I upgraded the firmware on my 2860 a few months back and found that DNS requests were being blocked when connected as Remote Dial-in VPN (L2TP) users.

I can ping the DNS server, but any DNS requests are blocked. There is no such problem from a computer on the server's network.

I have upgraded the firmware to the latest version but it didn't help. I added a firewall rule to explicitly allow TCP/UDP port 53 through and to log to syslog but no DNS requests over VPN are logged.

Has anything changed in the recent firmware releases that could have caused this? Is there a change in the default firewall settings that I need to change?

I just tried this on my 2860n running 3.8.9.3_VT3

Connected from a laptop running Windows 10 Pro to my Huwaei P9's Wifi hotspot. Then used Draytek's SmartVPN Client (5.0.0) to establish an L2TP/IPsec VPN from laptop to Vigor, via mobile network.

Everything worked as expected.

Assuming your problem clients are PCs ...

Could it be the PC's firewall? ... it might categorise the VPN differently to a normal LAN connection (i.e. the HOME/WORK/PUBLIC setting, that pops up when you least expect it)

what happens if you invoke 'nslookup' and query (for example) 'news.bbc.co.uk.' ?

The only issue I had with the SmartVPN from a Windows client was that even if "Use default gateway on remote network" was selected I found DNS requests would not go down the VPN. The answer for me was to manually enter an "Interface metric" for the DraytekVPN of lower numeric value (higher priority) than the default WifI/Ethernet adapter.

I'm not actually using the SmartVPN Client, I'm using the built-in Windows 10 VPN to establish an L2TP/IPsec connection.

I know the problem is firmware related because I once downgraded the firmware and the problem went away. When I upgraded again, the problem returned.

I'll do some nslookup tests and post the results.