPN connection as an "on connect" script, and I don't know if I can pass the variable from the VPN connection name to the script:
netsh interface ipv4 delete dnsservers name="<Interface Name>" address=all validate=no
At the moment the only simple way to solve this would be to create an entry in the HOSTS file for my DCs, but I personally do not like such solutions.
Any other ideas?
Ok, I see.
If you find a command that works for you (after connecting), then you should be able to use PowerShell to mass edit sessions.
But this could be a future improvement for RDM. I mean you can add/remove routes before/after VPN connect. This could be improved by being able to control the DNS in the same manner! (just thinking out loud here) :)
But does it have any effect if you change the primary DNS manually after the VPN is connected?
You could do an "ipconfig -all", "route print", "nslookup primaryDomainController.domain.local" and "nslookup mail.google.com" before the VPN and after the VPN is connected, just so I/we can have a better understanding of your scenario.
Maybe attach them as separate txt attachments (for example "ipconfig-disconnected/connected.txt", "routeprint-disconnected/connected.txt" etc.).
I know this is a bit overkill, but I just would like a better understanding of your network, and I/we don't use VPN this way anymore. We use dedicated VPN tunnels.
//Brandur
Do you mean by dedicated VPN tunnels a site-to-site VPN? Which device did you use for that? Your regular firewall?
Since a lot of our support engineers work on this 2012 R2 RDS server, we also face the problem that when someone connects to the RDS server, all currently active VPNs on the server get disconnected (by design since Vista).
When I have time, I'll create the reports ;)
Regards
Simon
As I understand it, you already have the solution that I could offer you, since this is a built-in behavior of MS VPN. But you have two options to fix this.
A:
As you mentioned above, use netsh to delete all DNS servers on the interface.
B:
Re-add the original DNS as the first one (if you want to keep the DNS for the VPN):
netsh interface ipv4 add dnsservers name="<Interface Name>" address=<Non-VPN DNS server> index=1 validate=no
E.g.: netsh interface ipv4 add dnsservers name="My VPN" address=192.168.0.1 index=1 validate=no
This I did not get: are you running multiple user-based VPNs from the RDS server?
If yes, then I would say there is no good solution to that, since that is generally a really bad idea.
Regards,
Ingvar Orn Ingolfsson
System Engineer
Axdata AS - Norway
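The two netsh options above, and Simon's question earlier about running them as an "on connect" script with the VPN connection name passed in, can be combined into one script. The following is an added example and not code from the thread or from Remote Desktop Manager; it assumes that whatever launches the script can pass the connection name as -VpnName, that the RAS adapter's interface alias equals the connection name, and that the LAN DNS and DC hostname are constructed placeholders to be replaced.

```powershell
<#
  Added example (not from the thread): after a Windows RAS/VPN connection comes up,
  put the LAN DNS back in front (option B) or strip the VPN-supplied DNS servers
  (option A), then verify that the domain controller still resolves.
  Assumptions: -VpnName is supplied by the caller; the DnsClient module
  (Windows 8 / Server 2012 and later) is available; the VPN adapter's
  InterfaceAlias is the connection name.
#>
param(
    [Parameter(Mandatory = $true)][string]$VpnName,
    [string]$LanDns = "192.168.0.1",       # constructed placeholder: your internal DNS / DC address
    [string]$DcName = "dc01.domain.local", # constructed placeholder: a host that must keep resolving
    [switch]$DeleteVpnDns                  # option A instead of option B
)

function Get-VpnDnsServers([string]$Name) {
    # IPv4 DNS servers currently configured on the VPN interface
    (Get-DnsClientServerAddress -InterfaceAlias $Name -AddressFamily IPv4).ServerAddresses
}

Write-Host "DNS servers on '$VpnName' before:" (Get-VpnDnsServers $VpnName)

if ($DeleteVpnDns) {
    # Option A from the thread: remove every DNS server on the VPN interface.
    # Trade-off: names known only to the VPN-side DNS will no longer resolve.
    netsh interface ipv4 delete dnsservers name="$VpnName" address=all validate=no
} else {
    # Option B from the thread: keep the VPN DNS but insert the LAN DNS at index 1,
    # so the domain controller is queried first and other RDS logins keep working.
    netsh interface ipv4 add dnsservers name="$VpnName" address=$LanDns index=1 validate=no
}
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

Write-Host "DNS servers on '$VpnName' after: " (Get-VpnDnsServers $VpnName)

# The check that was failing for other users on the RDS server: can the DC be resolved?
try {
    $r = Resolve-DnsName -Name $DcName -Type A -ErrorAction Stop
    Write-Host "$DcName resolves to" ($r.IPAddress -join ", ")
} catch {
    Write-Warning "$DcName does not resolve: $($_.Exception.Message)"
}
```

Run it as, for example, `.\Fix-VpnDns.ps1 -VpnName "My VPN" -LanDns 192.168.0.1 -DcName dc01.domain.local` from an elevated prompt (netsh needs administrative rights to change interface DNS). Option B is the safer default on a shared RDS server: it keeps the VPN-side names resolvable while guaranteeing the domain controller is asked first.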
I've found another solution now. Since we are using a phonebook file for the VPN connections, I could easily update all DNS server settings for the VPN connections and set our internal DNS there.
Well, actually we are using exactly the scenario you mentioned: RDS server with multiple user-based VPNs. It's a historical thing. I would love to see another solution, but some customers only have VPN access. The bigger part of the remote connections are direct connections to the servers.
Does someone know a software or appliance onto which I could offload my client VPN connections, and only use static routes from the RDS server to this "VPN client" appliance?
I know it sounds special, but I'm sure that we are not the only ones with this type of requirement.
Regards
Simon
This is a really great solution.
Thank you for providing one.