How to Resolve DNS Conflicts with VPN Solutions for Barracuda VPN and Microsoft Always On VPN

This article explains how to resolve DNS conflicts between certain VPN clients and SecureEdge web filtering. Many VPN clients, including the Barracuda NAC/VPN client for CloudGen Firewall and Microsoft Always On VPN, push DNS servers to the client machine and intercept DNS requests whose names match the DNS suffix in the VPN profile. DNS-based web filtering solutions, such as Barracuda SecureEdge, rely on the same technique to forward the DNS requests for all web traffic, so the two compete for the same queries.

The most secure solution is SecureEdge Private Access, which replaces VPN technology with a modern Zero Trust Access (ZTA/ZTNA) approach and uses a single agent for both web filtering and remote access. For more information, see Zero Trust Access. However, if you want to retain your existing VPN solution, either for a phased migration or to use SecureEdge solely for web filtering, the two solutions can coexist with minimal adjustments.

The VPN solution must use a split tunnel configuration because full tunnel solutions intercept all DNS requests.

Tested VPN Solutions with This Method

Vendor                      Solution
Barracuda NAC/VPN clients   Configure global breakout domains
Microsoft Always On VPN     Configure global breakout domains

To implement Barracuda SecureEdge Access for web filtering while retaining your existing VPN agent, follow the instructions in this article.

Step 1. SecureEdge Manager Configuration

The first step is to configure SecureEdge to ignore your internal domains. This ensures that requests for internal names, for example server1.yourdomain.local, are not handled by the SecureEdge Agent on your devices.

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. The chosen Tenant/Workspace is displayed in the top menu bar.

  3. From the drop-down menu, select the workspace your SecureEdge Access should be configured for.

  4. Go to Access > Settings.

  5. Expand the Settings menu on the left and select Enrollment.

  6. The Enrollment Settings page opens.

  7. In the Device settings section, specify a value for the following:

    • Global breakout domains – Add your local domains (e.g., Active Directory domains managed by your VPN client) as individual global breakout domains.

  8. Ensure these domains are not listed as “Forwarded domains” in Infrastructure > Settings > General.

  9. Ensure none of these domains appear as a “Network DNS suffix” in Infrastructure > Settings > Access Agent Network.

  10. If you have Internet Access or Premium Access licenses, SecureEdge can attempt to backhaul your client’s connection to your VPN server.

    • To prevent this, add your DNS server address to Security > Web Filter > Agent Breakout.

Step 2. SecureEdge Client Configuration

By default, the SecureEdge Access Agent is installed in the most secure state possible, in which SecureEdge inspects all DNS requests to prevent DNS poisoning and filter bypass. However, this conflicts with many VPN agents, which also rely on seeing DNS requests so they can steer names with certain suffixes to the name servers on the tunnel.

To allow both to coexist, adjust a flag for the SecureEdge Access Agent.

Manual Process

  1. On the SecureEdge client, run Regedit.

  2. Go to HKLM > Software > Barracuda > SecureEdge Agent.

  3. Locate the “DisableDnsRestrict” DWORD, right-click, and select Modify.

  4. Change the Value Data from 0 to 1.

  5. Click OK.

  6. Restart the machine.

Automated Process

Windows

Set the MSI property DISABLE_DNS_RESTRICT when installing the agent. Setting it to 1 disables the Agent's built-in DNS Leak Protection. Use this if other third-party VPN or web filtering software on the device also intercepts DNS. Note: Use this option cautiously because it can bypass DNS-based web filtering, allowing access to websites configured as blocked.

For more information, see https://documentation.campus.barracuda.com/wiki/spaces/SEP/pages/56262844

In addition, you can use tools like Intune to bulk update clients or apply configuration changes during agent rollout. For more information, see How to Configure Unattended Enrollment on a Windows Device Using Microsoft Intune.
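The following PowerShell script is an added example, not Barracuda's own tooling, that covers both routes described in Step 2: the manual registry change (setting the DisableDnsRestrict DWORD under the key named above) and the unattended installation with the DISABLE_DNS_RESTRICT MSI property. It also adds the check a practitioner wants after the change, namely that an internal name still resolves consistently through the default resolver path and the VPN DNS server, which confirms the breakout domain from Step 1 is in effect. The registry path and value name are taken from this article; the installer path, the test host name and the VPN DNS server address are placeholders to replace with your own values.

```powershell
# Added example (not Barracuda's script). Assumes the registry key and value
# name given in this article; "C:\Temp\SecureEdgeAgent.msi",
# "server1.yourdomain.local" and 10.0.0.10 are placeholders to replace with
# your installer path, a real internal host and your VPN DNS server.
#Requires -RunAsAdministrator

$RegPath   = 'HKLM:\SOFTWARE\Barracuda\SecureEdge Agent'
$ValueName = 'DisableDnsRestrict'

function Get-SecureEdgeDnsRestrict {
    # Returns the current DWORD value, or $null when the agent key/value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SecureEdgeDnsRestrict {
    # Manual route (Step 2, steps 1-5): set DisableDnsRestrict to 1 so the agent
    # no longer intercepts every DNS query. The key is never created here, so a
    # machine without the agent is reported rather than silently modified.
    param([ValidateSet(0, 1)][int]$Value = 1)
    if (-not (Test-Path $RegPath)) {
        throw "Registry key '$RegPath' not found; is the SecureEdge Access Agent installed?"
    }
    $before = Get-SecureEdgeDnsRestrict
    if ($before -eq $Value) {
        Write-Host "$ValueName is already $Value; nothing to do."
        return $false
    }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -Type DWord
    Write-Host "$ValueName changed from $before to $(Get-SecureEdgeDnsRestrict); restart the machine (step 6)."
    return $true
}

function Install-SecureEdgeAgentUnattended {
    # Automated route: pass the MSI property from this article on the msiexec
    # command line so the flag is set during rollout. Returns the msiexec exit
    # code (0 = success, 3010 = success but a reboot is required).
    param([Parameter(Mandatory)][string]$MsiPath)
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
    $arguments = "/i `"$MsiPath`" /qn DISABLE_DNS_RESTRICT=1"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
    return $proc.ExitCode
}

function Test-InternalNameResolution {
    # Post-change check: the internal name must resolve on the client's default
    # resolver path and give the same A records the VPN DNS server gives. A
    # failure or mismatch on the default path means the query is still being
    # handled by the agent, i.e. the breakout domain or the flag is not in effect.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$VpnDnsServer
    )
    $viaVpn = Resolve-DnsName -Name $Name -Server $VpnDnsServer -Type A -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $viaDefault = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $consistent = ($null -ne $viaDefault) -and (-not (Compare-Object @($viaVpn) @($viaDefault)))
    [pscustomobject]@{
        Name       = $Name
        ViaVpnDns  = ($viaVpn -join ',')
        ViaDefault = ($viaDefault -join ',')
        Consistent = $consistent
    }
}

# Example run on an already enrolled client (placeholders as noted above):
Set-SecureEdgeDnsRestrict -Value 1
Test-InternalNameResolution -Name 'server1.yourdomain.local' -VpnDnsServer '10.0.0.10'
# For rollout instead: Install-SecureEdgeAgentUnattended -MsiPath 'C:\Temp\SecureEdgeAgent.msi'
```

Run the check only after the restart from step 6, because the agent re-reads the flag at startup. A Consistent value of False with an empty ViaDefault column is the symptom this article is about: the agent is still answering for the internal suffix, so revisit the global breakout domains in Step 1 before touching anything else.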

 


We value your feedback.
If you have questions, suggestions, or feedback on our documentation, contact the Campus Product Documentation team.
For general product inquiries or technical support, please contact the global Barracuda Support team.