[client] Windows Client Uses Default DNS Server Instead of Custom DNS Configuration in Netbird #1773

Closed
opened 2025-11-20 06:06:26 -05:00 by saavagebueno · 2 comments
Owner

Originally created by @Cikaros on GitHub (Apr 3, 2025).

I am experiencing an issue where a Windows client within the Netbird environment is not respecting the custom DNS server configuration, reverting to the default DNS server instead. Here are the details of my setup and the observed behavior:

Configuration:

Custom DNS server IP: 10.10.1.100:53
Custom DNS suffix: .xxx.local
Default Netbird DNS server IP (assumed): 100.32.255.254:53
Default Netbird DNS suffix: .netbird.local
Expected Behavior:

Windows client should use the custom DNS server (10.10.1.100) for queries related to the .xxx.local namespace.
Observed Behavior:

On macOS, the custom DNS server configuration is correctly deployed and functional.
On Windows, while netbird status --detail shows the custom DNS server is configured correctly, querying via PowerShell (Get-DnsClientNrptPolicy) reveals the NameServers field lists 100.32.255.254 instead of the intended custom DNS.
PowerShell Output:

Namespace                        : .32.100.in-addr.arpa
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      : 100.32.255.254
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Namespace                        : .netbird.local
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      : 100.32.255.254
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Namespace                        : .xxx.local
QueryPolicy                      :
SecureNameQueryFallback          :
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              :
DirectAccessProxyType            : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   : False
NameServers                      : 100.32.255.254
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         : False
DnsSecValidationRequired         : False
NameEncoding                     : Utf8WithoutMapping

Originally created by @Cikaros on GitHub (Apr 3, 2025). I am experiencing an issue where a Windows client within the Netbird environment is not respecting the custom DNS server configuration, reverting to the default DNS server instead. Here are the details of my setup and the observed behavior: Configuration: Custom DNS server IP: 10.10.1.100:53 Custom DNS suffix: .xxx.local Default Netbird DNS server IP (assumed): 100.32.255.254:53 Default Netbird DNS suffix: .netbird.local Expected Behavior: Windows client should use the custom DNS server (10.10.1.100) for queries related to the .xxx.local namespace. Observed Behavior: On macOS, the custom DNS server configuration is correctly deployed and functional. On Windows, while netbird status --detail shows the custom DNS server is configured correctly, querying via PowerShell (Get-DnsClientNrptPolicy) reveals the NameServers field lists 100.32.255.254 instead of the intended custom DNS. PowerShell Output: ``` Namespace : .32.100.in-addr.arpa QueryPolicy : SecureNameQueryFallback : DirectAccessIPsecCARestriction : DirectAccessProxyName : DirectAccessDnsServers : DirectAccessEnabled : DirectAccessProxyType : NoProxy DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : False NameServers : 100.32.255.254 DnsSecIPsecCARestriction : DnsSecQueryIPsecEncryption : DnsSecQueryIPsecRequired : False DnsSecValidationRequired : False NameEncoding : Utf8WithoutMapping Namespace : .netbird.local QueryPolicy : SecureNameQueryFallback : DirectAccessIPsecCARestriction : DirectAccessProxyName : DirectAccessDnsServers : DirectAccessEnabled : DirectAccessProxyType : NoProxy DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : False NameServers : 100.32.255.254 DnsSecIPsecCARestriction : DnsSecQueryIPsecEncryption : DnsSecQueryIPsecRequired : False DnsSecValidationRequired : False NameEncoding : Utf8WithoutMapping Namespace : .xxx.local QueryPolicy : SecureNameQueryFallback : DirectAccessIPsecCARestriction : DirectAccessProxyName : DirectAccessDnsServers : DirectAccessEnabled : DirectAccessProxyType : NoProxy DirectAccessQueryIPsecEncryption : DirectAccessQueryIPsecRequired : False NameServers : 100.32.255.254 DnsSecIPsecCARestriction : DnsSecQueryIPsecEncryption : DnsSecQueryIPsecRequired : False DnsSecValidationRequired : False NameEncoding : Utf8WithoutMapping ```
saavagebueno added the questiondns labels 2025-11-20 06:06:26 -05:00
Author
Owner

@nazarewk commented on GitHub (Apr 3, 2025):

The Netbird client runs the DNS through its local DNS forwarder running on:

  • Windows & MacOS: 100.XXX.255.254 (the last available address in your /16 network),
  • Linux: the Peer's Netbird IP address directly,

This is why you are seeing 100.32.255.254 registered with the operating system.

The queries will still end up reaching to the desired nameserver. It will simply happen after passing through local DNS forwarder and possibly another Routing Peer for the Network.

@nazarewk commented on GitHub (Apr 3, 2025): The Netbird client runs the DNS through its local DNS forwarder running on: - Windows & MacOS: `100.XXX.255.254` (the last available address in your `/16` network), - Linux: the Peer's Netbird IP address directly, This is why you are seeing `100.32.255.254` registered with the operating system. The queries will still end up reaching to the desired nameserver. It will simply happen after passing through local DNS forwarder and possibly another Routing Peer for the Network.
Author
Owner

@Cikaros commented on GitHub (Apr 3, 2025):

Understood, I just discovered during the domain name resolution test using PowerShell that:
Resolve-DnsName can resolve normally
nslookup.exe cannot resolve normally, and the browser results are the same.

@Cikaros commented on GitHub (Apr 3, 2025): Understood, I just discovered during the domain name resolution test using PowerShell that: `Resolve-DnsName` can resolve normally `nslookup.exe` cannot resolve normally, and the browser results are the same.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#1773