New DNS Features don't appear to work

Ok, So i’ve just tested Nrpt from a totally clean “out of the box” laptop and i can’t resolve using Nrpt Rules,

if i apply the DNS servers IP’s and suffix to the ZeroTier adapter it works as expected

Not sure what’s going on with your configuration. All is working from where I stand:

PS C:\WINDOWS\system32> get-dnsclientnrptrule

Name                             : {9C276D8D-0F2E-46AA-ABB3-8A4CD51C4290}
Version                          : 2
Namespace                        : {.dnstest.zt}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      :
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      :
Comment                          : d5e04297a1dd5aea

PS C:\WINDOWS\system32> ping www.dnstest.zt

Pinging www.dnstest.zt [] with 32 bytes of data:
Reply from bytes=32 time=106ms TTL=64
Reply from bytes=32 time=109ms TTL=64
Reply from bytes=32 time=104ms TTL=64
Reply from bytes=32 time=108ms TTL=64

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 104ms, Maximum = 109ms, Average = 106ms
PS C:\WINDOWS\system32

Hi Grant,

I think i may have found the root of the issue, since we last spoke i’ve tested on a number of machines, a mixture of OOB windows pro, home and Server 2012, 2016 and 2019

None of them were able to resolve DNS, however, that’s not to say it can’t work, i think we’re just missing a step, a step that only appears to need to be set once, so could have been set on yours a long time ago possibly as a part of another process or configuration

Please could you post the results of the following two commands as i think one of them may hold the key

Get-DnsClientNrptPolicy -Effective

This is what i see from Get-DnsClientNrptGlobal
PS C:\Windows\system32> Get-DnsClientNrptGlobal

EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback

Disable Disable Disable

And i get no results at all from Get-DnsClientNrptPolicy -Effective



Here’s what I get from those commands:

PS C:\WINDOWS\system32> Get-DnsClientNrptGlobal

EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
---------------------- ----------- -----------------------
Disable                Disable     Disable

PS C:\WINDOWS\system32> Get-DnsClientNrptPolicy -Effective

Namespace                        : .dnstest.zt
QueryPolicy                      : QueryIPv6Only
SecureNameQueryFallback          : FallbackPrivate
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      :
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     :

Hi Grant,

My “Get-DnsClientNrptGlobal” results are the same but my “Get-DnsClientNrptPolicy -Effective” result is empty

The Nrpt rules seem to be predominantly based around the windows direct access features, is this something that you currently use?

It’s clear that something in windows needs to be configured for it to use the Nrpt rules but it’s not a default setting as even an “Out of the box” OS won’t activate them, i suspect that this will be the same for a high percentage of users

In the interim i have created a small windows service that monitors and applies DNS settings directly to the adapter based on the results from a “listnetworks” command against the zerotier-cli tool but it’s an additional install which i’d prefer to avoid

If you would like to test further i’d be happy to help and can provide you access to a clean windows install to test on,



All we’re doing is using the appropriate system calls to configure the DNS for a search domain. It works out of the box on a fresh Windows install for us. I’m not sure what’s different on your end.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

I’m having the exact same issue as Chris was having here: New DNS Features don't appear to work

Get-DnsClientNrptRule shows the rule active however Get-DnsClientNrptPolicy -Effective is blank and DNS is not resolving.

Is there anything that can be done for me to help troubleshoot this issue?


Hi @dandickson,
I re-opened this thread and moved your post into it.

@zt-travis, much apreciated

@chris.salter did you get any further on troubleshooting this issue? I ran rsop and nothing jumps out at me as blocking the dns policy however it’s not working on my domain joined workstations. I am able to make it function on a sandbox system that is a clean install outside the domain.

I am using a legacy .local domain name but i have tried with other tld’s outside my own domain name and get the same behaviour.


No, i gave up asking

I just ended up creating a small windows service that reads the config of any currently connected networks and if dns is enabled applies the DNS settings directly to the adapter

I’ll be happy to post the source code if required

@chris.salter I would very much appreciate that, I was going to knock something up in Powershell and have it run on the task scheduler but if you have something already written i’d appreciate the code.

I know I can make the feature work on a fresh OOB Windows 10 Pro VM that isn’t domain joined, i’ll build out an OOB AD environment next week to see if this is an issue that relates to GPO, or if this is an issue that relates to a fundamental flaw in understanding of how DNS policies can be used in an AD environment.

@zt-grant @chris.salter

Quick update, I built a sandbox AD and workstation setup.

A fresh OOB directory with default GPO and a fresh domain joined Windows 10 20H2 workstation are working as intended, this seems to be an issue elsewhere.

I’ll try to narrow it down, is there any debug level output for the windows zerotier client?


1 Like

Nothing I can think of that would be helpful. Per ZeroTier’s view, it sets everything correctly. It’s something in windows GPOs that appears to be preventing the setting from activating, as you have shown in your test with a sandboxed AD setup.

I agree, it’s definitely not an issue with ZeroTier, I have it narrowed down to a single GPO with about 100 settings defined, i’m stepping through each setting to see which one breaks the functionality so it can be better documented.

@zt-grant @chris.salter

I’m not 100% sure, but I ran out of testing time today, I think it’s the following GPO: Computer Configuration>Administrative Templates>Network>Network Connectivity Status Indicator>Specify global DNS

It’s not enough to set it to Not Configured, in my testing I had to manually edit the Registry.pol with LGPO and remove the leftover block:

SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig


I’ll finish up testing tomorrow and update here once i’m sure.

@zt-grant @chris.salter

I confirmed the above policy causes the issue, if you unset the policy in GPO you also need to run a registry cleanup and remove the key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient



I have the same issue where I have done everything to enable DNS servers on the Zerotier side but it isn’t working. I checked our GPO and we aren’t specifying a Global DNS and I checked that registry key and it is empty.
I have the same issue where Get-DnsClientNrptPolicy - Effective returns nothing while Get-DnsClientNrptRule shows the config pushed by Zerotier.

@chris.salter I’m interested in your source code. Need a solution to this and ZeroTier doesn’t seem very interested in resolving the problem.