"Primary" DNS when there are multiple network connections

Solution 1:

From the way your question is worded, it seems your expectation is that when Windows needs to resolve a name, it will ask the primary DNS server. And if the primary DNS server doesn't know the answer, it will then ask the secondary.

I hope the above isn't what you were expecting, but if it is, then let me show you why that's a mistake.

DNS doesn't work that way. The only time a resolver will failover to the secondary DNS server is when the primary does not respond at all. An example will clarify:

Suppose you have a primary DNS server at 1.1.1.1 and a secondary at 2.2.2.2. Your client is configured with them in this order. 2.2.2.2 hosts a private zone foocompany.local; 1.1.1.1 hosts no zones of its own, and does root lookups for internet hosts.

If your client tries to look up someserver.foocompany.local, 1.1.1.1 will return NXDOMAIN (e.g. "I queried the root servers and they say that domain does not exist"). Your resolver will not then ask 2.2.2.2 what it knows, unless 1.1.1.1 fails to reply within the timeout period (usually 2 seconds). It'll just quit looking. Further, your client will cache the NXDOMAIN result, as per RFC2308. Even if you change NIC settings such that 2.2.2.2 is the primary server, you'll still get NXDOMAIN results until that local NXDOMAIN cache is expired. You can verify this by issuing ipconfig /displaydns at the command prompt.

IIRC, Windows' DNS resolver caches NXDOMAIN for a short time - 5 minutes. But still this can be annoying.

Anyhow. I realize this is a little bit tangential to your problem, but clarifying this point may bring about an epiphany for your planned design. E.g., you may want the VPN's DNS server first to resolve after all. Although it is a tad slower, it knows more, since it can resolve both the domains private to the VPN and public internet domains; whereas the local LAN DNS resolver knows nothing of those domains private to the VPN.

Cheers!
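The resolver behaviour the answer above describes can be replayed in a small simulation. This is an added example and not code from the answer or from Windows: two constructed stand-in servers (1.1.1.1 public-only, 2.2.2.2 hosting foocompany.local, both addresses taken from the answer), a stub resolver that tries servers in order and fails over only when one does not reply at all, and a negative cache whose 300-second lifetime is an assumption based on the "5 minutes" the answer mentions. The fake clock, the `StubResolver`/`FakeServer` names and the zone contents are all constructed for the demonstration.

```python
"""Simulated stub resolver: failover only on timeout, NXDOMAIN cached (RFC 2308)."""
import time

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"
NEG_TTL = 300  # seconds; assumed from the answer's "about 5 minutes"


class FakeServer:
    """Constructed stand-in for a DNS server: a name -> address table."""

    def __init__(self, addr, zones=None, unreachable=False):
        self.addr = addr
        self.zones = zones or {}
        self.unreachable = unreachable

    def query(self, name):
        if self.unreachable:
            return TIMEOUT  # no reply at all within the timeout period
        return self.zones.get(name, NXDOMAIN)  # a definite "does not exist"


class StubResolver:
    """Servers are tried in order; the next one is consulted only when the
    previous one does not answer; an NXDOMAIN answer is cached for NEG_TTL."""

    def __init__(self, servers, clock=time.monotonic):
        self.servers = list(servers)
        self.clock = clock
        self.neg_cache = {}  # name -> expiry timestamp

    def set_servers(self, servers):
        # Changing the server order (or NIC settings) does not touch the cache.
        self.servers = list(servers)

    def flush(self):
        # Equivalent of clearing the client cache with 'ipconfig /flushdns'.
        self.neg_cache.clear()

    def resolve(self, name):
        now = self.clock()
        expiry = self.neg_cache.get(name)
        if expiry is not None and expiry > now:
            return NXDOMAIN, "negative-cache"
        for server in self.servers:
            answer = server.query(name)
            if answer == TIMEOUT:
                continue  # the only case in which the next server is asked
            if answer == NXDOMAIN:
                self.neg_cache[name] = now + NEG_TTL
            return answer, server.addr  # any real answer ends the search
        return "SERVFAIL", None


def walkthrough():
    """Replays the foocompany.local scenario; returns each observed step."""
    clock = [0.0]  # constructed clock so the run is deterministic
    public = FakeServer("1.1.1.1", {"www.example.com": "203.0.113.10"})
    private = FakeServer("2.2.2.2", {"someserver.foocompany.local": "10.0.0.5"})
    resolver = StubResolver([public, private], clock=lambda: clock[0])
    target = "someserver.foocompany.local"
    steps = {}
    # 1.1.1.1 answers NXDOMAIN, so 2.2.2.2 is never asked.
    steps["first"] = resolver.resolve(target)
    # Swapping primary and secondary does not help while the NXDOMAIN is cached.
    resolver.set_servers([private, public])
    steps["after_swap"] = resolver.resolve(target)
    # Once the negative entry expires, the private server is consulted.
    clock[0] += NEG_TTL + 1
    steps["after_expiry"] = resolver.resolve(target)
    # Failover to the secondary happens only when the primary does not reply.
    public.unreachable = True
    resolver.set_servers([public, private])
    steps["primary_down"] = resolver.resolve(target)
    return steps


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:>14}: {result}")
```

Running it shows the sequence the answer predicts: NXDOMAIN from 1.1.1.1, the same NXDOMAIN served from the local negative cache after the server order is swapped, the correct address only after the cache entry expires, and a genuine failover only once the primary stops responding.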

Solution 2:

It sounds like you want to set up split tunnelling. First, verify that your VPN software is setting up routing on your client PC correctly. The command:

route print

will display the routing table of your client host. You should have an entry for your office(?) network that points to the default gateway of your VPN interface. The main thing is that your default route with the lowest metric points to the default gateway of your LAN interface.

Once you have confirmed that routing is configured correctly, the next thing to check is the binding order of your network interfaces. This is the order in which various network services try each of your network adapters. Instructions on how to change it on Windows XP can be found here.

I can't find a similar KB article for Vista, but in summary:

From the 'Network Connections' window:

Organize -> Layout -> Menubar

The menu bar will appear. From there:

Advanced -> Advanced Settings

will get you into the options dialogue you need. In your case, your VPN adapter should be listed below your LAN interface.

NOTE: changing the binding order so that your local internet connection is used first could cause different issues relating to name resolution for hosts on your VPN network. It's difficult to determine without more information.

EDIT: Having thought about this a little more, I'm not sure how you could not use your VPN DNS when connected to your VPN. If you use internet DNS servers, then you wouldn't be able to resolve anything on the VPN that wasn't in public DNS. The only way I could think to do it would be to configure a local DNS server, and have it forward queries for your VPN DNS zone (*.local, from your example) to 192.168.0.3, and everything else to your ISP's DNS server.

Is using the company DNS server really causing you that much of a performance hit? Every resolution will be cached, and your actual data traffic will go direct onto the internet, bypassing your VPN.

Solution 3:

When the VPN is connected, Windows seems to ask the DNS servers of the VPN connection first, then the DNS servers configured for the LAN connection.

This is normal.

Most VPNs support a split-view and/or private view mode, where you have to ask for the internal DNS first, otherwise the public DNS would return the external address or NXDOMAIN.

I need this to be the other way around for performance issues, since the VPN is slow.

It may be possible to work around this but only if your internal DNS zone is completely private (i.e. using a fake TLD such as ".local"). As per Murali's answer, you'd need to run a local DNS server which forwards the query either to the VPN or to the public DNS depending on the suffix.
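The workaround proposed in Solution 2's EDIT and restated in Solution 3, a local DNS server that forwards by suffix, comes down to a conditional forwarder. The following is an added example, not code from either answer or from any real DNS server: `ConditionalForwarder`, `_normalize` and `demo` are names invented here, 192.168.0.3 is the VPN DNS address from the answer, the ISP resolver address 198.51.100.53 is a placeholder, and the two zone tables are constructed stand-ins for the upstream servers. It also covers the edge cases a real forwarder must get right: longest-suffix matching, case and trailing-dot normalisation, and not matching a name like local.example.com against the ".local" rule.

```python
"""Suffix-based conditional forwarder: .local -> VPN DNS, everything else -> ISP."""

VPN_DNS = "192.168.0.3"     # the VPN's DNS server, from the answer
ISP_DNS = "198.51.100.53"   # placeholder address for the ISP resolver (constructed)
NXDOMAIN = "NXDOMAIN"


def _normalize(name):
    """Lower-case and strip surrounding dots so 'Printer.LOCAL.' == 'printer.local'."""
    return name.lower().strip(".")


class ConditionalForwarder:
    """Picks an upstream resolver by DNS suffix, longest suffix winning;
    anything that matches no rule goes to the default (ISP) resolver.
    This only behaves well when the forwarded zone is completely private,
    as Solution 3 notes; a zone that also exists publicly would get the
    internal view for every name under it."""

    def __init__(self, default_upstream, rules):
        self.default = default_upstream
        # rules: iterable of (suffix, upstream_address), e.g. (".local", VPN_DNS)
        self.rules = sorted(
            ((_normalize(suffix), upstream) for suffix, upstream in rules),
            key=lambda rule: len(rule[0]), reverse=True,
        )

    def upstream_for(self, name):
        name = _normalize(name)
        for suffix, upstream in self.rules:
            # Match the zone apex or a name below it, never a label that merely
            # ends in the same letters ('local.example.com' must not match '.local').
            if name == suffix or name.endswith("." + suffix):
                return upstream
        return self.default

    def resolve(self, name, transports):
        """transports maps upstream address -> callable(name) returning an answer."""
        upstream = self.upstream_for(name)
        return transports[upstream](_normalize(name)), upstream


def demo():
    """Resolves a handful of constructed names and returns (answer, upstream) per name."""
    vpn_zone = {"fileserver.local": "192.168.0.10"}          # constructed
    public_zone = {"www.example.com": "203.0.113.10",       # constructed
                   "local.example.com": "203.0.113.20"}
    transports = {
        VPN_DNS: lambda n: vpn_zone.get(n, NXDOMAIN),
        ISP_DNS: lambda n: public_zone.get(n, NXDOMAIN),
    }
    forwarder = ConditionalForwarder(ISP_DNS, [(".local", VPN_DNS)])
    names = ["fileserver.local", "www.example.com",
             "local.example.com", "Printer.LOCAL."]
    return {n: forwarder.resolve(n, transports) for n in names}


if __name__ == "__main__":
    for name, (answer, upstream) in demo().items():
        print(f"{name:<20} -> {answer:<14} via {upstream}")
```

Only queries under the private zone cross the slow VPN link; public names go straight to the ISP resolver, which is the performance split the question is after, while anything else the VPN zone contains keeps resolving through 192.168.0.3.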