Why aren't my DNS queries forwarded to the DNS servers set on my Client VPN endpoint?

3 minute read

I want to know why DNS queries aren’t forwarded to the DNS servers set on my AWS Client VPN endpoint.

Short description

If you connect a client to a Client VPN endpoint with a target DNS server, then typically the queries are forwarded to that DNS server. In some cases, the DNS queries for NSLOOKUP might be forwarded to the client machine's local DNS server instead.

This behavior is because of faulty binding order in Windows (including Windows 2000/XP/7). The faulty binding causes OpenVPN clients to use the default network adapter's DNS settings rather than the VPN adapter's settings. To resolve this issue, change the binding order in Windows Registry to prefer the TAP-Windows Adapter V9.

If you're using a Windows 10 machine, then proceed to the Windows 10 command section of this article. The other methods don't apply to Windows 10.

Resolution

Modify the interface metric value for the interfaces to change the binding order. Use one of the following methods.

Modify the interface metric value using Microsoft Command Prompt or PowerShell

1. Connect to the Client VPN endpoint using the AWS Client VPN service.

2. Open Command Prompt or PowerShell in Administrator mode.

3. Run ipconfig /all to get a list of Ethernet adapters.

4. Note the Ethernet interface number with an exact description of "TAP-Windows Adapter V9".

5. Run this command:

netsh interface ipv4 set interface "Ethernet 4" metric="1"

Note: In the command, use the ethernet adapter interface number that you noted in step 4. If the command ran successfully, you receive an "Ok" code. Then, the DNS queries are forwarded to the DNS configured on the Client VPN endpoint.

Modify the interface metric value using Control Panel in Windows

1. Open Control Panel.

2. Choose Network and Internet, and then choose Network Connections.

3. Right-click the TAP-Windows Adapter V9 tap adapter.

4. Choose Properties, and then choose Internet Protocol Version 4.

5. Choose Properties, and then choose Advanced.

6. Clear the Automatic Metric box.

7. Enter 1 for Interface Metric.

8. Choose OK.

Windows 10 command

For Windows 10 machines, configure the interface metric with the Set-NetIPInterface PowerShell command:

Set-NetIPInterface -InterfaceIndex 4 -InterfaceMetric 1

InterfaceIndex is the interface number and InterfaceMetric is the metric value.

After you implement the workaround, run this command to check the preferred DNS servers:

netsh interface ip show config

Topics

Networking & Content Delivery

Relevant content

Cannot resolve host of RDS endpoint in private subnet via VPN client endpoint
Noah
asked a year ago
AWS VPN Client endpoint resolve private dns
Dopod
asked 6 months ago
AWS VPN service outage due to DNS not resolve
Accepted Answer
AWS-User-8733268
asked 2 years ago
How do you configure VPC Client VPN Endpoint DNS to resolve on internet
Accepted Answer
Brandon
asked 3 months ago
AWS VPN Client on macOS - DNS not resolving
chamath-vetstoria
asked 2 years ago
How does DNS work with my AWS Client VPN endpoint?
AWS OFFICIALUpdated 2 months ago
How do I associate a target network with a Client VPN endpoint?
AWS OFFICIALUpdated a month ago
How do I configure a Client VPN using the AWS CLI?
AWS OFFICIALUpdated 3 years ago
How do I resolve resource records in my private hosted zone using Client VPN?
AWS OFFICIALUpdated a year ago
Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?
EXPERT
Karthikiran Ilango
published 3 months ago