How should DNS be configured for remote VPN access to a Windows Domain?
Solution 1:
For Windows laptops that sometimes connect via VPN, how should their DNS be configured?
The Network Adapter should be configured with DNS local to itself, either ISP or Home Router DNS. The VPN Adapter should receive the AD DNS servers via DHCP you have listed when connecting to the VPN. In addition, DHCP should be handing out the default domain name (domain.local) to support the answer to your next question:
How much control does a VPN client have over Windows DNS lookups? Should split tunneling be enabled?
Using fully qualified dns names (FQDN) from the remote laptop will ensure the request is associated with the VPN adapter and sent to the DNS servers on that adapter. If you rely on just hostnames then your laptop will want to use the Network Adapters DNS servers.
Using split-tunneling is a matter of security preference. With it enabled, it is possible for the laptop to access both their local network and the VPN simultaneously where there are endless possibilities for compromise. With split tunneling turned off, the laptop cannot access TCP/IP on the physical adapter and so will lose access to network printers and shares while maintaining a 'tunnel' just to the VPN endpoint.