How should DNS be configured for remote VPN access to a Windows Domain?

Solution 1:

For Windows laptops that sometimes connect via VPN, how should their DNS be configured?

The network adapter should be configured with DNS local to itself, either ISP or home router DNS. The VPN adapter should receive the AD DNS servers you have listed via DHCP when connecting to the VPN. In addition, DHCP should be handing out the default domain name (domain.local) to support the answer to your next question:

How much control does a VPN client have over Windows DNS lookups? Should split tunneling be enabled?

Using fully qualified DNS names (FQDNs) from the remote laptop will ensure the request is associated with the VPN adapter and sent to the DNS servers on that adapter. If you rely on just hostnames, then your laptop will want to use the network adapter's DNS servers.

Using split tunneling is a matter of security preference. With it enabled, it is possible for the laptop to access both its local network and the VPN simultaneously, where there are endless possibilities for compromise. With split tunneling turned off, the laptop cannot access TCP/IP on the physical adapter and so will lose access to network printers and shares, while maintaining a 'tunnel' just to the VPN endpoint.
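As an added example (not part of the original answer), the client-side PowerShell equivalent of the configuration the answer describes: the physical adapter keeps its local resolver, the VPN adapter carries the AD DNS servers and the domain.local suffix, and split tunneling is left off. The connection name CorpVPN, the gateway vpn.example.com, the DNS server addresses 10.0.0.10/10.0.0.11 and the host dc01 are placeholders. Step 4 adds a Name Resolution Policy Table rule, which goes beyond what the answer describes: it pins every query for the domain.local namespace to the AD DNS servers regardless of which adapter's resolver Windows would otherwise pick, so a short name completed with the suffix does not leak to the ISP resolver.

```powershell
# Added example, not from the original answer. Placeholder values:
#   CorpVPN          - name of the VPN connection (assumed)
#   vpn.example.com  - VPN gateway (assumed)
#   10.0.0.10/.11    - AD DNS servers reachable through the tunnel (assumed)
#   domain.local     - the AD DNS suffix named in the answer
#   dc01             - hypothetical domain controller used only for the check
$VpnName   = 'CorpVPN'
$VpnServer = 'vpn.example.com'
$AdDns     = @('10.0.0.10', '10.0.0.11')
$AdSuffix  = 'domain.local'

# 1. Create the VPN connection for the current user. Split tunneling is left
#    off (the answer's safer option): all traffic goes through the tunnel.
if (-not (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType Automatic -RememberCredential -Force
}
Set-VpnConnection -Name $VpnName -SplitTunneling $false -Force

# 2. Leave the physical adapter on its local (ISP / home router) resolver.
#    This only displays the current state; nothing is changed here.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike "*$VpnName*" } |
    Format-Table InterfaceAlias, ServerAddresses

# 3. Once the VPN is up, the VPN adapter should carry the AD DNS servers and
#    the domain suffix. If the gateway does not push them, set them explicitly
#    on the VPN interface (it only exists while the connection is active).
$vpnIf = Get-NetAdapter -Name $VpnName -ErrorAction SilentlyContinue
if ($vpnIf) {
    Set-DnsClientServerAddress -InterfaceIndex $vpnIf.ifIndex -ServerAddresses $AdDns
    Set-DnsClient -InterfaceIndex $vpnIf.ifIndex -ConnectionSpecificSuffix $AdSuffix `
        -RegisterThisConnectionsAddress $false
}

# 4. Addition beyond the answer: an NRPT rule sends every query for
#    *.domain.local to the AD DNS servers whichever adapter's resolver
#    Windows would otherwise choose, so short names completed with the
#    suffix do not leak to the ISP resolver.
if (-not (Get-DnsClientNrptRule | Where-Object Namespace -eq ".$AdSuffix")) {
    Add-DnsClientNrptRule -Namespace ".$AdSuffix" -NameServers $AdDns `
        -Comment 'Route AD namespace queries to the VPN DNS servers'
}

# 5. Verify: an FQDN query must be answered by an AD DNS server over the
#    tunnel, and the cache should show the entry under the AD suffix.
Resolve-DnsName -Name "dc01.$AdSuffix" -Type A -DnsOnly
Get-DnsClientCache | Where-Object Entry -like "*$AdSuffix*" | Format-Table Entry, Data
```

Run it from an elevated prompt; steps 3 and 5 only do anything while the VPN is connected. If split tunneling is later enabled for the reasons the answer weighs, the NRPT rule is what keeps domain.local lookups on the tunnel while everything else uses the local resolver.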