Typically when configuring a remote access VPN, the goal is for DNS requests to be resolved by DNS servers on the remote/server side of the VPN connection.
This is either because the connection is from a less trusted network to a more trusted one – i.e. from home to office, and so split tunnels are not allowed. Even if split tunnels are allowed, the local client network is typically less complex and can use broadcast name resolution while the remote network is complex so using it requires DNS.
Since this is the predominant configuration, this is how most VPN clients are configured and many, including the Windows VPN client, do not offer an option to change this configuration.
In some cases, however, it makes sense for DNS resolution to remain local to the client side of the VPN connection. This is useful when the connection is from a more trusted and complex network to a less trusted and complex network. For example, a connection from the office network to a lab network or to a home network, would benefit from keeping DNS resolution on the client side of the connection.
I ran into this problem trying to configure a connection to my lab that would allow me to keep the connection open while working on the office network.
Unfortunately, this isn’t easy to do this with the VPN client that is included in Windows Vista/7 (The VPN client with Windows XP had an issue that resulted in a side effect with this exact configuration). While Windows does allow configuring the binding order to different interfaces using the ‘Advanced Settings’ menu option in the ‘Network Connections’ control panel, changing the binding order for ‘[Remote Access Connections]’ doesn’t seem to have any impact.
The binding order is stored in the registry in the following location: HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind. The list includes all the device GUIDs for network adapters and active connections in the binding priority order.
When working with the registry key, the following facts emerge:
- Changing the order of the GUIDs in the registry does impact the binding order, including for VPN connections
- Any changes to the key take effect immediately
- When a VPN connection is completed, the GUID for the connection is added to the top of the bind order if it does not already exist
- When a VPN connection is closed, the GUID entry for the connection is removed
- If there are multiple GUID entries for the connection, only one is removed when the connection is closed
This mechanism creates the possibility of the following workaround:
- Examine the Bind registry key
- Connect to your VPN connection
- Check the Bind key again and copy the GUID that was added to the top of the list
- Paste the GUID entry at the bottom of the list 20 times
- Export the key and clean up the exported file to only include the bind key
The result is a key that will support the desired behavior. Every time a VPN connection is established, since the GUID is present, it will not be added. Since the GUID is at the bottom, DNS resolution will be done locally to the client. When the connection is disconnected, one GUID entry will be removed. After 20 VPN connections, the exported registry file can be used to reimport the key.
Of course, you can paste the GUID more times to reduce how often you have to reimport the key.
Also important to remember to redo this procedure if there are any changes to network adapters.