Why aren't my DNS queries forwarded to the DNS servers set on my Client VPN endpoint?

3 minute read

I want to know why DNS queries aren’t forwarded to the DNS servers set on my AWS Client VPN endpoint.

Short description

When you connect a client to a Client VPN endpoint with a target DNS server, Client VPN forwards queries to the target DNS server. If Client VPN forwards DNS queries to the client machine's local server instead of your Client VPN endpoint's server, then your binding order is faulty.

On machines that run Windows with faulty binding order, OpenVPN clients use the default network adapter's DNS settings instead of your VPN adapter's settings.

Resolution

Modify your interface’s interface metric value to change Windows Registry’s binding order to prefer the TAP-Windows Adapter V9 terminal access point adapter.

Note: Your interface’s interface metric property value determines Windows Registry's binding order. Lower interface metric values receive higher priority when your network selects an interface to route through.

To modify the interface metric property value, use Microsoft Command Prompt or PowerShell, or you can use the Control Panel in Windows.

Use Microsoft Command Prompt or PowerShell to modify the interface metric value

Complete the following steps:

Use the Client VPN service to connect to the Client VPN endpoint.
Open Command Prompt or PowerShell in Administrator mode.

Run ipconfig /all to get a list of adapters on your machine.
-or-
Run the following Get-NetIPInterface command:

Get-NetIPInterface -AddressFamily IPv4 |  
Sort-Object -Property InterfaceMetric |  
Format-Table -Property InterfaceIndex, InterfaceAlias, @{Label="InterfaceDescription"; Expression={(Get-NetAdapter -InterfaceIndex $_.InterfaceIndex).InterfaceDescription}}, InterfaceMetric, ConnectionState

Note the interface number that corresponds with the TAP-Windows Adapter V9 adapter.

Run the command that corresponds with your operating system (OS).
Windows 11:

netsh interface ipv4 set interface example-interface-number metric=1

Windows 10 and 11:

Set-NetIPInterface --InterfaceIndex example-interface-number --InterfaceMetric 1

Note: Replace example-interface-number with the interface number that you noted in step 3.

Run the following command to check the preferred DNS servers:

netsh interface ip show config

Use Control Panel in Windows to modify the interface metric value

Complete the following steps:

Open Control Panel.
Choose Network and Internet, and then choose Network Connections.
Right-click the TAP-Windows Adapter V9 tap adapter.
Choose Properties, and then choose Internet Protocol Version 4.
Choose Properties, and then choose Advanced.
Clear the Automatic Metric box.
Enter 1 for Interface Metric.
Choose OK.

Topics: Networking & Content Delivery
Tags: AWS Client VPN AWS Virtual Private Network (VPN)
Language: English

AWS OFFICIALUpdated 10 months ago

4 Comments

Can you replicate this in MacOS

Mark Lester Perez

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

EXPERT

AWS Official

replied 2 years ago

For Windows 10 (and 11 at this point), you should run this first to see what your interfaces are:


# This gets all IPv4 interfaces, sorts them by their InterfaceMetric value, then formats them as a table while looking up their description 
Get-NetIPInterface -AddressFamily IPv4 | 
    Sort-Object -Property InterfaceMetric | 
    Format-Table -Property InterfaceIndex, InterfaceAlias, @{Label="InterfaceDescription"; Expression={(Get-NetAdapter -InterfaceIndex $_.InterfaceIndex).InterfaceDescription}}, InterfaceMetric, ConnectionState

You should see something similar to this:

InterfaceIndex InterfaceAlias               InterfaceDescription                       InterfaceMetric ConnectionState
-------------- --------------               --------------------                       --------------- ---------------
            13 Local Area Connection        TAP-Windows Adapter V9 for OpenVPN Connect               1    Disconnected
             8 Ethernet 2                   Realtek USB GbE Family Controller                        5    Disconnected
             3 Ethernet                     Intel(R) Ethernet Connection (16) I219-LM               25       Connected
            21 Ethernet 3                   AWS VPN Client TAP-Windows Adapter V9                   25       Connected

A lower InterfaceMetric gives higher priority when selecting an interface to route through.

Jeff G

replied 2 years ago

Thank you, it worked for us on Windows 11 for AWS VPN Client v4.1.0 and v5.0.x.

Suresh Kumar Golkonda

replied a year ago

Relevant content

Forward queries to public DNS servers if Private Hosted Zone doesn't have specific record
rePost-User-2148365
asked 3 years ago
AWS VPN Client endpoint resolve private dns
Dopod
asked 3 years ago
AWS Client VPN name resolution for eks endpoint on mac
Anton
asked 6 months ago
DNS resolution for AWS VPN clients
alansilver
asked 5 years ago
DNS issues with Client VPN connection
Accepted Answer
Jason
asked 2 years ago
How does DNS work with my AWS Client VPN endpoint?
AWS OFFICIALUpdated a year ago
How do I resolve resource records in my private hosted zone using Client VPN?
AWS OFFICIALUpdated 4 years ago
How do I troubleshoot CNAME record resolution issues when I use a conditional forwarder in my Windows DNS server?
AWS OFFICIALUpdated 2 years ago
How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?
AWS OFFICIALUpdated a year ago
Securing Remote Access with AWS Client VPN Client Routes Enforcement
EXPERT
Vatsal
published 2 months ago