Description: This article shows you how to configure Access Server to push DNS options for IPv6 traffic through the VPN tunnel.
Prerequisite
Ensure Access Server is configured to manage IPv6 traffic. If you haven't set this up, refer to this guide: Access Server: Enable and configure IPv6 to transport IPv6 packets through the VPN tunnel.
Configure and push IPv6 DNS Servers
Step 1: Disable pushing IPv4 DNS settings
- Sign in to the Admin Web UI.
- Click Configuration > VPN Settings.
- Under DNS Settings, select YES for Do not alter clients' DNS server settings.
- Click Save Settings and Update Running Server.
Step 2: Configure and push IPv6 DNS servers
- Click Configuration > Advanced VPN.
- In Additional OpenVPN Config Directives (Advanced) > Server Config Directives, add:
push "dhcp-option DNS 2001:db8::8888"
(This example uses an IPv6 documentation-reserved DNS server 2001:db8::8888.)
- Click Save Settings and Update Running Server.
Test the setup
- Connect a VPN client to Access Server.
- Verify the client received an IPv6 address (e.g., fd00:abcd::1 from a documentation-reserved prefix).
- Run ipconfig /all on Windows to confirm the DNS server:
PS C:\Users\Brandon> ipconfig /all

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00:abcd:1234:9c2::8002(Preferred)
   Link-local IPv6 Address . . . . . : fe80::593:ffb4:554f:5b5b%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 100728657
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-30-EC-95-90-E8-68-10-51-17
   DNS Servers . . . . . . . . . . . : 2001:db8::53
   NetBIOS over Tcpip. . . . . . . . : Enabled
✅ Here you see the DNS server 2001:db8::53 pushed to the client.
- Test the DNS resolution with nslookup:
nslookup ipv6.example.com
Output should show:
Server:  test-dns.example
Address:  2001:db8::53

Non-authoritative answer:
Name:    ipv6.example.net
Address:  2001:db8:4006:808::200e
Aliases:  ipv6.example.com
✅ The hostname ipv6.example.com resolves correctly using the IPv6 DNS server.
- Test ping to the hostname:
ping ipv6.example.com
✅ Output should show:
Pinging ipv6.example.net [2001:db8:4006:81f::200e] with 32 bytes of data:
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=29ms TTL=54
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:4006:81f::200e: bytes=1500 time=31ms TTL=54

Ping statistics for 2001:db8:4006:81f::200e:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 31ms, Average = 30ms
✅ The ping succeeds with no packet loss.
- On Access Server, confirm DNS queries with tcpdump:
tcpdump -eni any host ipv6.example.com
✅ Output should show:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:45:36.609053  In ethertype IPv6 (0x86dd), length 97: fd00:abcd:1234:9c2::8002.56206 > 2001:db8::53.53: 27466+ A? ipv6.example.com. (33)
16:45:36.609094 Out 56:a8:90:da:50:24 ethertype IPv6 (0x86dd), length 97: 2001:db8:400:d0::1.56206 > 2001:db8::53.53: 27466+ A? ipv6.example.com. (33)
16:45:36.609339  In ethertype IPv6 (0x86dd), length 97: fd00:abcd:1234:9c2::8002.55021 > 2001:db8::53.53: 38774+ AAAA? ipv6.example.com. (33)
16:45:36.609357 Out 56:a8:90:da:50:24 ethertype IPv6 (0x86dd), length 97: 2001:db8:400:d0::1.55021 > 2001:db8::53.53: 38774+ AAAA? ipv6.example.com. (33)
16:45:36.618900  In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 146: 2001:db8::53.53 > 2001:db8:400:d0::1.55021: 38774 2/0/0 CNAME ipv6.example.net., AAAA 2001:db8:4006:823::200e (82)
16:45:36.618943 Out ethertype IPv6 (0x86dd), length 146: 2001:db8::53.53 > fd00:abcd:1234:9c2::8002.55021: 38774 2/0/0 CNAME ipv6.example.net., AAAA 2001:db8:4006:823::200e (82)
✅ The DNS query and reply for ipv6.example.com are visible in the packet capture.
Push Split-DNS when using DNS Resolution Zones
Access Server supports split DNS, the principle of resolving only certain zones (domains) through a DNS server pushed by the VPN server and the rest through your already present local DNS servers.
Step 1: Disable existing DNS resolution zones
- Sign in to the Admin Web UI.
- Click Configuration > VPN Settings.
- Under DNS resolution zones (optional), remove any configured domains. (Any domains entered here will overwrite the domains we're configuring in the next step.)
- Click Save Settings and Update Running Server.
Step 2: Configure split-DNS
- Click Configuration > Advanced VPN.
- In Additional OpenVPN Config Directives (Advanced) > Server Config Directives, add:
push "dhcp-option DNS 2001:db8::8888"
push "dhcp-option DOMAIN ipv6.example.com"
- Click Save Settings and Update Running Server.
✅ In this example, the domain ipv6.example.com resolves only through 2001:db8::8888. Other domains use local DNS servers.
Verify Split-DNS
- Connect a VPN client.
- Check the adapter settings with ipconfig /all:
ipconfig /all
The output displays:
PS C:\Users\Brandon> ipconfig /all

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00:abcd:1234:9c2::8002(Preferred)
   Link-local IPv6 Address . . . . . : fe80::593:ffb4:554f:5b5b%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 100728657
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-30-EC-95-90-E8-68-10-51-17
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
✅ Here, you see the system-assigned IPv6 DNS servers (fec0::/10, reserved for site-local use) in the adapter, but OpenVPN's DNS for the configured split-DNS domain will take effect via name resolution policy.
- Check the name resolution policy with netsh namespace show effectivepolicy:
netsh namespace show effectivepolicy
The output displays:
DNS Effective Name Resolution Policy Table Settings

Settings for .ipv6.example.com
----------------------------------------------------------------------------
Generic (DNS Servers)                 : 2001:db8::53
✅ The DNS resolution policy shows that queries for ipv6.example.com are directed to the pushed IPv6 DNS server 2001:db8::53.
Note: The VPN adapter shows default local DNS servers (fec0::/10). These three IPv6 addresses are self-assigned DNS server addresses, not pushed by Access Server but automatically assigned by the operating system for link-local resolution. These won't interfere with the configured split-DNS for ipv6.example.com, which uses the policy-defined DNS server 2001:db8::53.
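To make the tcpdump check from the "Test the setup" section and the split-DNS behaviour described in this section repeatable, here is an added example that is not part of the Access Server documentation: a Python script that reads tcpdump lines in the one-line DNS decode format shown above and reports any client query that bypassed the pushed resolver or, when split-DNS zones are given, any out-of-zone name that still reached it. The sample capture is constructed; the resolver 2001:db8:ffff::1 and the names intranet.example.com and www.example.org are hypothetical.

```python
import ipaddress
import re

# Matches the one-line DNS decode that "tcpdump -eni any" prints for a query
# (replies carry "2/0/0 ..." instead of "TYPE?" and therefore do not match).
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+(?P<dir>In|Out)\b.*?length\s+\d+:\s+"
    r"(?P<src>[0-9a-fA-F:.]+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[0-9a-fA-F:.]+?)\.(?P<dport>\d+):\s+"
    r"\d+\+?(?:\s+\[[^\]]*\])?\s+(?P<qtype>AAAA|A|CNAME|PTR|MX|TXT)\?\s+(?P<name>\S+?)\.?\s+\(\d+\)"
)

# Constructed sample capture (hypothetical): two expected queries, one reply,
# one query to a resolver that was never pushed, and one out-of-zone query.
SAMPLE_CAPTURE = [
    "16:45:36.609053 In ethertype IPv6 (0x86dd), length 97: fd00:abcd:1234:9c2::8002.56206 > 2001:db8::53.53: 27466+ A? ipv6.example.com. (33)",
    "16:45:36.609094 Out 56:a8:90:da:50:24 ethertype IPv6 (0x86dd), length 97: 2001:db8:400:d0::1.56206 > 2001:db8::53.53: 27466+ A? ipv6.example.com. (33)",
    "16:45:36.609339 In ethertype IPv6 (0x86dd), length 97: fd00:abcd:1234:9c2::8002.55021 > 2001:db8::53.53: 38774+ AAAA? ipv6.example.com. (33)",
    "16:45:36.618900 In fe:00:00:00:01:01 ethertype IPv6 (0x86dd), length 146: 2001:db8::53.53 > 2001:db8:400:d0::1.55021: 38774 2/0/0 CNAME ipv6.example.net., AAAA 2001:db8:4006:823::200e (82)",
    "16:45:37.100000 In ethertype IPv6 (0x86dd), length 90: fd00:abcd:1234:9c2::8002.50123 > 2001:db8:ffff::1.53: 41001+ AAAA? intranet.example.com. (38)",
    "16:45:37.200000 In ethertype IPv6 (0x86dd), length 80: fd00:abcd:1234:9c2::8002.50124 > 2001:db8::53.53: 41002+ A? www.example.org. (33)",
]

def parse_queries(lines):
    """Return (direction, src, dst, qtype, name) for each DNS query line; replies are skipped."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["dport"] == "53":
            found.append((m["dir"], m["src"], m["dst"], m["qtype"], m["name"].lower().rstrip(".")))
    return found

def in_zone(name, zone):
    zone = zone.lower().strip(".")
    return name == zone or name.endswith("." + zone)

def find_leaks(lines, pushed_dns, split_zones=()):
    """pushed_dns is the address from push "dhcp-option DNS ...". With split_zones
    (from push "dhcp-option DOMAIN ..."), only names under those zones belong there."""
    pushed = ipaddress.ip_address(pushed_dns)
    findings = []
    for direction, src, dst, qtype, name in parse_queries(lines):
        if direction != "In":
            continue  # judge only what the client sent into the tunnel, not the forwarded copy
        if ipaddress.ip_address(dst) != pushed:
            findings.append(f"{name} {qtype} from {src} went to {dst}, not the pushed resolver {pushed}")
        elif split_zones and not any(in_zone(name, z) for z in split_zones):
            findings.append(f"{name} {qtype} reached {pushed} but is outside the split-DNS zones")
    return findings
```

Call find_leaks(SAMPLE_CAPTURE, "2001:db8::53") for the full-DNS case, or pass split_zones=["ipv6.example.com"] to also flag names that should have stayed with the local resolvers; an empty list means every client query went where the pushed configuration says it should.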
Push a default domain suffix for IPv6
Access Server supports setting a default suffix so Windows clients can resolve host names to fully qualified domain names (FQDN). This feature is helpful for a network using a Windows Domain or Active Directory server.
For IPv6 domains, follow the steps below.
Step 1: Disable existing default domain suffix
- Sign in to the Admin Web UI.
- Click Configuration > VPN Settings.
- Under Default Domain Suffix (optional), remove any existing suffix. Any suffix configured there will overwrite the suffix we configure in the next step for names resolved by our IPv6 DNS server.
- Click Save Settings and Update Running Server.
Step 2: Configure a default domain suffix
- Click Configuration > Advanced VPN.
- In Additional OpenVPN Config Directives (Advanced) > Server Config Directives, add:
push "dhcp-option DNS 2001:db8::8888"
push "dhcp-option ADAPTER_DOMAIN_SUFFIX example.com"
- Click Save Settings and Update Running Server.
Verify the default domain suffix
- Connect a VPN client.
- Check the adapter settings with ipconfig /all:
ipconfig /all
The output displays:
PS C:\Users\Brandon> ipconfig /all

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.com
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : AA-BB-CC-DD-EE-FF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00:abcd:1234:9c2::8002(Preferred)
   Link-local IPv6 Address . . . . . : fe80::593:ffb4:554f:5b5b%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.0.2.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 100728657
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-30-EC-95-90-E8-68-10-51-17
   DNS Servers . . . . . . . . . . . : 2001:db8::53
   NetBIOS over Tcpip. . . . . . . . : Enabled
✅ Here, you can see that the Connection-specific DNS Suffix is example.com, pushed from Access Server.
- Test name resolution with a short hostname using ping; Windows automatically appends the DNS domain suffix, completing it as ipv6.example.com:
ping ipv6
The output displays:
Pinging ipv6.example.com [2001:db8:1234:5678::200e] with 32 bytes of data:
Reply from 2001:db8:1234:5678::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:1234:5678::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:1234:5678::200e: bytes=1500 time=29ms TTL=54
Reply from 2001:db8:1234:5678::200e: bytes=1500 time=30ms TTL=54
Reply from 2001:db8:1234:5678::200e: bytes=1500 time=31ms TTL=54

Ping statistics for 2001:db8:1234:5678::200e:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 31ms, Average = 30ms
✅ This confirms that the DNS suffix was successfully applied, allowing you to use short hostnames with automatic completion to fully qualified domain names.
If you have additional questions, please submit a ticket.