Why aren't my DNS queries forwarded to the DNS servers set on my Client VPN endpoint?

Short description

While your client is connected to a Client VPN endpoint with target DNS servers configured, you might notice that DNS queries for NSLOOKUP are forwarded to the client machine’s local DNS server. These queries aren't forwarded as expected to the DNS servers configured on the endpoint. This behavior is due to a faulty binding order in Windows (including Windows 2000/XP/7). The faulty binding causes OpenVPN clients to use the default network adapter’s DNS settings rather than the VPN adapter’s settings. To resolve this issue, change the binding order in Windows Registry to prefer the TAP-Windows Adapter V9.

Resolution

Change the binding order by modifying the interface metric value for the interfaces. You can modify the interface metric using the AWS Command Line Interface (AWS CLI) or Control Panel in Windows.

Modify the interface metric value using the AWS CLI

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

1.    Connect to the Client VPN endpoint using the AWS Client VPN service.

2.    Open Command Prompt or PowerShell in Administrator mode.

3.    Run ipconfig /all to get a list of Ethernet adapters.

4.    Note the Ethernet interface number with an exact description of "TAP-Windows Adapter V9".

5.    Run the following command:

netsh interface ipv4 set interface "Ethernet 4" metric="1"

Note: Be sure to use the appropriate Ethernet adapter interface number while executing the previous command.

After running the command, you receive an "Ok" code that indicates a successful implementation. If you run NSLOOKUPs now, you can see that the DNS queries are forwarded to the DNS servers configured on the Client VPN endpoint.

Modify the interface metric value using Control Panel in Windows

1.    Open Control Panel.

2.    Choose Network and Internet, and then choose Network Connections.

3.    Right-click the TAP-Windows Adapter V9 tap adapter.

4.    Choose Properties, and then choose Internet Protocol Version 4.

5.    Choose Properties, and then choose Advanced.

6.    Clear the Automatic Metric box.

7.    Enter 1 for Interface Metric.

8.    Choose OK.

Important: The previous two methods apply only to Windows 2000/XP/7 systems. For Windows 10 machines, configure the interface metric using the Set-NetIPInterface PowerShell command.

Set-NetIPInterface -InterfaceIndex 4 -InterfaceMetric 1

"InterfaceIndex" is the interface number and "InterfaceMetric" denotes the metric value.

After implementing the workaround, run the following command to check the preferred DNS servers:

netsh interface ip show config