OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

v2.6+ on Windows: can it actually implement split DNS? #473

Open dmick opened 10 months ago

dmick commented 10 months ago

I'm extremely sorry to resort to an issue for this, but please feel free to redirect and close:

I can't figure out if the community Windows client can actually implement split DNS or not. For a long time I believed Windows 10 did not have the capability at the OS level, but then I discovered

1) the Powershell-accessible DnsClient, and specifically the NRPT (Name Resolution Policy Table), also accessible through a GUI system management interface, that claims to be able to apply specific rules for specific domains, which is exactly what one would need for split DNS, and

2) the new 'dns' config option in v2.6+

Together, those look like they have the capability to make it happen, but two things are stopping me from feeling as though I understand correctly:

1) I can't find a place in the code that treats the dns option as affecting anything like DnsClient, and

2) I can't understand what the 'numbers' for dns servers are in the "dns server" option, and whether the choice is completely arbitrary or what it might correspond to

So I guess those are two subquestions to the "can it do split DNS on Windows": 2a) does it use DnsClient (and if not, does it need to), and 2b) are the choices of numbers in the dns server options constrained in some way?

cron2 commented 10 months ago

This is work in progress. As of today, no support for NRPT yet, but it's being worked on.

The "number" (dns server <n>) is a priority table, so you can have DNS servers pushed by the OpenVPN server possibly overruled by the client config, or extended

              The --dns server directive is used to configure DNS server n.
              The server id n must be a value between -128 and 127. For pushed
              DNS server options it must be between 0 and 127. The server id
              is used to group options and also for ordering the list of
              configured DNS servers; lower numbers come first. DNS servers
              being pushed to a client replace already configured DNS servers
              with the same server id.

as of today, on Windows, the first 4 servers (those with the lowest number) are used - with no further differentiation towards Windows - and the rest are ignored.

dmick commented 10 months ago

Just so I understand, then: is using NRPT critical to allowing split DNS to work? (I don't really understand what it means to set a domain... or was it the server IP?... on the tun/tap driver)

dmick commented 9 months ago

@cron2, can you help me understand the above ^ ?

d12fk commented 9 months ago

Yeah, NRPT is the way to do split-DNS on Windows. The domains you enter in the regular UI with the rest of the interface config are just to complete non-fully qualified names during lookup, i.e. search domains.

irumaru commented 2 months ago

Hello. How far along is the work here?

lspiehler commented 1 month ago

I've been attempting on and off for over a year to get split-DNS working with our OpenVPN deployment. I've never seen any great example OpenVPN configurations using the newer "--dns" options. In my OpenVPN server (version 2.6.12) configuration I have the following DNS settings:

dns server 1 address 192.168.1.10 192.168.1.11
dns server 1 resolve-domains mydomain.org
dns server 1 transport plain

I've noticed the following DNS related environment variables in my connect scripts (I use jq to convert the env vars to JSON):

{
  ...
  "dns_server_1_transport": "plain",
  "dns_server_1_resolve_domain_1": "mydomain.org",
  "foreign_option_1": "dhcp-option DNS 192.168.1.10",
  "foreign_option_2": "dhcp-option DNS 192.168.1.11",
  "dns_server_1_address_1": "192.168.1.10",
  "dns_server_1_address_2": "192.168.1.11"
  ...
}

That output gave me some confidence that my settings on the server are being recognized and working correctly, but I've tested the community version of the OpenVPN client version 2.6.12 and OpenVPN Connect version 3.5.0 and neither seems to honor the DNS settings. In the log file of OpenVPN Connect, I see the following DNS related output:

[Aug 23, 2024, 16:09:20] SetupClient:
{
   ...
   "dns_options":
   {
      "servers": {}
   }
   ...
}

On my Windows machines, I've been manually using the Add-DnsClientNrptRule PowerShell command to get the desired DNS configuration, but it would be ideal to be able to configure this on the server and have it pushed to clients. Any feedback on what I'm doing wrong, whether this is still in development, etc. is greatly appreciated. Thanks!
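As an added illustration of the manual NRPT workaround described in the comment above (example code, not from this thread or from the OpenVPN project): a client --up/--down script that turns the pushed "dns server N resolve-domains" options into NRPT rules. It assumes OpenVPN exports the dns_server_N_address_M and dns_server_N_resolve_domain_M variables shown above to the client script environment and sets script_type to "up" or "down"; the script path is hypothetical.

```powershell
# Added example, not code from this thread or from OpenVPN: an --up/--down
# script that turns pushed "dns server N resolve-domains" options into NRPT
# rules. Assumes OpenVPN exports the dns_server_N_* variables seen above to
# the client script environment and sets script_type to "up" or "down".
# Client config (hypothetical path):
#   script-security 2
#   up   "powershell.exe -ExecutionPolicy Bypass -File C:\\ovpn\\nrpt.ps1"
#   down "powershell.exe -ExecutionPolicy Bypass -File C:\\ovpn\\nrpt.ps1"
$Tag = 'openvpn-split-dns'   # comment used to find and remove our own rules

function Get-OvpnDnsServers {
    # Group dns_server_<n>_address_<m> / dns_server_<n>_resolve_domain_<m>
    # by server id n; per the manual quoted above, lower ids come first.
    $servers = @{}
    foreach ($v in Get-ChildItem Env:) {
        if ($v.Name -match '^dns_server_(-?\d+)_(address|resolve_domain)_\d+$') {
            $id = [int]$Matches[1]; $kind = $Matches[2]
            if (-not $servers.ContainsKey($id)) { $servers[$id] = @{ address = @(); resolve_domain = @() } }
            $servers[$id][$kind] += $v.Value
        }
    }
    return $servers
}

function Remove-OvpnNrptRules {
    # Remove only the rules this script created, identified by the comment tag.
    Get-DnsClientNrptRule | Where-Object { $_.Comment -eq $Tag } |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
}

Remove-OvpnNrptRules   # always clear stale rules first (idempotent on reconnect)
if ($env:script_type -eq 'up') {
    $servers = Get-OvpnDnsServers
    foreach ($id in ($servers.Keys | Sort-Object)) {
        $s = $servers[$id]
        # A server without resolve-domains is a general resolver, not a split
        # rule; NRPT rules are per namespace, so skip it here.
        if ($s.resolve_domain.Count -eq 0 -or $s.address.Count -eq 0) { continue }
        foreach ($d in $s.resolve_domain) {
            # Leading dot: match the domain itself and all of its subdomains.
            Add-DnsClientNrptRule -Namespace ".$($d.TrimStart('.'))" `
                -NameServers $s.address -Comment $Tag
        }
    }
}
```

Adding or removing NRPT rules requires an elevated PowerShell, and tagging the rules by comment lets the down run remove exactly the rules the up run created, so split-DNS rules never outlive the tunnel.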

cron2 commented 1 month ago

My understanding is that a full NRPT-using implementation of --dns for Windows is still being worked on. @d12fk might have more insights for us.