OpenVPN Access Server not setting windows 10 client DNS IP Addresses

[profileadmin]

OpenVPN Access Server not setting windows 10 client DNS IP Addresseson TAP network interface.

Windows 10 Home Version 1709
Access Server version: 2.5
OpenVPN Connect 2.1.3.110


Description: TAP Adapter OAS NDIS 6.0
Physical Address: ‎00-FF-5D-DB-6D-9E
DHCP Enabled: Yes
IPv4 Address: 10.1.252.2
IPv4 Subnet Mask: 255.255.252.0
IPv4 Default Gateway: 10.1.252.1
IPv4 DNS Server:
IPv4 WINS Server:
NetBIOS over Tcpip Enabled: Yes
Link-local IPv6 Address: fe80::c86e:abd1:deda:6a7a%10
IPv6 Default Gateway:
IPv6 DNS Servers: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1


Routing is correct, I can ping anything on our domain by IP address just not by name. This use to work on Windows 7 but not working on windows 10?

[novaflash]

You are using the DNS resolution zones feature, therefore it is doing exactly as you instruct it to do. If you want the DNS server visible in your ipconfig output then empty the DNS resolution zones field.

[profileadmin]

that makes no sense, if you empty the fields it as least requires 127.0.0.1? I have also try
DNS Settings
Pushing DNS servers to clients is optional, unless clients' Internet traffic is to be routed through the VPN
Do not alter clients' DNS server settings No
Have clients use the same DNS servers as the Access Server host Yes
Have clients use specific DNS servers No

same issues

[profileadmin]

Got it, thanks

If anyone else has this issue please leave the following under VPN Settings:
DNS resolution zones (optional)
For split tunnels that only route private traffic (not internet traffic), specify a comma-separated list of internal domains that clients will resolve through the AS-pushed DNS server(s). Note that some clients (such as Windows) may only respect the first domain given.
DNS zones <LEAVE BLANK>

[novaflash]

Glad you found it! And to explain it a little further; DNS resolution zones uses NRPT on windows, which does split-DNS, meaning only specific zones are resolved through the DNS server pushed by the VPN server, and others are resolved through already configured and present DNS servers in the system. As such implementing the DNS server globally in the network interface configuration is a no-no, so it must be done in the NRPT, and that means it isn't visible.

I'm not entirely sure why those self-assigned ipv6 DNS servers show up, seems to be a curiosity in Windows.

[profileadmin]

Still not working though

[profileadmin]

PS C:\Users\carpe> Get-DnsClientNrptRule


Name : OpenVPNDNSRouting-0
Version : 2
Namespace : {.profilexxxx.xxx}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : {10.254.x.167, 10.255.x.167}
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName :
Comment :

[profileadmin]

PS C:\Users\carpe> netstat -rn
===========================================================================
Interface List
3...48 ba 4e 54 5e f8 ......Realtek PCIe GBE Family Controller
7...d4 6a 6a 24 5f 33 ......Realtek RTL8822BE 802.11ac PCIe Adapter
8...d6 6a 6a 24 5f 33 ......Microsoft Wi-Fi Direct Virtual Adapter
15...00 ff ab dc 4e e2 ......TAP Adapter OAS NDIS 6.0
18...d4 6a 6a 24 5f 34 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.77.1 192.168.77.2 25
10.0.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.1.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.2.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.3.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.4.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.9.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.16.0.0 255.255.0.0 10.254.6.1 10.254.6.2 136
10.254.0.0 255.255.252.0 10.254.6.1 10.254.6.2 136
10.254.6.0 255.255.255.0 On-link 10.254.6.2 291
10.254.6.2 255.255.255.255 On-link 10.254.6.2 291
10.254.6.255 255.255.255.255 On-link 10.254.6.2 291
10.255.0.0 255.255.252.0 10.254.6.1 10.254.6.2 136
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.0 255.255.255.252 10.254.6.1 10.254.6.2 136
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.77.0 255.255.255.0 On-link 192.168.77.2 281
192.168.77.2 255.255.255.255 On-link 192.168.77.2 281
192.168.77.255 255.255.255.255 On-link 192.168.77.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.254.6.2 291
224.0.0.0 240.0.0.0 On-link 192.168.77.2 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.254.6.2 291
255.255.255.255 255.255.255.255 On-link 192.168.77.2 281
===========================================================================

[profileadmin]

but I can reach everything by IP address just not DNS name?
PS C:\Users\carpe> ping frontiernas
Ping request could not find host frontiernas. Please check the name and try again.
PS C:\Users\carpe> ping 10.1.0.7

Pinging 10.1.0.7 with 32 bytes of data:
Reply from 10.1.0.7: bytes=32 time=122ms TTL=62
Reply from 10.1.0.7: bytes=32 time=118ms TTL=62
Reply from 10.1.0.7: bytes=32 time=117ms TTL=62
Reply from 10.1.0.7: bytes=32 time=116ms TTL=62

Ping statistics for 10.1.0.7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 116ms, Maximum = 122ms, Average = 118ms

[novaflash]

I suggest monitoring tcpdump while filtering for port 53 traffic, see if the DNS requests make it from the VPN client to the VPN server. If it does, but it still does not work, then it's an issue with your network setup or your DNS server or something as the requests are then obviously making it to the VPN tunnel. If you don't see queries through the VPN tunnel then try manually setting the DNS server in the OS to see if that makes a difference at all. It then likely is an issue with the OS network configuration or some weird combination of factors breaking DNS resolution on the client system.

To monitor DNS requests on the Access Server, as root user:
apt-get update
apt-get install tcpdump
tcpdump -eni any port 53

Then do some ping tests to resolve DNS addresses. If you see results and you see things like NXDOMAIN then the DNS server doesn't know the record you're trying to query.

[profileadmin]

FYI, it was my MalwareBytes causing it from the web protection, I had to add exclusion for my DNS servers IP Addresses. It is an issue they are working on resolving.

[novaflash]

Ah okay. Yes, I have heard a report or two about malwarebytes before. They're good guys though, and their software is great, but this particular bit is a little too protective I think.