[Solved] Windows 10 - block-outside-dns - wpad issues

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
lexios
OpenVpn Newbie
Posts: 6
Joined: Mon Jul 25, 2016 9:58 am

[Solved] Windows 10 - block-outside-dns - wpad issues

Post by lexios » Wed Jun 20, 2018 6:30 am

Hello to the community.

Using Windows 10 1803 (and 1709) and trying to make OpenVPN work properly as a client.
I imported "setenv opt block-outside-dns" on the client configs and the results are as expected, thus, the OpenVPN interface is automatically set to InterfaceMetric = 3 and DNS queries on other interfaces are blocked.

PS> Get-NetIPInterface

Code:

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
1       Loopback Pseudo-Interface 1     IPv6            4294967295              75 Disabled Connected       ActiveStore
6       OpenVPN                         IPv4                  1500               3 Enabled  Connected       ActiveStore
2       Ethernet                        IPv4                  1500               5 Enabled  Disconnected    ActiveStore
10      Wi-Fi                           IPv4                  1500              30 Enabled  Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore

Code:

Wed Jun 20 00:24:23 2018 Block_DNS: WFP engine opened
Wed Jun 20 00:24:23 2018 Block_DNS: Added a persistent sublayer with pre-defined UUID
Wed Jun 20 00:24:23 2018 Block_DNS: Added permit filters for exe_path
Wed Jun 20 00:24:23 2018 Block_DNS: Added block filters for all interfaces
Wed Jun 20 00:24:23 2018 Block_DNS: Added permit filters for TAP interface

Up to this point everything works as expected, the clients connect to the BSD OpenVPN server fine.

BUT, this setup works properly only when connecting over the Wifi interface.
If we connect via Ethernet, again the client properly connects and routing works fine.

1. I can ping internal and external hosts
2. I can nslookup properly any hostname

But what I can't do is to browse the Internet via Edge or IE or PS Invoke-WebRequest.

* IE
When opened, it remains in an "opening state" where we see the IE window but nothing is loaded.
In addition, we can't even get to IE menus as the browser seems not be fully loaded.

* Edge
Opens up and nothing is loading. When entering any hostname/IP the browser doesn't even try to load the page.
It's like it just stays there.

* Invoke-WebRequest -uri xxx.xxx.xx
Hangs without erroring out

* Firefox
WORKS FINE


All of the above will never timeout and will just stay in that state indefinitely.

At that point, if I kill the OpenVPN client service, everything wakes up and functions properly.

Now the above behavior does not happen if I don't use the block-outside-dns


At that point, I tried to disable the wpad script on IE (that would affect the OS as well) and the issue was resolved.


Summarizing when the issue occurs:
1. When connected to Ethernet only AND
2. When using the native software (not Firefox) AND
3. When wpad script is in use AND
4. When block-outside-dns is used

I know this is a possible scenario for many enterprises (using a wpad script) and also block-outside-dns is avoiding DNS leakage, which is also necessary from a security perspective.

It seems like the problem has something to do with resolving something on DNS (dnscache?) and not being able to do so.
Since the wpad script is the first DNS lookup a browser will do in Windows there could be an issue where this lookup is killed by block-outside-dns.

I have noticed that there is a strange lookup being made repeatedly when the browsers open for the first time after a reboot.

What I am thinking of trying is to disable Multi-Homed DNS resolution.

DisableSmartNameResolution


Has anyone else faced this strange issue?
--
Alex

lexios
OpenVpn Newbie
Posts: 6
Joined: Mon Jul 25, 2016 9:58 am

Re: Windows 10 - block-outside-dns - wpad issues

Post by lexios » Wed Jun 20, 2018 1:02 pm

The issue is now fixed! I just disabled Smart DNS lookups with the GP below.

Prefer link local responses over DNS when received over a network with higher precedence Disabled
Turn off smart multi-homed name resolution Enabled
Turn off smart protocol reordering Enabled


--
Alex
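
A read-only check of the three conditions this thread pins down (the VPN adapter holding the lowest interface metric, the smart multi-homed name resolution policy, and WPAD auto-detect for the current user). This is an added example, not code from the thread or from OpenVPN; the adapter alias pattern, the policy value names and the byte layout of DefaultConnectionSettings are assumptions noted in the comments.

```powershell
# Added diagnostic (not from the thread): reports the conditions discussed
# above without changing anything. HKCU is read for the WPAD flag, HKLM for policy.

# 1. Is the OpenVPN adapter the lowest-metric connected IPv4 interface?
#    block-outside-dns sets it to 3, as the OP's Get-NetIPInterface output shows.
$ifs = Get-NetIPInterface -AddressFamily IPv4 |
       Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notlike 'Loopback*' } |
       Sort-Object InterfaceMetric
$ifs | Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize
$vpn = $ifs | Where-Object InterfaceAlias -like 'OpenVPN*'   # alias assumed; adjust to your TAP adapter name
if ($vpn -and $ifs[0].ifIndex -eq $vpn.ifIndex) {
    "OK: VPN adapter has the lowest metric ($($vpn.InterfaceMetric))"
} else {
    "WARN: VPN adapter is not the preferred interface"
}

# 2. Smart multi-homed name resolution / smart protocol reordering policy
#    (the Group Policy settings that fixed the issue in this thread).
#    Value names assumed from the DNSClient policy key; 1 = feature turned off.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
foreach ($name in 'DisableSmartNameResolution', 'DisableSmartProtocolReordering') {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { "OK: $name = 1 (policy Enabled)" }
    else          { "INFO: $name not set (default: smart resolution active)" }
}

# 3. WPAD auto-detect flag for the current user. Byte 8 of DefaultConnectionSettings
#    holds the connection flags; 0x08 = "Automatically detect settings", 0x04 = PAC URL.
#    Layout assumed from common descriptions of this blob, not from the thread.
$conn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$blob = (Get-ItemProperty -Path $conn -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($blob -and $blob.Length -gt 8) {
    $flags = [int]$blob[8]
    if ($flags -band 0x08) { "INFO: WPAD auto-detect is ON (flags=0x{0:X2}); first browser lookup will be for 'wpad'" -f $flags }
    else                   { "OK: WPAD auto-detect is OFF (flags=0x{0:X2})" -f $flags }
    if ($flags -band 0x04) { "INFO: an explicit PAC URL is configured" }
} else {
    "INFO: no DefaultConnectionSettings value found for this user"
}
```

If all three report the problematic combination (VPN metric lowest, policy not set, auto-detect ON) on an Ethernet-connected machine, the setup matches the failing case described in the first post.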

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Windows 10 - block-outside-dns - wpad issues

Post by TinCanTech » Wed Jun 20, 2018 1:16 pm

Thanks for letting us know your solution 8-)

Do you have any details which others can follow?
(I am not particularly familiar with new Windows)

ValdikSS
OpenVpn Newbie
Posts: 6
Joined: Thu Sep 24, 2015 10:00 am

Re: [Solved] Windows 10 - block-outside-dns - wpad issues

Post by ValdikSS » Wed Jun 20, 2018 6:07 pm

lexios, do you use an internal domain name in the Proxy Auto-Configuration URL? Is it available from the VPN? Could it be it returns a different IP address if resolved within the LAN and from the Internet?
I have no issues with PAC URL with Internet address, which uses Internet proxies.
