# DNS & VPN Performance Issues

## Problem Description

DNS resolution is fast on the LAN but extremely slow over the WireGuard VPN.

## Root Causes

### 1. Incorrect AD DNS Design

Wrong configuration:

- DCs pointing to each other as primary DNS
- Root Hints enabled alongside Forwarders
- Result: circular dependencies causing delays

Correct configuration:

```powershell
# Each DC points to itself
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1

# Forwarders only on the Forest Root DC
# Child DC has no external forwarders
```

### 2. DNS Egress Blocked

The Server VLAN is blocked from the Internet, but the DNS forwarders need to reach external DNS.

Solution: allow DNS egress from the Forest Root DC only:

- Rule: `FW_ALLOW_ZRH-DC-ZRH-01_DNS_EGRESS`
- Source: 10.30.30.10
- Destination: 1.1.1.1, 8.8.8.8
- Port: 53
- Position: BEFORE the block rule

### 3. Root Hints Interference

Root Hints are enabled, causing fallback delays when the forwarders are slow or unreachable.

Solution:

```powershell
# Remove all root hints and stop the server from falling back to them
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
Set-DnsServerForwarder -UseRootHint $false
```
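To verify that a DC actually matches the design from the three sections above, the following audit script (added here, not part of the original page) checks the loopback DNS client setting, the forwarder placement, the root-hint state, and times one forwarded lookup. It assumes the interface alias "Ethernet", that the forest root DC's hostname is `ZRH-DC-ZRH-01` (inferred from the firewall rule name), and a 1000 ms threshold for "slow"; adjust the parameters as needed and run it elevated on each DC.

```powershell
# Added audit script (not from the original page): compares a DC's DNS
# configuration against the design above and reports deviations.
param(
    [string]$InterfaceAlias = "Ethernet",          # assumption: NIC alias used on the DCs
    [string]$ForestRootDC   = "ZRH-DC-ZRH-01",     # assumption: inferred from the firewall rule name
    [int]$SlowThresholdMs   = 1000                 # assumption: what counts as a slow forwarded lookup
)

$findings     = @()
$isForestRoot = $env:COMPUTERNAME -ieq $ForestRootDC

# 1. Each DC must point to itself (loopback), not to another DC
$clientDns = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
if ($clientDns -notcontains '127.0.0.1') {
    $findings += "DNS client on '$InterfaceAlias' does not point to 127.0.0.1 (found: $($clientDns -join ', '))"
}

# 2. Forwarders only on the forest root DC; child DCs must have none
$fwd = Get-DnsServerForwarder
if ($isForestRoot -and $fwd.IPAddress.Count -eq 0) {
    $findings += "Forest root DC has no external forwarders configured"
}
if (-not $isForestRoot -and $fwd.IPAddress.Count -gt 0) {
    $findings += "Child DC has external forwarders: $($fwd.IPAddress -join ', ')"
}

# 3. Root hints must be removed and the root-hint fallback disabled
if ($fwd.UseRootHint) { $findings += "UseRootHint is still enabled" }
$rootHints = Get-DnsServerRootHint
if ($rootHints.Count -gt 0) { $findings += "$($rootHints.Count) root hint(s) still present" }

# 4. Time one forwarded lookup so VPN-side slowness shows up as a number
$ms = (Measure-Command {
    Resolve-DnsName -Name example.com -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue
}).TotalMilliseconds
if ($ms -gt $SlowThresholdMs) {
    $findings += ("Forwarded lookup took {0:N0} ms (threshold {1} ms)" -f $ms, $SlowThresholdMs)
}

if ($findings.Count -eq 0) { "OK: DNS configuration on $env:COMPUTERNAME matches the design" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once on the LAN and once from a VPN-connected client's perspective (pointing `Resolve-DnsName` at the DC's address instead of loopback) to confirm that the slowness is in the forwarding path rather than the tunnel itself.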