Hardening DNS Resolution for Amazon WorkSpaces Personal

Desktop & Application Streaming Blog



This article discusses how to harden DNS resolution for Amazon WorkSpaces Personal, a managed Desktop-as-a-Service (DaaS) solution. It explains that WorkSpaces have two network interfaces: one in the service-owned Management Network and one in the customer-owned VPC. Due to Windows' Smart Multi-Homed Name Resolution (SMHNR), DNS queries from WorkSpaces may be sent to resolvers in the Management Network, which could raise security concerns for customers.

Specifically, the article covers:

  • The architecture of WorkSpaces with two network interfaces
  • The role of SMHNR in causing DNS queries to the Management Network
  • Solution 1: Using Windows Defender Firewall to block DNS traffic to the Management Network
  • Solution 2: Deploying a Name Resolution Policy rule to route all DNS queries to the customer's network
  • Steps to configure both solutions using Group Policy Objects
  • Cleanup steps to remove the configured rules and GPOs

