DNS servers and suffixes configured for VPN connections are used in Windows 10 for name resolution using forced tunneling DNS (the Use Default Gateway on Remote Network option is enabled) when your VPN connection is active. In this case, you cannot resolve DNS names on your local network or access the Internet via your internal LAN.

At the same time, you can send a ping to any source on your local network (try sending a ping to your gateway, to a nearby computer, or to a printer’s IP address). They are only available based on the IP address, not the host name. The problem is that Windows 10 tries to resolve host names on your local network using the DNS servers specified in the VPN connection settings.

I found some recommendations to disable IPv6 for the local interface (LAN), and it helps if you want to use forced tunneling mode.

If you use split tunneling (the Use Default Gateway on Remote Network option is not enabled) for your VPN connection, you can access the Internet from your local network, but you cannot resolve DNS addresses on the remote VPN network (disabling IPv6 does not help here).

You must understand that Windows sends a DNS query from the network interface with the highest priority (the lowest value of the interface metric). Your VPN connection works z. For example, in split-tunneling mode (you want to access the Internet from your local network and your company’s resources via VPN).

Check the values of all network interface measurements via PowerShell :

Get-NetIPInterface | Sort-Object Interfacemetric


In the screenshot above you can see that the local Ethernet connection has a lower metric (25) at the VPN interface (100). For example, DNS traffic is routed through the interface with a lower metric value. This means that your DNS queries are sent to your local DNS servers instead of to the DNS servers for the VPN connection. In this configuration, you cannot resolve names in the connected external VPN network.

Also worth mentioning is the new functionality of the DNS client for Windows 8.1 and Windows 10. Intelligent Multiple Domain Name Resolution (SMHNR) has been added to these versions of the operating system for faster response to DNS queries. By default, the SMHNR simultaneously sends DNS queries to all DNS servers known to the system and uses the first response received. This is not safe because external DNS servers (specified for your VPN connection) may be able to see your DNS traffic (leakage of your DNS queries). You can disable SMHNR in Windows 10 using a GPO : Computer configuration -> Administrative templates -> Network -> DNS client -> Disable intelligent multi-domain name resolution = Enabled.


Or you can disable SMHNR with the following commands (under Windows 8.1)

Set-ItemProperty -Name HKLM:SoftwarePoliciesMicrosoftWindows NTDNSClient -Name DisableSmartNameResolution -Property 1 -Type DWord
Set-ItemProperty -Name HKLM:SYSTEMCurrentControlSetServicesDnscacheParameters -Name DisableParallelAndAAAAA -Property 1 -Type DWord

In Windows 10 Creators Update (1709) and later, DNS queries are sent one after the other (not in parallel) to all known DNS servers. You can increase the priority of a particular DNS by setting its parameters at a lower level.

For example, by changing the interface data, you can send DNS queries on the connection (LAN or VPN) where the name resolution has the highest priority for you.

Therefore, the lower the value of the interface is metric, the higher the priority of the connection. Windows automatically assigns IPv4 interface settings based on speed and interface type. For example, a LAN connection at >200 Mbps has a metric value of 10, while a Wi-Fi connection at 50-80 Mbps has a value of 50 (see table https://support.microsoft.com/en-us/help/299540/an-explanation-of-the-automatic-metric-feature-for-ipv4-routes).

You can change the interface settings using the Windows GUI, PowerShell or netsh command.

For example, you want your DNS requests to be sent via your VPN connection. You need to increase the settings of your LAN connection so that they are greater than 100 (in my example).

Go to Control Panel -> Network and Internet -> Network Connections, open the properties of your Ethernet connection, select TCP/IPv4 properties and click on the Advanced TCP/IP Settings tab. Disable the Auto Metric option and change the interface metric to 120.


You can also do it with the following PowerShell command (use the index of your LAN interface obtained with the Get-NetIPInterface command) :

Set-NetIPInterface -InterfaceIndex 11 -InterfaceMetric 120

Or with netsh (enter the name of your LAN connection) :

netsh int ip set interface=Ethernet0 metric=120

In the same way, you can reduce the metric value in the properties of your VPN connection.


You can also change the settings of your VPN connection by changing the mode to Split Tunneling and specifying the DNS suffix to connect to PowerShell :

Set-VpnConnection -Name VPN_work -SplitTunneling $True
Set-VpnConnection -Name VPN_work -DnsSuffix contoso.com

dns resolution through vpn tunnel,dns not working over vpn mac,dns not working over vpn sonicwall,dns not working over vpn ubuntu,vpn dns error,sstp vpn dns not working,windows 10 vpn ipv6,disableparallelaandaaaa,netextender dns not working,pulse vpn dns issue,windows 10 vpn dns ipv6,disablesmartnameresolution,windows dns binding order,network connection showing as public,sonicwall vpn dns not resolving,dns order,globalprotect vpn dns issues,openvpn block-outside-dns,openvpn dns settings,openvpn dhcp-option dns,dns_probe_finished_nxdomain openvpn,openvpn dns ip,do not alter clients dns server settings,openvpn dns not working windows 10,windows 10 remote vpn client cannot resolve domain dns,dns not resolving over vpn,windows 10 vpn split tunnel dns,windows 10 vpn dns suffix