DNS resolution not working for Windows VMs in VMware Cloud on AWS when VM IP is statically assigned
Article ID: 320371

Products

VMware Cloud on AWS

Issue/Introduction

Symptoms:
  • This issue can be observed with Windows VMs in VMware Cloud on AWS that have their IP address statically/manually assigned and their DNS server IP pointed at the Compute Gateway DNS Proxy (169.254.3.1) or directly at your own DNS server.
  • DNS name resolution does not work for these VMs.
  • The same issue can affect a Windows DNS server running in VMware Cloud on AWS when its IP is statically/manually assigned. This causes DNS resolution to fail for ALL VMs in VMware Cloud on AWS that use the Compute Gateway DNS Proxy (which is handed out by DHCP when the logical network has DHCP enabled), because the DNS server cannot send its answers back to the Compute Gateway DNS Proxy at 169.254.3.1.


Cause

The Compute Gateway uses an IP address from the APIPA (link-local) range, 169.254.3.1, and this IP acts as a DNS proxy for workload VMs when a DNS server is configured on the Compute Gateway.
Windows guest VMs do not send traffic for APIPA addresses (169.254.x.x) to the default gateway; Windows treats the 169.254.0.0/16 range as link-local and on-link. That means that when the VM attempts to send traffic to 169.254.3.1, the packets are not forwarded to the gateway and never reach the DNS proxy.
This works for VMs that receive their IP from DHCP, because the Compute Gateway includes a static route for 169.254.3.1 in the DHCP lease (as a DHCP static-route option), so the Windows VM knows how to route the traffic. When the VM is configured manually (not using DHCP), this static route does not exist.

Resolution

This is a known issue affecting VMware Cloud on AWS and currently there is no resolution. Refer to the Workaround section below for more details.

Workaround:
To work around this issue, a persistent static route must be manually created so the Windows VM knows how to route traffic to the Compute Gateway DNS Proxy. The same route is required on a statically addressed Windows DNS server VM, so that it can answer queries forwarded by the DNS proxy.
  1. From an elevated command prompt in the guest VM, add a persistent static route using the following command:
     route add 169.254.3.1 mask 255.255.255.255 <default GW IP> -p
  2. <default GW IP> is the gateway IP of the network in which the VM resides (the VM's configured default gateway), not the DNS proxy address.
           e.g. If the VM resides in the 192.168.1.0/24 network with gateway 192.168.1.1, the command will look like the below:
     route add 169.254.3.1 mask 255.255.255.255 192.168.1.1 -p
  3. Verify that the route is present with "route print 169.254.*" and that resolution now works with "nslookup <name> 169.254.3.1". Because the route was added with -p, it survives a reboot; without -p it would be lost on restart and the problem would return.
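The following PowerShell script is an added example (not part of this KB article) that performs the same workaround with the NetTCPIP cmdlets: it discovers the VM's default gateway, checks that the interface actually points at the DNS proxy, adds the /32 host route only if it is missing, and verifies the result with a query to 169.254.3.1. The test name is an assumption; run it from an elevated PowerShell session.

```powershell
# Added example (not from the KB): add the persistent host route for the
# Compute Gateway DNS Proxy on a statically addressed Windows VM and verify it.
# Run from an elevated PowerShell session. The test name is an assumption.

$DnsProxy = '169.254.3.1'
$Prefix   = "$DnsProxy/32"
$TestName = 'www.vmware.com'   # any name the configured DNS server can resolve

# Use the active IPv4 default route to find the gateway and interface, so the
# route lands on the same NIC the VM uses to reach the Compute Gateway.
$default = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
           Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
if (-not $default) { throw 'No IPv4 default route found; configure the static gateway first.' }

$gateway = $default.NextHop
$ifIndex = $default.InterfaceIndex
"Default gateway $gateway on interface index $ifIndex"

# Confirm the VM actually points at the DNS proxy; otherwise this route is irrelevant.
$dnsServers = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
if ($dnsServers -notcontains $DnsProxy) {
    Write-Warning "Interface $ifIndex uses DNS servers [$($dnsServers -join ',')], not $DnsProxy"
}

# Add the /32 host route only if it is missing. New-NetRoute creates a persistent
# route by default, equivalent to: route add 169.254.3.1 mask 255.255.255.255 <gw> -p
if (-not (Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue)) {
    New-NetRoute -DestinationPrefix $Prefix -InterfaceIndex $ifIndex -NextHop $gateway | Out-Null
    "Added route $Prefix via $gateway"
} else {
    "Route $Prefix already present"
}

# Verify: the route exists and a query sent to the proxy now gets an answer.
# -DnsOnly disables LLMNR/NetBIOS fallback so a success really means DNS worked.
Get-NetRoute -DestinationPrefix $Prefix |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize
Resolve-DnsName -Name $TestName -Server $DnsProxy -Type A -DnsOnly -ErrorAction Stop |
    Format-Table Name, Type, IPAddress -AutoSize
```

If the final Resolve-DnsName still times out after the route is in place, check whether the DNS server the Compute Gateway forwards to is itself a statically addressed Windows VM; it needs the same host route before it can reply to the proxy.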

Note: When using the Compute Gateway DNS Proxy for DNS resolution on guest VMs, firewall rules for DNS do not need to be specifically configured on the Compute Gateway firewall.
However, if you configure your own DNS server directly on a guest VM, you must ensure that the Compute Gateway firewall rules allow DNS traffic from the guest VMs to the DNS servers on both TCP and UDP port 53 (TCP is used when a response is too large for UDP and the query is retried), with a source of the guest VM IPs or subnet and a destination of the DNS server IPs only. Keep the destination limited to the DNS servers you actually use rather than opening port 53 to any destination.
           e.g. For using Google's public DNS (8.8.8.8 and 8.8.4.4) from a VM (192.168.1.10) in the 192.168.1.0/24 network, you would require 2 firewall rules:
  • allow UDP port 53 out from 192.168.1.0/24 to 8.8.8.8 and 8.8.4.4
  • allow TCP port 53 out from 192.168.1.0/24 to 8.8.8.8 and 8.8.4.4
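To confirm that both firewall rules above actually pass traffic, the following PowerShell check is an added example (not from this KB article): it queries each configured DNS server once over UDP and once over TCP, so a failure on only one transport points directly at the missing rule. The server list and test name are assumptions; run it from the guest VM whose traffic the rules are meant to allow.

```powershell
# Added example (not from the KB): verify that DNS servers configured directly
# on a guest VM are reachable through the Compute Gateway firewall over both
# UDP and TCP port 53. Server list and test name are assumptions; adjust them.

$Servers  = @('8.8.8.8', '8.8.4.4')     # the DNS servers allowed by your firewall rules
$TestName = 'www.vmware.com'            # any name the servers can resolve

foreach ($server in $Servers) {
    # Resolve-DnsName uses UDP by default; -TcpOnly forces TCP 53.
    # -DnsOnly disables LLMNR/NetBIOS fallback so a failure really means the
    # query did not reach this server (or its answer did not come back).
    foreach ($tcp in $false, $true) {
        $transport = if ($tcp) { 'TCP' } else { 'UDP' }
        try {
            $r = Resolve-DnsName -Name $TestName -Server $server -Type A `
                                 -DnsOnly -TcpOnly:$tcp -ErrorAction Stop
            $addrs = ($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ','
            '{0,-10} {1,-4} OK   {2}' -f $server, $transport, $addrs
        } catch {
            # A timeout on one transport but not the other usually means the
            # matching Compute Gateway rule (UDP or TCP 53 to this server) is missing.
            '{0,-10} {1,-4} FAIL {2}' -f $server, $transport, $_.Exception.Message
        }
    }
}
```

A server that answers over UDP but fails over TCP will appear to work for small lookups and then fail intermittently on large responses, which is the symptom of the TCP 53 rule having been left out.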