Fix DNS resolution in WSL2

fix-wsl2-dns-resolution.md

Permanent WSL DNS Fix (WSL 2.2.1+)

If you're encountering ping github.com failing inside WSL with a Temporary failure in name resolution, you're not alone — this has been a long-standing issue, especially when using VPNs or corporate networks.

This issue is now fixed robustly with DNS tunneling, which preserves dynamic DNS behavior and avoids limitations like WSL’s former hard cap of 3 DNS servers in /etc/resolv.conf.

DNS tunneling is enabled by default in WSL version 2.2.1 and later, meaning that if you're still seeing DNS resolution issues, the first and most effective fix is simply to upgrade WSL. Upgrading WSL updates the WSL platform itself, but does not affect your installed Linux distributions, apps, or files.

To upgrade WSL, follow these steps,

# Run all of the following in a Windows terminal (PowerShell, Command Prompt, etc.)

# 1. Check your current WSL version
wsl --version

# 2. Close all open *WSL windows* — any Linux terminals running via WSL (Ubuntu, Debian, etc.)

# 3. Shut down the WSL subsystem
wsl --shutdown

# 4. Upgrade WSL
wsl --upgrade

# 5. Verify the upgrade was successful (version should now be >= 2.2.1)
wsl --version

# 6. Open your WSL terminal and test
ping github.com

# 🎉 If it works, drop a comment on this Gist and tell us how happy you are.

If needed, explicitly enable tunneling by creating (source):

# C:\Users\<YourUsername>\.wslconfig
[wsl2]
dnsTunneling=true

That’s it. No more messing with /etc/resolv.conf. No more weird hacks!

---

🧟 Previous Workarounds (for WSL < 2.2.1 or locked-down systems)

Preserved for historical transparency and for users unable to upgrade WSL.

# In WSL
cd /etc
echo "[network]" | sudo tee wsl.conf
echo "generateResolvConf = false" | sudo tee -a wsl.conf

# Back in Windows
wsl --terminate <DistroName>  # or use wsl --shutdown

# Back in WSL
sudo rm -f /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

If you're using a VPN like Cisco AnyConnect:

Get-NetAdapter | Where-Object { $_.InterfaceDescription -Match "Cisco AnyConnect" } | Set-NetIPInterface -InterfaceMetric 6000

---

🙌 Credit & Sources

Big thanks to,

• @ThePlenkov/(comment) — the first to publicly document the DNS tunneling fix in .wslconfig (WSL 2.2.1+)
• @skudbucket — for confirming and spreading awareness
• @MartinCaccia, @yukosgiti, @machuu, @AlbesK — for documenting earlier workarounds
• GitHub Issue #4277
• GitHub Issue #4246
• Legacy fix from #4285
• WSL DNS Tunneling Docs
• WSL Config Docs
• WSL 2.2.1 Release Notes

---

If you're still using manual resolv.conf hacks in 2024+, you're solving a problem that's already been solved.

Using WSL 2, after:

* Adding `generateResolvConf = false` in `/etc/wsl.conf`.

* Shutdown WSL by issuing `wsl --shutdown`

* Unlink resolv.conf `unlink /etc/resolv.conf`

I was able to create /etc/resolv.conf and add nameserver 8.8.8.8. There was no need for a firewall rule in Windows or the use of chattr +i in my case.

I had to repeat all this weird behavior, due a Windows 11 update and I couldn't make any updates again. So with your information about only using unlink /etc/resolv.conf doesn't work att all, because after you close and reopen the distro, the /etc/resolv.conf doesn't exist anymore. Also the command wsl --shutdown doesn't make sense because it will close the distro and when you reopen the /etc/resolv.conf is already deleted. So, only with the sudo chattr -f +i /etc/resolv.conf prevents it from been deleted. Done this to all of my distros and all is working well.
chattr +i is useful for protection from accidental deletion by root. Also an immutable file cannot be renamed or moved from one directory to another.
For the chattr -f see this my comment https://gist.github.com/coltenkrauter/608cfe02319ce60facd76373249b8ca6?permalink_comment_id=4466805#gistcomment-4466805

Using WSL 2, after:

* Adding `generateResolvConf = false` in `/etc/wsl.conf`.

* Shutdown WSL by issuing `wsl --shutdown`

* Unlink resolv.conf `unlink /etc/resolv.conf`

I was able to create /etc/resolv.conf and add nameserver 8.8.8.8. There was no need for a firewall rule in Windows or the use of chattr +i in my case.

I had to repeat all this weird behavior, due a Windows 11 update and I couldn't make any updates again. So with your information about only using unlink /etc/resolv.conf doesn't work att all, because after you close and reopen the distro, the /etc/resolv.conf doesn't exist anymore. Also the command wsl --shutdown doesn't make sense because it will close the distro and when you reopen the /etc/resolv.conf is already deleted. So, only with the sudo chattr -f +i /etc/resolv.conf prevents it from been deleted. Done this to all of my distros and all is working well. chattr +i is useful for protection from accidental deletion by root. Also an immutable file cannot be renamed or moved from one directory to another. For the chattr -f see this my comment https://gist.github.com/coltenkrauter/608cfe02319ce60facd76373249b8ca6?permalink_comment_id=4466805#gistcomment-4466805

I should've mentioned I am running Windows 10. My bad!

resolv.conf worked for me but after 10s DNS stops working again. I'm so confused

resolv.conf worked for me but after 10s DNS stops working again. I'm so confused

Please describe all the steps you did.

Thankyou
More recent resolution worked for me.

thank you,More recent resolution worked for me.

You are the best after 2 hours searching for a solution. you solve it in simple way thank you

DNS on WSL2 STILL JUST BREAKS: CLOSING THOUSANDS OF BUG REPORTS ON THIS 10 YEAR OLD BUG (WHICH IS NOT FIXED) IS WEIRD!

I have implemented that hard coded DNS solution (above) and it is a lot better, but WSL2 still looses it's DNS even if you disconnect briefly and reconnect your IPsec VPN. Once that happens still have to reboot. (I am running WSL2 on top end Dell laptop with up-to-date bios and Windows 10.)

When running ordinary applications under Windows or on a Linux PC, any disconnection of the network and reconnection allows all applications to reconnect to the network no problem; not so with WSL! When running WSL, DNS resolution is lost even with a brief disconnection or the lease time on the network driver laps and reconnects, after that you can’t connect or even ping devices unless you reboot!

Even with millions of complaints, and thousands of bug reports, this bug has been persistent for almost a decade and NOT FEXED IN JULY 2023! This is so serious many developers avoid all Docker development under WSL and Windows. When Windows programmers write Linux network code, what could possibly go wrong?

WSL team members even close bug reports rather than combine the data from thousands of similar reports. When reports are closed so that others can’t comment the geniuses have magically fixed the major bug right? NOT! The use of Docker Desktop makes it 100 times worse, but fortunately Docker Desktop is NOT Docker and many people run WSL2 without Docker Desktop.

Damn, I was following this instruction but somehow I broke my wsl.
My ~ folder has changed and I can't find my files. It seems it is now logging in as a root user, i don't think it was doing that before

Damn, I was following this instruction but somehow I broke my wsl. My ~ folder has changed and I can't find my files. It seems it is now logging in as a root user, i don't think it was doing that before

I fixed it!

Just enter: ubuntu config --default-user YOUR_USERNAME

The user was still there! It was just logging in always as root now for some reason.

Here is my solution for this problem. Basically I have accumulated everything mentioned above:
https://gist.github.com/ThePlenkov/6ecf2a43e2b3898e8cd4986d277b5ecf

• script removes all nameservers in /etc/resolv.conf and replaces them with actual IPs from powershell

sudo sed -i '/nameserver/d' /etc/resolv.conf
powershell.exe -Command '(Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | ForEach-Object { "nameserver $_" }' | tr -d '\r' | sudo tee -a /etc/resolv.conf > /dev/null

• script is configured as a boot command which is available in Win 11. If it's applicable for you - it helps a lot

@ThePlenkov That worked for me, thanks!

@ThePlenkov Superb. Great instruction, efficient solution!

@ThePlenkov

Excellent, thanks so much.

That's all you need:

echo -e "[network]\ngenerateResolvConf = false\n" | sudo tee /etc/wsl.conf
echo -e "nameserver 8.8.8.8\n" | sudo tee /etc/resolv.conf

No reboots, no restarts, no line-by-line appending, no messing with non-existent Cisco AnyConnect interfaces. Just those two lines and you're good to go.

Again, this is Linux, not Windows. You don't need to reboot/restart just because you changed your nameserver...

Thanks, this answer is really clean and on point.

Thanks for the help. This worked for me.

BILLION DOLLAR MICROSOFT WSL BUG FIXED AFTER 13 YEARS = WSL DNS Network Failure with VPNs resulted in A TOTAL REWRITE OF WSL2 by October 2023 - PING FAILED IN WSL

Expect this WSL2 broken DNS related issues (above) to be fixed from October 2023.
N.B. Now you have to change all your WSL Linux Network configs to match the totally new design.
Eventually fixed mentioned here

• FIXED - very good notes by Craig Loewen

Why be so angry? When I said it cost MICROSOFT BILLIONS over 13 years you laughed at me. I was right - TOTALLY VINDICATED - THIS BUG STUNG THEIR BIGGEST CUSTOMERS THE MOST SO THAT WSL WAS REJECTED! The extent to which WSL was rejected by ALL the biggest companies is staggering! Hell they all used VPNs and Docker! Thousands of the SAME bug reports GOT CLOSED BY GENIUSES that can't fix the bug or bother to reproduce it and FALSELY CLAIM "UNABLE TO REPRODUCE". The bug was there for 13 years breaking WSL1 and Microsoft biggest customers who use compulsory VPNs which broke WSL2 networking DNS and a primary symptom was Ping failures.

• This bug occurred RANDOMLY because WSL2 Network/Subnet settings WERE DELIBERATLY RANDOM - RIGHT IN THE DESIGN! NO JOKE!
• Most bugs are fixed by minor upgrades but this bug was fully rooted in the design, they had to rip WSL NETWORK GARBAGE CODE out and start over!
• The bug was TOTALLY IGNORED BY GENEUSES FOR OVER A DECADE! GENIUSES KEPT ON AND ON CLOSING BUG REPORTS!
• I started to realise that this bug revealed MONSTER SECURITY HOLES IN WSL NETOWRKS making it totally insecure. NOW THEY DID NOT IGNORE ME, STOPPED RIDICULING ME!
• So in 2023 they rewrote the hole of WSL2 Network configuration which was more than a mess: it was a pile ...

ORIGINAL SYMPTOMS of WSL2 Networks Breaking with VPNs RANDOMLY WORKING

ROOT CAUSE - BECAUSE WSL1 & WSL2 RANDOMLY SELECT SUBNETS, SO THE CORPORATIONS VPN (firewall) REJECTS SOME OF THEM - RANOMLY - NOT THE CORPORATIONS FAULT!

DNS on WSL2 WITH VPNs JUST BREAKS: CLOSING THOUSANDS OF BUG REPORTS ON THIS 10 YEAR OLD BUG (WHICH IS NOT FIXED FOR SUCH A LONG TIME) IS WEIRD!

Some 20 solutions claim to work but the root cause of why the bug keeps getting closed and then reopened is that WSL2 network WORKS RANDOMLY - THIS IS BY DESIGN BECAUSE WSL2 RANDOMLY SELECTS A SUBNET!!!!!!!!!!!!!!!! thus WSL2 still looses it's DNS even if you disconnect briefly and reconnect your IPsec VPN ( RANDOM SUBNET IS CHOSEN ). Once the wrong random subnet is REJECTED by the corporations VPN you still have to reboot. (I am running WSL2 on top end Dell laptop with up-to-date bios and Windows 10.)

When running ordinary applications under Windows or on a Linux PC, any disconnection of the network and reconnection allows all applications to reconnect to the network no problem; not so with WSL! When running WSL, DNS resolution is lost even with a brief disconnection or the lease time on the network driver laps and reconnects, after that you can’t connect or even ping devices unless you reboot!

Even with millions of complaints, and thousands of bug reports, this bug has been persistent for almost a decade and NOT FEXED IN JULY 2023! This is so serious many developers avoid all Docker development under WSL and Windows. When Windows programmers write Linux network code, what could possibly go wrong?

WSL team members even close bug reports rather than combine the data from thousands of similar reports. When reports are closed so that others can’t comment the geniuses have magically fixed the major bug right? NOT! The use of Docker Desktop makes it 100 times worse, but fortunately Docker Desktop is NOT Docker and many people run WSL2 without Docker Desktop.

@KonanTheLibrarian this solution works in WSL2 with vpn very smoothly (especially on win11). https://gist.github.com/ThePlenkov/6ecf2a43e2b3898e8cd4986d277b5ecf

But in general I share your frustration. I'd also prefer if generateResolvConf is fixed by taking the right DNS, also including VPN connections.

You might also want to add dns key into docker json config (worked for me)

It works!!!
Just follow the 1~13 steps

The provided steps worked great, thank-you! I utilized Google’s DNS (8.8.8.8/8.8.4.4) and the fix worked like a charm. 🤘

The "More recent resolution" worked.
Didn't run step 13 though.

For the benefits WSL provide, what a mess this issue is... Thank for the solution.

I like this approach.

Makes /root/resolv.conf.sh executable using wsl.conf boot command
Deletes the /etc/resolv.conf file on start-up
Runs the script /etc/resolv.conf.sh and populated with DNS servers from the script.
Change the servers as desired: DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8")
Outputs a log file to /root/resolv.conf.log

vi /etc/wsl.conf

[boot]
command = /bin/bash chmod +x /root/resolv.conf.sh; /bin/bash /root/resolv.conf.sh > /root/resolv.conf.log 2>&1
systemd=true

[network]
generateResolvConf = false

vi /root/resolv.conf.sh

#!/bin/bash

# Specify the DNS servers
DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8")

# Log file path
LOG_FILE="/root/resolv.conf.log"

# Delete the existing /etc/resolv.conf
sudo rm /etc/resolv.conf

# Create or update the /etc/resolv.conf file
for server in "${DNS_SERVERS[@]}"; do
    echo "nameserver $server" | sudo tee -a /etc/resolv.conf
done

# Log the changes to the specified log file
echo "DNS servers updated: $(date)" | sudo tee -a "$LOG_FILE"

I like this approach.

Makes /root/resolv.conf.sh executable using wsl.conf boot command Deletes the /etc/resolv.conf file on start-up Runs the script /etc/resolv.conf.sh and populated with DNS servers from the script. Change the servers as desired: DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8") Outputs a log file to /root/resolv.conf.log

vi /etc/wsl.conf

[boot]
command = /bin/bash chmod +x /root/resolv.conf.sh; /bin/bash /root/resolv.conf.sh > /root/resolv.conf.log 2>&1
systemd=true

vi /boot/resolv.conf.sh

#!/bin/bash

# Specify the DNS servers
DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8")

# Log file path
LOG_FILE="/root/resolv.conf.log"

# Delete the existing /etc/resolv.conf
sudo rm /etc/resolv.conf

# Create or update the /etc/resolv.conf file
for server in "${DNS_SERVERS[@]}"; do
    echo "nameserver $server" | sudo tee -a /etc/resolv.conf
done

# Log the changes to the specified log file
echo "DNS servers updated: $(date)" | sudo tee -a "$LOG_FILE"

Works great! Just a typo in the path of the script /boot/resolv.conf.sh should be /root/resolv.conf.sh, right?

Yes /root - Good Catch, TY. I have fixed my response.

…

On Sat, Jan 6, 2024, 5:54 PM Samuel Andrés ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ I like this approach. Makes /root/resolv.conf.sh executable using wsl.conf boot command Deletes the /etc/resolv.conf file on start-up Runs the script /etc/resolv.conf.sh and populated with DNS servers from the script. Change the servers as desired: DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8") Outputs a log file to /root/resolv.conf.log vi /etc/wsl.conf [boot] command = /bin/bash chmod +x /root/resolv.conf.sh; /bin/bash /root/resolv.conf.sh > /root/resolv.conf.log 2>&1 systemd=true vi /boot/resolv.conf.sh #!/bin/bash # Specify the DNS servers DNS_SERVERS=("9.9.9.9" "1.1.1.1" "8.8.8.8") # Log file path LOG_FILE="/root/resolv.conf.log" # Delete the existing /etc/resolv.conf sudo rm /etc/resolv.conf # Create or update the /etc/resolv.conf file for server in "${DNS_SERVERS[@]}"; do echo "nameserver $server" | sudo tee -a /etc/resolv.conf done # Log the changes to the specified log file echo "DNS servers updated: $(date)" | sudo tee -a "$LOG_FILE" Works great! Just a typo in the path of the script /boot/resolv.conf.sh should be /root/resolv.conf.sh, right? — Reply to this email directly, view it on GitHub <https://gist.github.com/coltenkrauter/608cfe02319ce60facd76373249b8ca6#gistcomment-4820557> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BCVOZIZNS7TQPT4PBQOZY23YNHPZZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQOJSGYYTONNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

What is this solution to? I am switching back to windows+WSL after abandoning it (due to various networking nags), and I remember from a few years ago that I had to toggle this resolv.conf between public DNS servers and corporate DNS server when the windows host is off VPN.

@bayeslearner
The solution from @teeesss fixes the issue of failing DNS because of conflicts with the IP directions randomly assigned and instead using public DNS. Just make sure to have this in /etc/wsl.conf:

[network]
generateResolvConf = false

Here is my solution for this problem. Basically I have accumulated everything mentioned above: https://gist.github.com/ThePlenkov/6ecf2a43e2b3898e8cd4986d277b5ecf

• script removes all nameservers in /etc/resolv.conf and replaces them with actual IPs from powershell

sudo sed -i '/nameserver/d' /etc/resolv.conf
powershell.exe -Command '(Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | ForEach-Object { "nameserver $_" }' | tr -d '\r' | sudo tee -a /etc/resolv.conf > /dev/null

• script is configured as a boot command which is available in Win 11. If it's applicable for you - it helps a lot

This works for me! Thank you so much!

Here is my solution for this problem. Basically I have accumulated everything mentioned above: https://gist.github.com/ThePlenkov/6ecf2a43e2b3898e8cd4986d277b5ecf

• script removes all nameservers in /etc/resolv.conf and replaces them with actual IPs from powershell

sudo sed -i '/nameserver/d' /etc/resolv.conf
powershell.exe -Command '(Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | ForEach-Object { "nameserver $_" }' | tr -d '\r' | sudo tee -a /etc/resolv.conf > /dev/null

• script is configured as a boot command which is available in Win 11. If it's applicable for you - it helps a lot

thanks it worked for me

Didn't work like a charm. Thank so much