Fix DNS resolution in WSL2

fix-wsl2-dns-resolution.md

Permanent WSL DNS Fix (WSL 2.2.1+)

If you're encountering ping github.com failing inside WSL with a Temporary failure in name resolution, you're not alone — this has been a long-standing issue, especially when using VPNs or corporate networks.

This issue is now fixed robustly with DNS tunneling, which preserves dynamic DNS behavior and avoids limitations like WSL’s former hard cap of 3 DNS servers in /etc/resolv.conf.

DNS tunneling is enabled by default in WSL version 2.2.1 and later, meaning that if you're still seeing DNS resolution issues, the first and most effective fix is simply to upgrade WSL. Upgrading WSL updates the WSL platform itself, but does not affect your installed Linux distributions, apps, or files.

To upgrade WSL, follow these steps,

# Run all of the following in a Windows terminal (PowerShell, Command Prompt, etc.)

# 1. Check your current WSL version
wsl --version

# 2. Close all open *WSL windows* — any Linux terminals running via WSL (Ubuntu, Debian, etc.)

# 3. Shut down the WSL subsystem
wsl --shutdown

# 4. Upgrade WSL
wsl --upgrade

# 5. Verify the upgrade was successful (version should now be >= 2.2.1)
wsl --version

# 6. Open your WSL terminal and test
ping github.com

# 🎉 If it works, drop a comment on this Gist and tell us how happy you are.

If needed, explicitly enable tunneling by creating (source):

# C:\Users\<YourUsername>\.wslconfig
[wsl2]
dnsTunneling=true

That’s it. No more messing with /etc/resolv.conf. No more weird hacks!

---

🧟 Previous Workarounds (for WSL < 2.2.1 or locked-down systems)

Preserved for historical transparency and for users unable to upgrade WSL.

# In WSL
cd /etc
echo "[network]" | sudo tee wsl.conf
echo "generateResolvConf = false" | sudo tee -a wsl.conf

# Back in Windows
wsl --terminate <DistroName>  # or use wsl --shutdown

# Back in WSL
sudo rm -f /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee -a /etc/resolv.conf
sudo chattr +i /etc/resolv.conf

If you're using a VPN like Cisco AnyConnect:

Get-NetAdapter | Where-Object { $_.InterfaceDescription -Match "Cisco AnyConnect" } | Set-NetIPInterface -InterfaceMetric 6000

---

🙌 Credit & Sources

Big thanks to,

• @ThePlenkov/(comment) — the first to publicly document the DNS tunneling fix in .wslconfig (WSL 2.2.1+)
• @skudbucket — for confirming and spreading awareness
• @MartinCaccia, @yukosgiti, @machuu, @AlbesK — for documenting earlier workarounds
• GitHub Issue #4277
• GitHub Issue #4246
• Legacy fix from #4285
• WSL DNS Tunneling Docs
• WSL Config Docs
• WSL 2.2.1 Release Notes

---

If you're still using manual resolv.conf hacks in 2024+, you're solving a problem that's already been solved.

@skudbucket @ThePlenkov — I have updated this gist to reflect the DNS tunneling fix in 2.2.1+. Clear upgrade steps, legacy hacks moved down. Followed your phrasing with some tweaks. Thanks for raising the bar here. Let me know if you'd like any adjustments.

@skudbucket @ThePlenkov — I have updated this gist to reflect the DNS tunneling fix in 2.2.1+. Clear upgrade steps, legacy hacks moved down. Followed your phrasing with some tweaks. Thanks for raising the bar here. Let me know if you'd like any adjustments.

Thanks for updating it @coltenkrauter ! My only nit is that it might be helpful to some people to be explicit that the commands should be run in a Windows terminal, not a WSL/Linux terminal - probably obvious to many, especially if they understand what the commands do/how the fix works, but especially for people who are a bit out of their depth I imagine it could save them some headache. Overall looks great though, and I appreciate you taking the time to provide this Gist which even before the updates was very helpful

@skudbucket @ThePlenkov — I have updated this gist to reflect the DNS tunneling fix in 2.2.1+. Clear upgrade steps, legacy hacks moved down. Followed your phrasing with some tweaks. Thanks for raising the bar here. Let me know if you'd like any adjustments.

Thanks for updating it @coltenkrauter ! My only nit is that it might be helpful to some people to be explicit that the commands should be run in a Windows terminal, not a WSL/Linux terminal - probably obvious to many, especially if they understand what the commands do/how the fix works, but especially for people who are a bit out of their depth I imagine it could save them some headache. Overall looks great though, and I appreciate you taking the time to provide this Gist which even before the updates was very helpful

Good call – just updated. Look better? Any other thoughts?

Good call – just updated. Look better? Any other thoughts?

Looks great!

If you're deleting resolv.conf, then you can't get WSL IP address in Windows,
which is good thing for connecting to "vcxsrv" gui

What is strange in my situation, is that
ping github.com works well,
but sudo apt-get update can't resolve domain addresses

My workaround file # C:\Users\<YourUsername>\.wslconfig
looks like this

[experimental]
autoMemoryReclaim=gradual  # gradual | dropcache | disabled
networkingMode=NAT         # mirrored | NAT | None 
dnsTunneling=true
firewall=true
autoProxy=true
[wsl2]
guiApplications=false     #https://forum.xfce.org/viewtopic.php?id=16906

If you're deleting resolv.conf, then you can't get WSL IP address in Windows, which is good thing for connecting to "vcxsrv" gui

What is strange in my situation, is that ping github.com works well, but sudo apt-get update can't resolve domain addresses

My workaround file # C:\Users\<YourUsername>\.wslconfig looks like this

[experimental]
autoMemoryReclaim=gradual  # gradual | dropcache | disabled
networkingMode=NAT         # mirrored | NAT | None 
dnsTunneling=true
firewall=true
autoProxy=true
[wsl2]
guiApplications=false     #https://forum.xfce.org/viewtopic.php?id=16906

running VPN？

If you're deleting resolv.conf, then you can't get WSL IP address in Windows, which is good thing for connecting to "vcxsrv" gui
What is strange in my situation, is that ping github.com works well, but sudo apt-get update can't resolve domain addresses
My workaround file # C:\Users\<YourUsername>\.wslconfig looks like this

[experimental]
autoMemoryReclaim=gradual  # gradual | dropcache | disabled
networkingMode=NAT         # mirrored | NAT | None 
dnsTunneling=true
firewall=true
autoProxy=true
[wsl2]
guiApplications=false     #https://forum.xfce.org/viewtopic.php?id=16906

running VPN？

Yes, I have to run OpenVPN-based VPN in host system.

May be I okay with idea to add WSL machine to exclusions,
but I don't know how to do it

If you're deleting resolv.conf, then you can't get WSL IP address in Windows, which is good thing for connecting to "vcxsrv" gui
What is strange in my situation, is that ping github.com works well, but sudo apt-get update can't resolve domain addresses
My workaround file # C:\Users\<YourUsername>\.wslconfig looks like this

[experimental]
autoMemoryReclaim=gradual  # gradual | dropcache | disabled
networkingMode=NAT         # mirrored | NAT | None 
dnsTunneling=true
firewall=true
autoProxy=true
[wsl2]
guiApplications=false     #https://forum.xfce.org/viewtopic.php?id=16906

running VPN？

Yes, I have to run OpenVPN-based VPN in host system.

May be I okay with idea to add WSL machine to exclusions, but I don't know how to do it

networkingMode ,try mirrored

If you're deleting resolv.conf, then you can't get WSL IP address in Windows, which is good thing for connecting to "vcxsrv" gui
What is strange in my situation, is that ping github.com works well, but sudo apt-get update can't resolve domain addresses
My workaround file # C:\Users\<YourUsername>\.wslconfig looks like this

[experimental]
autoMemoryReclaim=gradual  # gradual | dropcache | disabled
networkingMode=NAT         # mirrored | NAT | None 
dnsTunneling=true
firewall=true
autoProxy=true
[wsl2]
guiApplications=false     #https://forum.xfce.org/viewtopic.php?id=16906

running VPN？

Yes, I have to run OpenVPN-based VPN in host system.
May be I okay with idea to add WSL machine to exclusions, but I don't know how to do it

networkingMode ,try mirrored

Mirrored networking mode is not supported, falling back to NAT. Windows version 19045. 5073 doesn't have required components.

My CMD is showing Microsoft Windows [Version 10.0.19045.5073]