Fix DNS resolution in WSL2

fix-wsl2-dns-resolution.md

Permanent WSL DNS Fix (WSL 2.2.1+)

If you're encountering ping github.com failing inside WSL with a Temporary failure in name resolution, you're not alone — this has been a long-standing issue, especially when using VPNs or corporate networks.

This issue is now fixed robustly with DNS tunneling, which preserves dynamic DNS behavior and avoids limitations like WSL’s former hard cap of 3 DNS servers in /etc/resolv.conf.

DNS tunneling is enabled by default in WSL version 2.2.1 and later, meaning that if you're still seeing DNS resolution issues, the first and most effective fix is simply to upgrade WSL. Upgrading WSL updates the WSL platform itself, but does not affect your installed Linux distributions, apps, or files.

To upgrade WSL, follow these steps,

# Run all of the following in a Windows terminal (PowerShell, Command Prompt, etc.)

# 1. Check your current WSL version
wsl --version

# 2. Close all open *WSL windows* — any Linux terminals running via WSL (Ubuntu, Debian, etc.)

# 3. Shut down the WSL subsystem
wsl --shutdown

# 4. Upgrade WSL
wsl --upgrade

# 5. Verify the upgrade was successful (version should now be >= 2.2.1)
wsl --version

# 6. Open your WSL terminal and test
ping github.com

# 🎉 If it works, drop a comment on this Gist and tell us how happy you are.

If needed, explicitly enable tunneling by creating (source):

# C:\Users\<YourUsername>\.wslconfig
[wsl2]
dnsTunneling=true

That’s it. No more messing with /etc/resolv.conf. No more weird hacks!

---

🧟 Previous Workarounds (for WSL < 2.2.1 or locked-down systems)

Preserved for historical transparency and for users unable to upgrade WSL.

# In WSL
cd /etc
echo "[network]" | sudo tee wsl.conf
echo "generateResolvConf = false" | sudo tee -a wsl.conf

# Back in Windows
wsl --terminate <DistroName>  # or use wsl --shutdown

# Back in WSL
sudo rm -f /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

If you're using a VPN like Cisco AnyConnect:

Get-NetAdapter | Where-Object { $_.InterfaceDescription -Match "Cisco AnyConnect" } | Set-NetIPInterface -InterfaceMetric 6000

---

🙌 Credit & Sources

Big thanks to,

• @ThePlenkov/(comment) — the first to publicly document the DNS tunneling fix in .wslconfig (WSL 2.2.1+)
• @skudbucket — for confirming and spreading awareness
• @MartinCaccia, @yukosgiti, @machuu, @AlbesK — for documenting earlier workarounds
• GitHub Issue #4277
• GitHub Issue #4246
• Legacy fix from #4285
• WSL DNS Tunneling Docs
• WSL Config Docs
• WSL 2.2.1 Release Notes

---

If you're still using manual resolv.conf hacks in 2024+, you're solving a problem that's already been solved.

+1 Thanks for sharing !

@ten0s 4.4.4.4 is not Google DNS. Correct ones are 8.8.8.8 8.8.4.4

The Boot setting works for me.👍

The solution doesn't work for me.
But when I switch to WSL1, DNS is working well.
Does anyone have a solution?

boot setting given by jonshipmannwmg above works for me in Windows 11. Also, works to manually recreate /etc/resolv.conf each time you boot if you don't do the [boot]. Not sure about windows 10.

Based on this gist I created this simple code:

https://github.com/epomatti/wsl2-dns-fix-config

Thank you very much.
I love WSL2, but it still has so many annoying issues. Worked for Ubuntu-22.04

Based on this gist I created this simple code:

thnks!!!, this works for me, I downloaded the code manually and after run this DNS works in WSL 2 Ubuntu-18.04 Win11

@gustavo-lara-molina nice! happy to help

Based on this gist I created this simple code:

https://github.com/epomatti/wsl2-dns-fix-config

My Environment:

• Corporate environment (remote VPN).
• Windows 10 host
• WSL2
• Ubuntu 22.04 LTS

Steps:

1. Added the following to /etc/wsl.conf.

[network]
generateResolvConf = false

2. Backed up then deleted /etc/resolv.conf.
3. Created a new /etc/resolv.confusing the DNS servers from my VPN connection.
4. Ran: chattr +i /etc/resolv.conf (Using the last line from run.sh script in the gist above.)

I've restarted WSL several times and my changes are persisting.

This original solution worked perfectly. Before, the only solution seemed to be recreating .ssh keys on every startup, which doesn't make sense, but it had worked twice. Hopefully, this solution will be persistent across reboots. Thank you!

I should say, the main place I noticed the error was trying to push commits. I just finished the last step and went to push and it worked flawlessly.

1. Find out nameserver with windows powershell (during VPN Session and without) using nslookup
2. USe sudo touch /etc/wsl.conf and sudo vim /etc/wsl.conf to add:

[network]                                                                        
generateResolvConf = false

3. Restart wsl (Windows powershell) using wsl --shutdown
4. Open WSL and remove using rm -f /etc/resolv.conf
5. Add new file sudo touch /etc/resolv.conf and sudo vim /etc/resolv.conf with:

nameserver X.X.X.X

nameserver Y.Y.Y.Y

6. Restart wsl (Windows powershell) using wsl --shutdown
7. Open WSL and remove using wget google.com and test some you corporate domain.

6. Restart wsl (Windows powershell) using wsl --shutdown
7. Open WSL and remove using wget google.com and test some you corporate domain.

Is there a special reason for the final reboot?

Setting the nameserver works without reboot thus the steps 6 and 7 are usually not required.

Yes, original solution worked for me to. Thanks :)

DNS resolution is getting fixed after upgrade to Windows 11, before that it won't work well

Modified script that worked for me.

sudo touch /etc/resolv.conf
chmod 777 /etc/resolv.conf
printf 'nameserver 8.8.8.8\nnameserver 4.4.4.4' > /etc/resolv.conf

@ghenadiibatalski I recently did a fresh install of everything on Windows 11 with WSL2 and ubuntu 22, no such luck. It has the same issues as I had on Windows 10.

The [boot] command works well, though I modified it a bit to include the bridge IP that is potentially recreated during WSL restarts. After adding this bit into /etc/wsl.conf, exit wsl and restart it by using wsl --shutdown in a terminal. Re-open your wsl instance afterward, and it will have generated the updated /etc/resolv.conf file with the combined nameservers.

[boot]
    command = "printf \"nameserver 1.1.1.1\n$(cat /etc/resolv.conf)\nnameserver 8.8.8.8\nnameserver 1.0.0.1\n\" > /etc/resolv.conf"

When the resolv.conf is recreated during wsl2 boot, it has the bridge IP in it as the nameserver, and I wanted to retain that for other reasons. Feel free to move $(cat /etc/resolv.conf) around based on your needs. In my case, I only need one main, working DNS toward the top of the list so that things like brew and terraform can work properly.

Others who have several other DNS configs for VPN adapters, etc., may need those auto generated settings as well.

Description of how it works

1. A subprocess reads the contents of the newly created file at boot, which has the bridge IP in it by default. $(cat /etc/resolv.conf)
2. The printf command injects the result of that after the first nameserver, and before the other two (configure as needed)
3. The value to print is surrounded with double quotes, so that variable substitution can happen. These are already in double quotes due to command = "<full command>", so they are escaped: \"
4. The results of what is printed are written back to /etc/resolv.conf.

Update 2023-08-09

I just realized I had the command writing to resolve.conf, not resolv.conf like I had in bullet point 4, above. I updated the script to use the correct file name resolv.conf.

Due to this comment being buried by newer comments, I've moved it to a separate gist here: https://gist.github.com/ps2goat/f885ad790178ed9e8012b0681a0ef61d

As this is the first that comes up on google when searching "wsl dns server not working" I'd like to add the solution described here: microsoft/WSL#5256 (comment)
It was the problem for me -> vEthernet blocked by windows defender

Awesome, thanks for sharing.
I am no longer using WSL2 – please let me know if you'd like me to update the gist or add any comments that might help others out.

[boot]
command = "printf 'nameserver 8.8.8.8\nnameserver 4.4.4.4' > /etc/resolve.conf"

This worked for me on Windows 11

Add this to the /etc/wsl.conf file:

[boot]
command = "printf 'nameserver 8.8.8.8\nnameserver 4.4.4.4' > /etc/resolve.conf"

This worked for me on Windows 11

The solution proposed works but I prefere to leave the resolv.conf self generated and add a rule to firewall.
Using powershell:
New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

To get the InterfaceAlias use ipconfig /all

Original resolution worked for on Windows 11

The solution proposed works but I prefere to leave the resolv.conf self generated and add a rule to firewall. Using powershell: New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

To get the InterfaceAlias use ipconfig /all

This worked for me

The solution proposed works but I prefere to leave the resolv.conf self generated and add a rule to firewall. Using powershell: New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

To get the InterfaceAlias use ipconfig /all

Another vote for this one! This method is necessary if you have local DNS rules that you want to share with WSL - if you change the nameserver to an external DNS like 8.8.8.8, it will bypass your local DNS entirely. By using the Windows network interface as a nameserver, WSL will share the local DNS with Windows.

The solution proposed works but I prefere to leave the resolv.conf self generated and add a rule to firewall. Using powershell: New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

To get the InterfaceAlias use ipconfig /all

Worked for internet domains, but not for intranet when connected into VPN. Does anyone know why?

The solution proposed works but I prefere to leave the resolv.conf self generated and add a rule to firewall. Using powershell: New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

To get the InterfaceAlias use ipconfig /all

Thist work for me for internet and internal corporate names over VPN. But you have to use FQDNs inside WSL2 because the distribution does not know a dns search domain.

The "recent solution" worked for me, thanks!

Is there any way to automate that? Now I need to run Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000 every time I connect VPN. Thanks for helping.

Is there any way to automate that? Now I need to run Get-NetAdapter | Where-Object {$_.InterfaceDescription -Match "Cisco AnyConnect"} | Set-NetIPInterface -InterfaceMetric 6000 every time I connect VPN. Thanks for helping.

see this https://gist.github.com/pyther/b7c03579a5ea55fe431561b502ec1ba8