
Tutorial: Configure DNS Settings in Access Server

Abstract

Configure DNS settings in OpenVPN Access Server, including DNS proxy modes, DNS servers, split DNS (resolution zones), and how DNS interacts with domain-based routing.

Overview

The Domain Name System (DNS) translates domain names into IP addresses so clients can connect to resources. In Access Server, DNS settings determine how connected VPN clients resolve domain names and which DNS servers they use.

Access Server can:

  • Use the same DNS servers as the host system.

  • Push specific DNS servers to VPN clients.

  • Leave client DNS settings unchanged.

Access Server also supports advanced configurations such as a default domain suffix and split DNS (resolution zones), and it integrates with domain routing, where DNS responses control how traffic is routed through the VPN.

Prerequisites

  • Access Server installed and running

  • Access to the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

    • The Access Rules tab displays.

  3. Click the Internet Access and DNS tab.

  4. Under DNS Server Proxy, select one of the following:

    • Auto: (Default) Uses DNS proxy only when domain-based access rules are active; otherwise, queries go directly to configured DNS servers.

    • Always: Forces all DNS queries through Access Server.

    • Never: Disables DNS proxy, any domain-based routing rules, and pushing DNS servers to the client (only available in split-tunnel mode).

  5. Click Save and Restart.

Note

In full tunnel mode, DNS servers are always pushed to clients to help prevent DNS leaks.

  1. In the DNS Servers section, select how DNS servers are assigned:

    • Enable Use detected DNS servers to use the Access Server host's DNS settings.

    • Or specify custom DNS server IP addresses.

  2. Click Save and Restart.

What this does

These DNS servers resolve client DNS queries, either directly or via the DNS proxy, depending on the selected mode.

  1. In Default Domain Suffix, enter a domain (for example, company.local).

  2. Click Save and Restart.

What this does

This setting helps Windows clients resolve short hostnames to fully qualified domain names (FQDNs).

For example, with openvpn.com as the domain suffix, accessing awspc3 resolves to awspc3.openvpn.com.

Important

Split DNS requires split tunnel mode to be enabled, and on Access Server 3.1.0 and newer the following conditions must also be met:

  • DNS Server Proxy is set to Auto, and

  • No domain routing rules are applied to the user.

If the user has domain routing rules (at the global, group, or user level), Access Server doesn't push DNS zones to the client.

  1. In DNS Resolution Zones, click Add another DNS resolution zone.

  2. Enter the domain (for example, internal.company.com).

  3. Click Save and Restart.

What this does

Split DNS ensures that only the specified domains are resolved using the DNS servers configured in the DNS Servers section, while all other domains use the default DNS behavior.

Tip

Some clients (such as Windows) may only respect the first domain listed.
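The rules above (DNS Server Proxy mode, tunnel mode, domain routing rules, the default domain suffix and the resolution zones) as an added Python model for checking a configuration before saving it; this is illustrative code, not Access Server's own. The zone list is constructed, and whether Auto/Always push DNS servers in split-tunnel mode is an assumption rather than something the page states.

```python
from dataclasses import dataclass

ZONES = ("internal.company.com", "corp.example")  # constructed sample resolution zones
DEFAULT_SUFFIX = "openvpn.com"                      # domain suffix example from the page


@dataclass(frozen=True)
class DnsPush:
    proxy_active: bool      # client queries go through the Access Server DNS engine
    push_dns_servers: bool  # configured DNS servers are pushed to the client
    push_zones: bool        # split-DNS resolution zones are pushed to the client


def dns_push_policy(proxy_mode: str, split_tunnel: bool, domain_rules: bool) -> DnsPush:
    """What a 3.1.0+ server pushes for one user.

    proxy_mode is the DNS Server Proxy setting ("auto", "always", "never");
    domain_rules is True if domain routing rules apply to the user at any level.
    """
    mode = proxy_mode.lower()
    if mode not in ("auto", "always", "never"):
        raise ValueError(f"unknown DNS Server Proxy mode: {proxy_mode}")
    if mode == "never":
        if not split_tunnel:  # Never is only offered in split-tunnel mode
            raise ValueError("DNS Server Proxy 'Never' requires split tunnel")
        return DnsPush(proxy_active=False, push_dns_servers=False, push_zones=False)
    proxy_active = mode == "always" or domain_rules  # Auto: proxy only with domain rules
    # Full tunnel always pushes DNS servers; ASSUMPTION: Auto/Always also push in split tunnel
    push_zones = split_tunnel and mode == "auto" and not domain_rules
    return DnsPush(proxy_active, True, push_zones)


def qualify(name: str, suffix: str = DEFAULT_SUFFIX) -> str:
    """Apply the default domain suffix to a short hostname (awspc3 -> awspc3.openvpn.com)."""
    name = name.rstrip(".")
    return name if "." in name else f"{name}.{suffix}"


def resolver_for(name: str, zones=ZONES) -> str:
    """'vpn' if a split-DNS zone covers the name (whole-label suffix match), else 'local'."""
    labels = qualify(name).lower().split(".")
    for zone in zones:
        zl = zone.lower().rstrip(".").split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return "vpn"
    return "local"
```

The whole-label match matters: a name such as evil-internal.company.com must not be sent to the internal resolvers just because it ends in the zone string.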

Access Server 3.1.0 introduces built-in domain-based routing using a DNS engine. This allows you to route traffic by domain name without redirecting all traffic or maintaining large lists of IP addresses for content delivery networks (CDNs).

Here's how it works:

  • VPN clients use the Access Server's internal DNS engine.

  • Specific domains are resolved to private IPs reserved for routing through the VPN tunnel.

  • Access Server then uses nftables to NAT that traffic to the actual destination.

  • You can define domains to route (or exclude from routing) on a global, group, or per-user basis.

This allows you to route traffic by domain name without requiring full-tunnel routing.

Example

Route traffic for a SaaS application (such as salesforce.com) through the VPN while allowing other traffic to go directly to the internet.

Note

Changes to DNS or domain routing settings may require users to reconnect.

Next steps

For configuring domain-based routing rules and advanced DNS proxy behavior, see: