Force Windows to Use a VPN's DNS Server

I often connect to my home network when I'm on the road, to encrypt my traffic as well as access my computers at home. Unfortunately, even though I had set up the VPN as the default route ("Use default gateway on remote network"), which encrypted most traffic, I noticed that my DNS queries were still being passed to the local (untrusted) DNS server rather than the one at home. Not only is this insecure, it also makes it difficult to use the hostnames of my home network devices.

Fortunately, the fix is pretty easy once you know it. Based on Microsoft KB311218, I discovered that the problem is a faulty binding order, which causes the dialup/VPN network adapter to be secondary to the local network adapter(s) with respect to DNS priority. These steps fixed my problem:

  1. Open Regedit.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
  3. In the right pane, double-click Bind
  4. In the value text box, select the "\Device\NdisWanIp" item, press CTRL+X, click the top of the list of devices, and then press CTRL+V.
  5. Click OK, and then quit Registry Editor.
  6. Restart your VPN connection.

The article only mentions 2000 and XP. According to the comments below, Windows 7 has similar issues.

Comments

  • John
  • April 3, 2010
  • 2:13 pm
Your procedure, slightly adapted, worked beautifully on my Windows 7 laptop running the Cisco VPN client.
Instead of performing step 4 as you've listed,(because my Bind pop-up window provided me with non-human readable strings) I simply cut the string at the bottom of the Bind list and pasted it at the top so that it was the first entry. I closed the Registry Editor and restarted the VPN client. It now works like a charm.!!!
After looking at over 100 web forums for help, this was the one that made the critical difference. thanks!!!
John
  • Bill
  • May 29, 2010
  • 4:41 pm
Great post. Also helped me as well with Win7 and a Fortigate SSL VPN dns issue.
  • Carlos
  • June 29, 2011
  • 7:43 am
Thanks a lot that helped me too with WIndows 7 and Cisco VPN client. I also had only GUIDs in this registry key and no clue which of this GUIDs was my Cisco VPN adapter. After a little bit searching around in the registry I found the following key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards]

I compared the content of the Linkage key with the GUIDs of the nic in the network cards key and was able to find all guids but one. That one was the GUID of the Cisco VPN adapter. I moved this GUID to the top of the list and the bindung order was correct again.

Carlos
Great addition, Carlos. Thanks!
  • Victor
  • August 17, 2011
  • 5:35 am
Thank you! This helped me to resolve DNS problem on my Windows 7 x64 box using Cisco VPN client.
  • wharton
  • February 13, 2012
  • 10:26 am
Thanks, it helps me, and alittle different from Carlos', i find the GUIDs Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
click each GUID, we can see the details includes DNS value...

  • pds
  • March 22, 2012
  • 12:41 am
Nice post, fixed my wagon too. I'm using Cisco VPN 5.07 on Win7 64 and could not figure out how to set DNS priority for my VPN over my local network.

Many Thanks!
  • Insitec helpdesk
  • May 2, 2012
  • 3:23 am
Also -try using NETSH to define the primary DNS for the VPN tunnel.
EG :
netsh int ipv4 set dns name="vpn linkname" static 192.169.0.3 primary

where 0.3 is the prefered DNS server, sets it as the primary DNS.
vpn linkname will be a variable for your system, so change this as required, and is typed in " " marks
  • Trey Bianchini
  • May 18, 2012
  • 8:29 pm
just like they said I figured out which one of the interfaces was the vpn and put it on the top of the bind list and I am resolving....

Thank YOU!!!!!!!!!!

This was driving me nuts!
  • Josh
  • August 3, 2012
  • 12:42 pm
The regedit commands did not work for me (windows 7 professional), but the netsh command did the trick. It should be noted that the 'name=""' part refers to the name of your connection - in my case it was "Local Area Connection 2". Thanks!!
  • Eugene
  • August 8, 2012
  • 4:46 pm
Hi. I have an issue with Cisco VPN and Windows 7.
This solution works like a chamr but.
Is there any way to do this change permament for USB Modems ???
I see that when i disconnect and connect again USB Modem rewrite again HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
and and guid show on first place.

I know i can put more than one copy of this string on bottom, but when i recconect my interent one of this string will be deleted.

Is there any way to do this permament to show win7 that when i establish VPN connection use DNS from VPN not from IPS ???

I use advance settings for network cards, and my VPN connection is on first place too.

There is one wat to do this but not premament. When i go to advance setting for ipv4 in cisco vpn and don't change anything but use ok then ok and ok I saw that my dns change to right one from vpn.

O and ofc on XP works like a charm :)
  • JC
  • September 14, 2012
  • 4:06 pm
Hi everyone. I would like to know how can I bind to interfaces using DNS servers with netsh and then, how Can I order my vpn server on debian to give address to my openVPN Tap in windows?
  • Panta
  • October 25, 2012
  • 3:14 pm
Thanks for the fix. What an obscure bug.
  • Reader
  • February 14, 2013
  • 7:05 am
But this priority is only working, if the answer comes back in 1 second. Then the other servers will be asked and thats a security problem - could be.
  • Ian
  • July 5, 2013
  • 1:57 am
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces you can on the fly change your DNS ( Name Server ) Server. Very useful for the above and testing. Might now try putting a DNS server on the local machine and set the Name server to 127.0.0.1
  • Lee
  • March 27, 2014
  • 9:10 am
From what I can see, the netsh command only sets the DNS setting in the adapter to be manually set, just like turning it from auto set to manually set in the options, and typing in the IP address. I don't see it doing anything useful. And I don't even see it working as described above. When I enter the 'VPN (corporate)' DNS server in the VPN adapter, it still isn't used. When I enter the home DNS AND the corporate DNS as primary and secondary DNS in the primary (cable or wireless) adapter settings, THEN it works for both local/home and corporate DNS entries. This, however, breaks things if you take your PC somewhere not home or corporate. I wish it did work with the VPN adapter settings as described.
  • Andy
  • July 28, 2014
  • 10:42 am
Hi. Thank you so much for this fix!! Couldn't find the string for my adapter so just went through one by one putting them at the top of the entry and it worked on the 4th one! Nslookup now returning the correct VPN (Windows 7). Nice find mate.
  • ruben
  • October 10, 2014
  • 5:10 pm
FANTASTIC THAT POST IS THE POINT TO SOLVE ALL THIS PROBLEM, THANK YOU A LOT SIR!!!
  • Tomas
  • April 10, 2015
  • 4:35 am
I had a similar problem. After connecting to VPN the DNS order was different than set in the VPN, so I could not resolve the intranet addresses from VPN client. The problem was, that I was assigning the VPN hosts the IP addresses from the same range as on the intranet. After I configured the different address range, the DNS servers were in correct order.
  • Ben
  • May 19, 2015
  • 11:53 am
You are my hero and i'm live again
  • Daniel
  • July 27, 2015
  • 4:48 pm
Top stuff :)
  • Daniel
  • July 27, 2015
  • 4:49 pm
Top stuff -- the comments are excellent too!
  • Bob
  • June 11, 2016
  • 5:00 am
As everyone else mentioned this fixed my problem. I was just wondering why all the other search hits on this issue, not one has a clue. Most give the same answers that indicate they never saw this problem and just giving generic answers which are useless. Anyway thanks for the answer!
  • rular
  • December 16, 2016
  • 7:17 am
It helped me not. But I figured something else out. some new broadband routers give ipv6 addresses and dns-servers via dhcp to internal clients. like speedport models from Deutsche Telekom do (speedport w724v). So the problem is, that these ipv6 dns-servers are more priorized than ipv4 dns-servers - so they will be asked first. There is no chance to reorder these dns-servers - except deactivate the ipv6 protocol on the wifi or cabled connection. Then the ipv6-dns-server is away.
  • Aws Albayati
  • June 13, 2017
  • 5:46 am
WoW, i was looking for a solution about this for a long time, thanks.

Leave a Comment

  • After submission, your comment will be held for moderation until it is reviewed
Please wait ...

There was an error fetching the requested dialog.