Private DNS resolver randomly stopped working for point-to-site VPN

Alex L 20

Hi there,

Months ago I setup an Azure point-to-site Network Gateway VPN client along with a private DNS resolver. I configured the VPN client with the following:

  <clientconfig>
    <dnsservers>
        <dnsserver>10.X.Y.Z</dnsserver>
    </dnsservers>
    <dnssuffixes>
        <dnssuffix>.my.custom.domain</dnssuffix>
    </dnssuffixes>
  </clientconfig>

Everything was working fine. Then all of a sudden last week, when new VPN users would download the VPN client config and set up their local VPN client, DNS was no longer resolving. However, on my computer that didn't download the latest VPN client config, DNS was still working. I just removed my VPN config and re-added it using the same exact config as I was using previously, and now I can't resolve DNS either. Yet, I'm able to connect to the DNS server and use it when I specify it. See below for two nslookup examples where one specifies the DNS server:

$ nslookup foo.my.custom.domain                                                                                                                                                                                                                 
Server:		192.168.X.Y
Address:	192.168.X.Y#Z
** server can't find foo.my.custom.domain: NXDOMAIN

$ nslookup foo.my.custom.domain 10.X.Y.Z # my private DNS resolver IP                                                                                                                                                                                                     
Server:		10.X.Y.Z
Address:	10.X.Y.Z#A
Non-authoritative answer:
Name:	foo.my.custom.domain
Address: 10.A.B.C

Any ideas why this is happening and how I can fix it? I've also tried downloading the latest VPN client config but that doesn't work either. I think maybe the Azure VPN app was updated on my mac too? Although I can't remember. Maybe that broke something?

Thanks for your help!

Luke Murray 10,636 Reputation points MVP

2023-11-16T02:49:45.8933333+00:00

Hi, Alex

Every time you download the latest config from the portal - it doesn't have your custom DNS config, you are essentially overwriting the config with the default one. The VPN users need to use a config that has the private DNS resolver set, this is in the config that you have modified - not the one straight from Azure with none of the custom config.
Riaan-VS 356 Reputation points

2023-11-16T23:26:49.5733333+00:00
Hi Alex,

I had the exact same issue just a week ago.

Really strange to be honest.

But i managed to find a solution that worked for me:

Download the Config again from the Azure portal (From the VPN Gateway Point to Site configuration pane)

Unpack the ZIP archive

Go to the AzureVPN folder

open the azurevpnconfig.xml file

Look for the line that states: <clientconfig i:nil="true" /> delete that.

Give a enter underneath </clientauth>

And paste your config as stated below: (obviously change to your suffix and ip's ;))

<clientconfig> <dnssuffixes> <dnssuffix>.yxz.com</dnssuffix> </dnssuffixes> <dnsservers> <dnsserver>1.2.3.4</dnsserver> <dnsserver>2.3.4.5</dnsserver> </dnsservers> </clientconfig>

Leave the rest as default. And save it for deployment.

Whenever i import that profile to a client (intune) or manually i can see a dns server again in the Azure VPN client (3.2.0 the newest one). That was not showing anymore after a update?

I am also able to resolve DNS Short names again.

I do not know what caused the issue, just been testing allot and finally this worked for me.

I discovered in the last week when giving the command:
"netsh namespace show effectivepolicy" there was no output. And there was no DNS suffix showing. Whenever i applied the fix as posted above i can now see proper output again and a DNS suffix, with the right Private DNS resolvers.

<clientconfig i:nil="true" /> is the strange part for me.
I have deployed the configuration with just that line in the XML in Intune for my endpoints. And it worked for like 5 months now. After "some update" it broke i guess? Looks like the client ignores anything if you use that line now except for the routes you define.

Anyway hope this works for you aswell!
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-20T11:35:37.07+00:00

@Alex L

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

As stated by Luke Murray, you should manually add the "dnssuffixes" and "dnsservers".

A good design is to have the Admin distribute the updated client configuration file instead of letting users download the config file directly from the VPN Gateway.

By any chance, do you have an Intune profile configured?

Cheers,

Kapil
Alex L 20 Reputation points

2023-11-21T04:00:59.8266667+00:00

@Luke Murray and @KapilAnanth-MSFT , I didn't explain myself well... I'm updating the downloaded client config with the <clientconfig> XML I shared in my original post. So the config I'm using has the DNS configured, but DNS queries still aren't working. I just tried again with a fresh client config downloaded from the portal, and the issue still exists.

Kapil, the design you're recommending is what I'm doing. As for Intune, I don't know what this is so I assume I don't have a profile configured.

By the way, when I connect to the VPN, the Azure VPN UI shows me that the correct DNS server is configured. But my Mac doesn't know to use that DNS server unless I specify it explicitly eg in my nslookup examples in my original post.

Thanks for your help!
Alex L 20 Reputation points

2023-11-21T04:05:51.45+00:00

@Riaan-VS , thanks for your response. Unfortunately this didn't solve my problem.
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-24T06:36:38.35+00:00

@Alex L

This looks like an OS misconfiguration and would require a deeper investigation.

So if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Cheers,

Kapil
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-27T11:10:21.51+00:00

@Alex L

Did you get a chance to open a support ticket with Azure?

Please let us know if you are facing any challenges.

Cheers,

Kapil.
Alex L 20 Reputation points

2023-11-27T17:47:24.24+00:00

@KapilAnanth-MSFT I can open a ticket. I'll let you know what I learn. Thanks!
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-28T05:49:49.2333333+00:00

@Alex L

Thanks for keeping us updated.

Cheers,

Kapil
Alex L 20 Reputation points

2023-11-28T21:36:00.4466667+00:00

@KapilAnanth-MSFT , the issue was resolved when I restarted my laptop. I believe what happened was a new version of the Azure VPN was installed via the Mac App Store. This new version broke DNS for some reason. But after a restart, the issue was resolved. Thanks for your help!
Alex L 20 Reputation points

2023-11-28T21:36:33.82+00:00

The issue was resolved when I restarted my laptop. I believe what happened was a new version of the Azure VPN was installed via the Mac App Store. This new version broke DNS for some reason. But after a restart, the issue was resolved. Thanks for your help!
KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-29T04:11:39.88+00:00

@Alex L

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Thank you for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 39,461 Reputation points Microsoft Employee

2023-11-29T04:06:59+00:00

@Alex L

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

You informed us that DNS configurations from the VPN Client File was not working and you don't have an Intune profile configured.

Further, the issue was resolved once you restarted the Mac device.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Private DNS resolver randomly stopped working for point-to-site VPN

0 additional answers