Client DNS with multiple VPN connections

I have a scenario where Windows client devices will be connected to two different VPN networks. The remote networks each have separate address spaces, 10.0.0.0/16 and 10.20.0.0/16 respectively. IP routes are established on the client machine so that traffic for those IP ranges is sent over the correct VPN connections, and all other traffic is sent over the internet as normal.

Here's where our fun starts. Each network also hosts its own Active Directory domain, which I'll call DomainA.com and DomainB.com. Ideally, I'd like the user to be able to access resources in either domain by FQDN, not just IP address. So, for example, server.DomainA.com would resolve to 10.0.0.50 and be contacted over the first VPN connection, and server.DomainB.com would resolve to 10.20.0.50 and be contacted over the second VPN.

Of course, the DNS servers in the 10.0.0.0/16 network don't know anything about DomainB.com, and the DNS servers in the 10.20.0.0/16 network don't know anything about DomainA.com. And the internet DNS doesn't know the correct address of either domain.

In a scenario like this, how would you go about getting DNS resolution to work for DomainA.com, DomainB.com and the internet? I feel like I should be able to tell Windows "Use X DNS server for DomainA.com" and "Use Y DNS server for DomainB.com". Is there any way to do that? If not, is there some other change I could make, either to the client devices or the remote networks?


I found an answer. You can use the Windows Name Resolution Policy Table (NRPT). This is, essentially, exactly what is requested in the question: a way to tell Windows to use a specific DNS server for a specific domain. You can configure NRPT using Group Policy, but in my case I configured it using PowerShell, specifically Add-DnsClientNrptRule.

Below is my final PowerShell script for managing a given NRPT rule:

# Namespace suffix; the leading "." makes the rule match every name under the domain
$Domain = ".DomainA.com"
# DNS servers reachable over the VPN for that domain
[string[]]$NameServers = "10.0.0.4", "10.0.0.5"

# Remove any existing rule for this namespace first (conflicting rules cancel each other out)
Get-DnsClientNrptRule | Where-Object Namespace -eq $Domain | ForEach-Object {Remove-DnsClientNrptRule -Name $_.Name -Force}
# Add the rule that sends queries for $Domain to the listed servers
Add-DnsClientNrptRule -Namespace $Domain -NameServers $NameServers

(Note the . at the start of the domain name string.)

I start by deleting any existing rules for that domain, because NRPT rules don't override each other. Instead, a conflict results in no rule being applied.

As another side note, I've read that nslookup doesn't respect NRPT rules. So don't be fooled by that if you are testing this out. In my tests ping, mstsc and other Windows components work perfectly with these rules in place.
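The following is an added example, not code from the answer above: it applies the same remove-then-add pattern to both VPN domains from the question in one pass, then checks the effective policy. The DomainB server addresses (10.20.0.4 and 10.20.0.5) and the use of Resolve-DnsName for verification are assumptions.

```powershell
# Added example: one NRPT rule per VPN domain, applied idempotently, then verified.
# Domain names and the DomainA servers come from the question; the DomainB
# server addresses are assumed for illustration.
#Requires -RunAsAdministrator

$Rules = @{
    ".DomainA.com" = @("10.0.0.4", "10.0.0.5")    # reached over VPN 1
    ".DomainB.com" = @("10.20.0.4", "10.20.0.5")  # reached over VPN 2 (assumed addresses)
}

function Set-VpnDomainNrptRule {
    param(
        [Parameter(Mandatory)][string]$Namespace,    # leading "." matches every name under the suffix
        [Parameter(Mandatory)][string[]]$NameServers
    )
    # Two NRPT rules for the same namespace do not override each other; the
    # conflict leaves no rule in effect, so clear any existing rule first.
    Get-DnsClientNrptRule |
        Where-Object Namespace -eq $Namespace |
        ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServers `
        -Comment "Split DNS over VPN for $Namespace"
}

foreach ($ns in $Rules.Keys) {
    Set-VpnDomainNrptRule -Namespace $ns -NameServers $Rules[$ns]
}

# Effective policy as the DNS client sees it: one entry per suffix with its servers.
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers

# nslookup bypasses NRPT, so test through the DNS client instead (assumed:
# Resolve-DnsName goes through the DNS client and therefore honours the rules).
Resolve-DnsName -Name "server.DomainA.com" -Type A
Resolve-DnsName -Name "server.DomainB.com" -Type A
```

Names outside both suffixes still go to the interface's normal DNS servers, so internet resolution is unaffected.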