Force DNS Lookup Over Windows VPN Connection

A common problem with Remote Access VPN connections is how to force DNS name resolution across the VPN tunnel. With Windows you will likely need to modify the Windows DNS Client behavior by changing the Network Interface Binding Order (older versions of Windows), or Network Interface Metric (Windows 10).

According to the Microsoft Networking Support Team, “The only known component that used the binding order was DNS ordering. By default, Windows uses the Route Metric + Interface Metric to determine which route has the highest priority by choosing the route with the lowest value.” Because of this, you may need to adjust the interface metric(s) using GUI, PowerShell (Set-NetIPInterface -InterfaceMetric), or netsh (int ip set inerface=”…” metric=…) to ensure that the VPN connection(s) automatically assigned metric will be lower (preferred) over any wired or wireless connection you may be using to access the Internet on your computer.

For reference, here are two StackExchange Q&A discussions of the problem and solution options.

An important note is that when adjusting the interface metric(s) on Windows 10, you should only adjust the metric on NON-VPN interfaces since the VPN interface metric will be reset automatically every time you connect. Base the setting of your other interface metric on the automatic value you see assigned to your VPN connection so that the VPN will always be preferred (lower metric).

Good luck with your Windows VPN DNS troubleshooting and repair tasking! 🙂

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in Networking, System Administration and tagged , , . Bookmark the permalink.

2 Responses to Force DNS Lookup Over Windows VPN Connection

  1. Additional tip: It is possible to set the VPN InterfaceMetric via GPO, although there is no direct GPO setting for it.

    We can verify the value of “InterfaceMetric” of all network interfaces by executing Get-NetIPInterface in PowerShell. To force DNS resolution via VPN for the VPN we want to set a value lower than all other interfaces. (See

    Setting the VPN InterfaceMetric may be done through GPO / Computer Configuration / Preferences / Windows Settings / Ini Files, by modifying the file C:\ProgramData\Microsoft\Network\Connections\pbk\rasphone.pbk, which is an INI-style file. Insert this path in the field File Path in the GPO.

    You may take a copy of the file rasphone.pbk and open it in Notepad to check its structure.

    You will see that each VPN connection has a section name like “[My VPN]” Type it without the brackets in the field Section Name in the GPO. The property we need to change is IpInterfaceMetric, so type this name in the field Property Name in the GPO. As default it is set to zero which means ‘automatic metric’; but change it to a value lower than any other network interface. It seems we may even set it to 1. Type in the value of your choice in the field Property Value in the GPO.

    When you have run gpupdate at the client, you may verify the setting in the VPN GUI.

    You may change other VPN options via GPO in the same way. For example, to set “Use default gateway on remote network” on your VPN connection, set the property IpPrioritizeRemote to 1.

  2. mmadeira says:

    I have not verified the claim that the metric gets reset upon connection. Ican reboot the PC and metric for the VPN connection will persist. I am using VPN configuration in C:/Users/ and not the global directory.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s