Windows OS Interface Automatic Metric Feature and DNS Resolver Selection
The Automatic Metric feature in the Windows operating system assigns a cost to each route associated with a network interface. The metric is derived from link characteristics such as link speed, number of hops or time delays.
The Automatic Metric feature should be taken into account wherever specific DNS resolvers must be used for specific locations, network interfaces or VPN connections.
Scenario 1
Organization 1 has a hybrid working mode for its employees and allows them to work from offices or from home. The standard device issue is a Windows 11 Enterprise machine. Both wired and wireless connection options are available in the offices. Employees need to connect to the organization VPN to access certain internal network resources while working from home.
Organization 1 has set up dc1.org1.internal as the main DNS resolver. This works well for employee devices in the office, as the configuration is tied to the network settings for that location. Organization 1 however requires employees' devices working from home to also use the internal DNS resolver while connected through the VPN connection.
The Automatic Metric feature can complicate this requirement because of how the operating system chooses which interface, and therefore which DNS resolver, to send requests through. With Automatic Metric in its default mode, the network and DNS configuration of a device used by an employee working from home could look like the table below.
Interface | Automatic Metric | DNS Resolver |
---|---|---|
Wired | 15 | dns.isp.com |
Wireless | 20 | dns.isp.com |
VPN | 25 | dc1.org1.internal |
The operating system will prioritize the DNS resolver attached to the Wired interface because it has the lowest calculated metric (lower is better).
To force the use of the intended resolver, the organization's IT administrators need to either manually set the Wired and Wireless interface metrics higher than the VPN's, or change the VPN interface metric to a low number.
Interface | Manual Metric | DNS Resolver |
---|---|---|
Wired | 15 | dns.isp.com |
Wireless | 20 | dns.isp.com |
VPN | 5 | dc1.org1.internal |
This configuration will then allow the DNS resolver attached to the VPN interface configuration to be utilized instead.
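The adjustment described above, as an added example that is not part of the original article: it lists each connected IPv4 interface with its metric and bound DNS servers, pins the VPN adapter below the LAN adapters with Set-NetIPInterface, and checks the result. The adapter alias "VPN" is an assumption, and the session must be elevated.

```powershell
# Added example (not from the original article): inspect interface metrics and the
# DNS servers bound to each interface, then pin the VPN interface below the LAN adapters.
# Assumptions: the VPN adapter's alias is "VPN"; run from an elevated PowerShell session.

function Get-InterfaceDnsMetric {
    # One row per connected IPv4 interface: metric, automatic/manual, and DNS servers.
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        ForEach-Object {
            $dns = Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                Interface       = $_.InterfaceAlias
                Metric          = $_.InterfaceMetric
                AutomaticMetric = $_.AutomaticMetric
                DnsServers      = ($dns.ServerAddresses -join ', ')
            }
        } | Sort-Object Metric
}

$vpnAlias = 'VPN'   # assumed alias of the VPN adapter

Write-Host 'Before:'
Get-InterfaceDnsMetric | Format-Table -AutoSize

# Disable Automatic Metric on the VPN adapter and give it a metric lower than
# the wired (15) and wireless (20) adapters from the article's table.
Set-NetIPInterface -InterfaceAlias $vpnAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 5

Write-Host 'After:'
Get-InterfaceDnsMetric | Format-Table -AutoSize

# Confirm the VPN now has the lowest metric, then resolve an internal name;
# the query should be answered by the resolver bound to the VPN interface.
$lowest = Get-InterfaceDnsMetric | Select-Object -First 1
if ($lowest.Interface -ne $vpnAlias) {
    Write-Warning "Lowest-metric interface is '$($lowest.Interface)', not '$vpnAlias'"
}
Resolve-DnsName -Name dc1.org1.internal -Type A -ErrorAction Stop
```

The same change can be verified outside PowerShell with `route print`, where the VPN interface should appear with the lowest metric in the Interface List.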
Notes:
- Certain VPN providers or setups already adjust the connection metric to support this intended workflow; where they do not, the metric is an additional item to check when troubleshooting resolution problems.
- Certain organizations deploy separate on-device DNS-related resolvers, SASE or Secure Web Gateway clients. These are an added consideration in determining how particular internal or external entries are handled.
References
Automatic Metric for IPv4 Routes - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/automatic-metric-for-ipv4-routes