DNS Resolution with ClientVPN



I have the following setup:

  • we have a Client VPN
  • there's a hosted zone as we want to have some private names resolution
  • Client VPN is configured to have DNS Server set to correct address from the VPC so that private hostnames can be resolved using the hosted zone
  • split tunnel is enabled
  • the whole setup is configured in eu-central-1
  • I use Windows 11 laptop

There are no problems with the connection to the VPC from our local computers, but it seems that DNS hostnames are always resolved by the AWS DNS server, which does not always return the addresses of the servers closest to me. So just to give you an example: I am located in Poland, and when I resolve the YouTube address without the Client VPN I get the PL server address, but with the Client VPN I get a German address. I also tried to add a second DNS server (like to the Client VPN configuration, but it doesn't change anything. Any suggestions?

2 Answers


With regards to your YouTube example, in which you resolve DNS via internal AWS forwarders, YouTube will most likely see the source as the closest egress point from AWS to the "internet". This is most likely in the Frankfurt region, so this scenario sounds accurate with how YouTube is routing you to their servers in Germany and not Poland when the request is fulfilled via your VPC DNS server.

As for what to do to address this? If no DNS server is supplied on the Client VPN, it will default to the DNS configured on the local machine. With split tunneling enabled, this should go to your local/internal non-AWS DNS server to provide hostname resolution. In this scenario, you will likely still want to be able to resolve private AWS VPC hosts. In this case I would look into using your local DNS resolver (i.e. so that YouTube provides the resolution that you want) and also use AWS Route 53 Resolver endpoints so you can resolve private AWS VPC hosts. Some links are below, hope this helps!

What is Route53 Resolver

Getting Started with Route53 Resolver

Additional Information on AWS Client VPN DNS

answered a year ago


Thanks for the answer. I do not fully understand how Route 53 Resolver can help me in this case - addresses from the hosted zone are resolved correctly at the moment, the problem is that all DNS queries are handled by the AWS DNS server, which may return non-optimal results for some of the addresses. So what I'd like to achieve is that only those private addresses are resolved by AWS, and the rest falls back to the local DNS configuration.

answered a year ago
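The split the asker describes (only the private hosted zone goes to the VPC resolver, everything else stays on the laptop's normal DNS) can be expressed on the Windows 11 client itself with a Name Resolution Policy Table (NRPT) rule. The script below is an added example, not code from either post on this thread or from AWS; it assumes a private hosted zone named `corp.example.internal` and a VPC resolver reachable at `10.0.0.2` over the Client VPN, both of which are placeholders you must replace with your own zone and resolver address. It only works as intended if the Client VPN endpoint is left without a DNS server setting, so that the VPN adapter inherits the local DNS servers as the first answer describes.

```powershell
# Added example: conditional forwarding on a Windows 11 Client VPN laptop.
# Only names under the private hosted zone are sent to the VPC resolver;
# every other query keeps using the adapter's normal (local) DNS servers.
# Run from an elevated PowerShell session (NRPT changes need admin rights).

# Placeholders (assumptions, not values from the thread): replace both.
$PrivateZone = ".corp.example.internal"   # leading dot = entire DNS suffix
$VpcResolver = "10.0.0.2"                 # VPC Route 53 resolver reachable via the tunnel

# Make the script idempotent: drop any earlier rule for the same namespace.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $PrivateZone } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }

# The actual split: queries ending in $PrivateZone go to $VpcResolver only.
Add-DnsClientNrptRule -Namespace $PrivateZone `
                      -NameServers $VpcResolver `
                      -Comment "Client VPN: private hosted zone only"

# Show the rule that is now in force.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $PrivateZone }

# Verification: the private name must be answered by the VPC resolver,
# while a public name is still answered by the local DNS path
# (and therefore returns the geographically closer address).
Resolve-DnsName -Name "app$PrivateZone" -Type A
Resolve-DnsName -Name "www.youtube.com" -Type A

# Cross-check against the VPC resolver directly, bypassing the NRPT,
# to confirm the private record is what the hosted zone serves.
Resolve-DnsName -Name "app$PrivateZone" -Type A -Server $VpcResolver
```

NRPT rules persist across reboots and apply to every adapter, so the private zone will also be sent to `10.0.0.2` while the VPN is down and simply fail to resolve until the tunnel is up; remove the rule with `Remove-DnsClientNrptRule -Name <rule name> -Force` (the name is shown by `Get-DnsClientNrptRule`) if that is not acceptable. Also keep in mind that the VPC resolver must actually be reachable through the split-tunnel routes, so the VPC CIDR that contains it has to be in the Client VPN's route table.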
