New DNS Features don't appear to work

No, i gave up asking

I just ended up creating a small windows service that reads the config of any currently connected networks and if dns is enabled applies the DNS settings directly to the adapter

I’ll be happy to post the source code if required

@chris.salter I would very much appreciate that, I was going to knock something up in Powershell and have it run on the task scheduler but if you have something already written i’d appreciate the code.

I know I can make the feature work on a fresh OOB Windows 10 Pro VM that isn’t domain joined, i’ll build out an OOB AD environment next week to see if this is an issue that relates to GPO, or if this is an issue that relates to a fundamental flaw in understanding of how DNS policies can be used in an AD environment.

@zt-grant @chris.salter

Quick update, I built a sandbox AD and workstation setup.

A fresh OOB directory with default GPO and a fresh domain joined Windows 10 20H2 workstation are working as intended, this seems to be an issue elsewhere.

I’ll try to narrow it down, is there any debug level output for the windows zerotier client?


1 Like

Nothing I can think of that would be helpful. Per ZeroTier’s view, it sets everything correctly. It’s something in windows GPOs that appears to be preventing the setting from activating, as you have shown in your test with a sandboxed AD setup.

I agree, it’s definitely not an issue with ZeroTier, I have it narrowed down to a single GPO with about 100 settings defined, i’m stepping through each setting to see which one breaks the functionality so it can be better documented.

@zt-grant @chris.salter

I’m not 100% sure, but I ran out of testing time today, I think it’s the following GPO: Computer Configuration>Administrative Templates>Network>Network Connectivity Status Indicator>Specify global DNS

It’s not enough to set it to Not Configured, in my testing I had to manually edit the Registry.pol with LGPO and remove the leftover block:

SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig


I’ll finish up testing tomorrow and update here once i’m sure.

@zt-grant @chris.salter

I confirmed the above policy causes the issue, if you unset the policy in GPO you also need to run a registry cleanup and remove the key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient



I have the same issue where I have done everything to enable DNS servers on the Zerotier side but it isn’t working. I checked our GPO and we aren’t specifying a Global DNS and I checked that registry key and it is empty.
I have the same issue where Get-DnsClientNrptPolicy - Effective returns nothing while Get-DnsClientNrptRule shows the config pushed by Zerotier.

@chris.salter I’m interested in your source code. Need a solution to this and ZeroTier doesn’t seem very interested in resolving the problem.


got this note from another user:

That is true it does show the NRPT but does not become Effective. I found the solution by adding a GPO that pushes the NRPT to the machines that I use ZeroTier with and resolved the problem. Apparently, Windows 10 Pro and above doesn’t allow NRPT to become effective in a domain and must have a GPO to apply the configuration.

I have the same issue: Local NRPT rules don’t work when the machine in question is domain-joined. This article mentions the same problem. I didn’t find any documentation from Microsoft that confirms this behavior. But this is a show stopper for me as a significant number of our users have domain-joined machines.

I wonder if the use of NRPT rules is the best option for Windows? Why not simply configure a DNS server on the virtual ethernet interface - that’s what MS does for remote access connections as well and seems to work better.

All, I’ve found a way around this, although it’s a bit hacky and may cause issues down the line. It confirms @zt-travis note in post 30.

If your machines are all domain joined, you can push a NRPT rule via GPO. Go to Computer Config → Policies → Windows Settings → Name Resolution Policy.

We set our up for our ad domain suffix (ad.domain.tld), the prefix of our servers (SHF-SRV) and the subnet our servers sit on (192.168.99.*). So far I’ve applied it to all laptops, irrespective of whether it has ZT installed or not, and not seen any issues but YMMV.

1 Like

can’t resolve DNS names, at least by default, but I don’t know the details.
Do flow rules matter too?

but it´s no option to create GPO, or am i missing something.
if the device is (for example) not connected via zerotier and outside our organization (for example free wifi), it would try to use our internal nameservers, isn´t it?

Hi Chris,
I have the same problem with DNS resolution when the clients are domain members.
Can you help me and send me your source code?

Kind regards

This also does not work for me on a Windows 11 machine that is not even on a domain.
If I do the FQDN, it works fine but if I try to ping only the hostname, it doesn’t. It does on a Mac and Linux, though.


Same with Windows 11, some new solutions about this ?

By enforcing the NRPT rule via GPO, it works as expected for Windows 11 Pro clients which was my main issue.

I would just need to remember I have such a GPO the day I’ll migrate servers and change dns resolution… :sweat_smile: