Use this article to resolve DNS lookup errors that prevent UWP-based VPN apps from connecting while the Windows Roaming Client is active in Classic DNS Filtering mode.
This issue only applies to Classic DNS Filtering, which uses a Loopback Proxy (127.0.0.2) for DNS resolution. UWP VPN apps may not be able to send DNS queries to the loopback interface due to Windows sandboxing behavior.
This issue does not apply to DNS PreCheck, which uses Transparent Proxy interception at the kernel level and does not rely on loopback DNS settings.
UWP VPN applications may fail to connect and display errors such as:
- No such host is known
- Unable to resolve host
This issue does not occur when:
- The Windows roaming client service is stopped
- A desktop (non-UWP) VPN client is used instead
UWP (Universal Windows Platform) apps run in a sandboxed environment and are restricted to resolving DNS through the interface generating the query. The Windows roaming client listens on 127.0.0.2 using the loopback interface, which prevents some UWP VPN apps from reaching the roaming client DNS proxy.
This Windows behavior cannot be changed through the roaming client, since loopback DNS is required for client operation.
Resolution options
Option 1: Update to Windows 11
Windows 11 includes improvements to UWP application handling that prevent this issue in most environments.
Option 2: Create an NRPT rule for the VPN domain
Use a Name Resolution Policy Table (NRPT) rule to send DNS queries for a specific domain to an alternate resolver. This bypasses the Windows roaming client only for the configured namespace.
NRPT rules can be configured using:
- Windows PowerShell
- Group Policy Management Editor under Computer Configuration > Policies > Windows Settings > Name Resolution Policy
🚨 Important: NRPT limitations
NRPT rules only affect applications that use the built-in Windows DNS resolver.
Applications that manage DNS internally do not respect NRPT rules, including browsers configured to use encrypted DNS.
Common examples:
- Chrome with DNS-over-HTTPS (DoH) enabled
- Firefox with DoH or DNS-over-TLS (DoT) enabled
For these applications, disable DoH or DoT or configure the application to use the system resolver.
Add an NRPT rule using PowerShell
- Open PowerShell as Administrator
- Run the following script and replace the placeholder values
# Bypass the roaming client for a specific domain suffix by using alternate DNS resolvers
# Set DNS server IP addresses (one or more resolvers that can answer for the VPN domain)
$DnsServers = @(
    "Enter resolver IP here"
)
# Define the domain suffix and rule name.
# The suffix must start with a leading dot so the rule matches every host under it,
# for example ".vpn.example.com" (example value only; use your own VPN domain).
$params = @{
    Namespace   = "Enter domain suffix here"
    NameServers = $DnsServers
    DisplayName = "Enter rule name here"
}
try {
    Add-DnsClientNrptRule @params
}
catch {
    # Add-DnsClientNrptRule throws if the rule cannot be created (for example, when not elevated)
    "Adding NRPT rule failed with the following message: $_"
}
Verify the rule
Run the following command to confirm the rule exists:
Get-DnsClientNrptRule
After applying an NRPT rule, the VPN app should resolve the required domains and connect successfully while the Windows roaming client remains active.
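The following script is an added diagnostic example; it is not part of this article and not a tool shipped with the roaming client. It checks the three things an administrator usually wants confirmed after following the steps above: that the adapters really point at the 127.0.0.2 loopback proxy (Classic mode), that an NRPT rule exists for the VPN suffix and lists the expected resolver, and that a host under that suffix resolves through the system resolver to the same answer the alternate resolver gives directly. The values assigned to $Namespace, $TestHost and $ExpectedResolver are hypothetical placeholders to replace with your own.

```powershell
# Added example: verify the NRPT bypass for a VPN domain while the roaming client is active.
# Run in an elevated PowerShell session on the affected Windows machine.
# The three values below are hypothetical placeholders, not values from the article.
$Namespace        = ".vpn.example.com"            # must match the NRPT rule, leading dot included
$TestHost         = "gateway.vpn.example.com"     # a host under that suffix
$ExpectedResolver = "192.0.2.53"                  # the resolver configured in the NRPT rule

function Get-LoopbackProxyInterfaces {
    # Classic DNS Filtering sets the adapters' DNS server to the loopback proxy 127.0.0.2.
    # Listing adapters that carry that address confirms the roaming client is in Classic mode.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains '127.0.0.2' } |
        Select-Object InterfaceAlias, ServerAddresses
}

function Test-NrptBypass {
    param([string]$Namespace, [string]$TestHost, [string]$ExpectedResolver)

    # The rule must exist for exactly this namespace; NRPT matches on the suffix string.
    $rule = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } | Select-Object -First 1
    if (-not $rule) {
        Write-Warning "No NRPT rule found for namespace '$Namespace'."
        return $false
    }
    if ($rule.NameServers -notcontains $ExpectedResolver) {
        Write-Warning "Rule '$($rule.DisplayName)' does not list $ExpectedResolver as a name server."
        return $false
    }

    # Compare the answer from the system resolver (NRPT in effect) with a direct query to the
    # alternate resolver. Matching A records indicate the bypass is taking effect for this suffix.
    $viaSystem = Resolve-DnsName -Name $TestHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $viaDirect = Resolve-DnsName -Name $TestHost -Type A -DnsOnly -Server $ExpectedResolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

    if (-not $viaDirect) {
        Write-Warning "$ExpectedResolver returned no A record for $TestHost; check the resolver first."
        return $false
    }
    if (-not $viaSystem) {
        Write-Warning "$TestHost did not resolve through the system resolver; the rule is not taking effect."
        return $false
    }
    $diff = Compare-Object -ReferenceObject @($viaDirect) -DifferenceObject @($viaSystem)
    if ($diff) {
        Write-Warning "System resolver answer ($($viaSystem -join ',')) differs from $ExpectedResolver ($($viaDirect -join ','))."
        return $false
    }
    return $true
}

Get-LoopbackProxyInterfaces | Format-Table -AutoSize
if (Test-NrptBypass -Namespace $Namespace -TestHost $TestHost -ExpectedResolver $ExpectedResolver) {
    "NRPT bypass for $Namespace is in effect; the VPN app should now resolve hosts under it."
}

# To back the change out once it is no longer needed (the rest of the namespace stays filtered):
# Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } | Remove-DnsClientNrptRule -Force
```

Because Resolve-DnsName goes through the Windows DNS client, it honours the NRPT rule the same way the UWP VPN app does; the comparison therefore says nothing about applications that resolve names internally, such as a browser with DoH or DoT enabled, which are the cases the limitations note above calls out.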