SSL VPN issue with DNS on Windows 10

Some (but not all) of our Windows 10 users are having a DNS problem when connecting to our local internal network via SSL VPN.

The IP range for our internal network is 192.168.31.0/24. SSL VPN users all get addresses in the 10.242.2.0/24 range.

Our UTM provides DNS services for local network. We have several internal servers which are ONLY accessible from the LAN, or from an SSL VPN connection to the LAN. They have only private IP addresses.

Here's the problem. Our Windows 10 users (again, only some of them) connect successfully to the VPN. They then try to connect to one of our local servers via an IP name (for example, "projectserver.mydomain.com" which points to, for example, 192.168.31.4). The specific error varies, depending on what application they're using, but basically, it's an "NXDOMAIN" error.

The error occurs because, even though they're connected to the VPN, their PC has prioritized their regular (non-VPN) network connection. So when an app on their computer requests a domain name address, the request goes to their normal internet connection to a public DNS server, not over the VPN to our UTM's DNS server. The UTM knows about "projectserver.mydomain.com", but the public DNS server does not, hence the error.

If the user happens to know the numeric IP address (say, 192.168.31.4), they can type that in instead of projectserver.mydomain.com, and it works.

In Windows 7 and earlier, this was never a problem for us. If the SSL VPN connection was active, it was always prioritized and got all DNS requests. With Windows 10, it doesn't always work that way. This may well be a Windows problem and not a UTM problem, but either way, there must surely be a fix by now. Does any one have any suggestions?

  • Hi, Bruce, and welcome to the UTM Community!

    Fellow member Twister5800 was the first (before Sophos!) to have solved this problem.

    Cheers - Bob

  • Thanks, Bob. In reading the thread, I note that the problem was supposed to have been fixed in UTM firmware version 9.316. Do you know if that actually happened? I haven't had the problem myself, so I can't really test. It may be that our users who are experiencing the problem are still using older versions of the SSL VPN software. If I can just direct them to log back into the user portal and download the current version, that's going to be the easiest solution. (We're running 9.354-4.)
  • In reply to BruceGiles:

    Please let us know if that resolved the issue for them, Bruce.

    Cheers - Bob
  • Just to be certain, you've set the options (Domain and UTM for DNS) at Remote Access > Advanced, correct?
  • In reply to Scott_Klassen:

    Yes, that's correct. Both the DNS servers and the domain name are set in the advanced options.

    -- Bruce

  • In reply to BAlfson:

    I don't know if it's resolved or not. We had a whole flurry of issues with this when a bunch of our users upgraded to Windows 10. Most of them "solved" the problem by switching to using the dotted-decimal IP addresses for our local servers. (Which will continue to work as long as we don't move any of our servers to new IP addresses.)  In the last several weeks, we haven't had any more instances of the problem. If it does come up again, I'll get them to re-download the client software and see if that solved the problem.

  • In reply to BAlfson:

    Quick Question, in the Advanced area where it says domain.  Is this the External FQDN of the UTM or the internal as my internal domain is utm.domain.local and my external is gw.company.com.

    Thanks!

  • In reply to DonV:

    Don, it's just the internal domain - company.local.  That gets added to make "server" into "server.company.local," thus allowing name resolution.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    this thread is now one year old and I still have that same issue, yes me - the UTM admin himself! :-)  I just installed the latest client from the Portal but still the problem persists. Can you confirm this? Should I switch to the OpenVPN client?

     

    It looks like this on the command line:

    > ping xy.fqdn.com
    Ping request could not find host xy.fqdn.com. Please check the name and try again.
    > nslookup xy.fqdn.com
    Server: dnsserver.fqdn.com
    Address: 10.2.1.2
    Name: xy.fqdn.com
    Address: 10.2.1.72
    > ping xy.fqdn.com
    Ping request could not find host xy.fqdn.com. Please check the name and try again.
    > nslookup xy
    Server: dnsserver.fqdn.com
    Address: 10.2.1.2
    Name: xy.fqdn.com
    Address: 10.2.1.72
    > ping xy
    Ping request could not find host xy.fqdn.com. Please check the name and try again.
  • In reply to astiadmin:

    Just a hint: I think it is better if I use a network cable instead of my wireless network but that may be a coincidence.

  • In reply to astiadmin:

    I don't know as I cannot reproduce this behavior on 9.409.

    Cheers - Bob

  • In reply to astiadmin:

    I guess the problem you’ve mentioned is common for windows 10 users when it comes to SSL VPN, I have managed to resolve the issue for my client by changing VPN Adapter metric to take precedence over all other adapters and adding remote domain to “VPN Adapters TCP IPV4 > Properties > Advanced > DNS & selecting Append these DNS suffixes (in order)”

     

    I hope above suggestion will resolve the issue for you.