Why aren't my DNS queries forwarded to the DNS servers set on my Client VPN endpoint?

I want to know why DNS queries aren’t forwarded to the DNS servers set on my AWS Client VPN endpoint.

Short description

If you connect a client to a Client VPN endpoint with a target DNS server, then typically the queries are forwarded to that DNS server. In some cases, the DNS queries for NSLOOKUP might be forwarded to the client machine's local DNS server instead.

This behavior is caused by a faulty binding order in Windows (including Windows 2000/XP/7). Because of the faulty binding, OpenVPN clients use the default network adapter's DNS settings rather than the VPN adapter's settings. To resolve this issue, change the binding order in Windows Registry to prefer the TAP-Windows Adapter V9.

If you're using a Windows 10 machine, then proceed to the Windows 10 command section of this article. The other methods don't apply to Windows 10.


Modify the interface metric value for the interfaces to change the binding order. Use one of the following methods.

Modify the interface metric value using Microsoft Command Prompt or PowerShell

1.    Connect to the Client VPN endpoint using the AWS Client VPN service.

2.    Open Command Prompt or PowerShell in Administrator mode.

3.    Run ipconfig /all to get a list of Ethernet adapters.

4.    Note the Ethernet interface number with an exact description of "TAP-Windows Adapter V9".

5.    Run this command:

netsh interface ipv4 set interface "Ethernet 4" metric="1"

Note: In the command, use the Ethernet adapter interface number that you noted in step 4. If the command runs successfully, you receive an "Ok" code. Then, the DNS queries are forwarded to the DNS servers configured on the Client VPN endpoint.

Modify the interface metric value using Control Panel in Windows

1.    Open Control Panel.

2.    Choose Network and Internet, and then choose Network Connections.

3.    Right-click the TAP-Windows Adapter V9 tap adapter.

4.    Choose Properties, and then choose Internet Protocol Version 4.

5.    Choose Properties, and then choose Advanced.

6.    Clear the Automatic Metric box.

7.    Enter 1 for Interface Metric.

8.    Choose OK.

Windows 10 command

For Windows 10 machines, configure the interface metric with the Set-NetIPInterface PowerShell command:

Set-NetIPInterface -InterfaceIndex 4 -InterfaceMetric 1

InterfaceIndex is the interface number and InterfaceMetric is the metric value.

After you implement the workaround, run this command to check the preferred DNS servers:

netsh interface ip show config
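
The steps above as one PowerShell script, added here as an example and not AWS's own code: it finds the adapter by its description instead of a hard-coded index, sets the IPv4 metric, and reports which interface's DNS servers now rank first. It assumes Windows 10 or later, an elevated session, an active Client VPN connection, and an adapter description that begins with "TAP-Windows Adapter V9".

```powershell
# Added example, not AWS code. Assumes Windows 10+, an elevated session, and an
# active Client VPN connection. $description is the adapter name from the article.
$description = 'TAP-Windows Adapter V9'

# Find the connected VPN adapter by description instead of hard-coding an index.
# The wildcard also matches numbered duplicates such as "... V9 #2".
$found = @(Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like "$description*" -and $_.Status -eq 'Up' })
if ($found.Count -ne 1) {
    throw "Expected one connected '$description' adapter, found $($found.Count)."
}
$vpn = $found[0]

# Record the current IPv4 metric so the change can be reverted later.
$before = Get-NetIPInterface -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4
Write-Output "Before: $($vpn.Name) (index $($vpn.ifIndex)) metric=$($before.InterfaceMetric) automatic=$($before.AutomaticMetric)"

# Same change as the article's commands, limited to IPv4 like the netsh form.
# -AutomaticMetric Disabled mirrors clearing the Automatic Metric box.
Set-NetIPInterface -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 1

# List connected IPv4 interfaces by metric together with their DNS servers.
$report = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Alias  = $_.InterfaceAlias
            Index  = $_.InterfaceIndex
            Metric = $_.InterfaceMetric
            Dns    = $dns -join ', '
        }
    }
$report | Format-Table -AutoSize

# The lowest-metric interface that has DNS servers should be the VPN adapter.
$first = $report | Where-Object { $_.Dns } | Select-Object -First 1
if ($first.Index -eq $vpn.ifIndex) {
    Write-Output "OK: '$($first.Alias)' ranks first; its DNS servers are $($first.Dns)."
} else {
    Write-Warning "'$($first.Alias)' still outranks the VPN adapter; queries may go to $($first.Dns)."
}
# To revert: Set-NetIPInterface -InterfaceIndex <index> -AddressFamily IPv4 -AutomaticMetric Enabled
```

Compare the DNS servers printed for the VPN adapter with the ones set on the Client VPN endpoint; a warning means another interface still has an equal or lower metric.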

AWS OFFICIAL | Updated 2 months ago