diff --git a/build/dependencies.yaml b/build/dependencies.yaml index bb6641e1bfd..e698559452b 100644 --- a/build/dependencies.yaml +++ b/build/dependencies.yaml @@ -18,7 +18,7 @@ dependencies: # agnhost: bump this one first - name: "agnhost" - version: "2.29" + version: "2.30" refPaths: - path: test/images/agnhost/VERSION match: \d.\d diff --git a/test/images/agnhost/VERSION b/test/images/agnhost/VERSION index 072e651358f..81b133a0d27 100644 --- a/test/images/agnhost/VERSION +++ b/test/images/agnhost/VERSION @@ -1 +1 @@ -2.29 +2.30 diff --git a/test/images/agnhost/agnhost.go b/test/images/agnhost/agnhost.go index a02f398ac7d..6e7ffeb3c25 100644 --- a/test/images/agnhost/agnhost.go +++ b/test/images/agnhost/agnhost.go @@ -51,7 +51,7 @@ import ( func main() { rootCmd := &cobra.Command{ Use: "app", - Version: "2.29", + Version: "2.30", } rootCmd.AddCommand(auditproxy.CmdAuditProxy) diff --git a/test/images/agnhost/openidmetadata/openidmetadata.go b/test/images/agnhost/openidmetadata/openidmetadata.go index 9672873b0e0..8d7a9783481 100644 --- a/test/images/agnhost/openidmetadata/openidmetadata.go +++ b/test/images/agnhost/openidmetadata/openidmetadata.go @@ -23,12 +23,17 @@ import ( "fmt" "io/ioutil" "log" + "net" "net/http" + "net/url" + "runtime" + "time" oidc "github.com/coreos/go-oidc" "github.com/spf13/cobra" "golang.org/x/oauth2" "gopkg.in/square/go-jose.v2/jwt" + "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/rest" ) @@ -80,6 +85,12 @@ func main(cmd *cobra.Command, args []string) { log.Printf("OK: got issuer %s", unsafeClaims.Issuer) log.Printf("Full, not-validated claims: \n%#v", unsafeClaims) + if runtime.GOOS == "windows" { + if err := ensureWindowsDNSAvailability(unsafeClaims.Issuer); err != nil { + log.Fatal(err) + } + } + iss, err := oidc.NewProvider(ctx, unsafeClaims.Issuer) if err != nil { log.Fatal(err) 
@@ -162,3 +173,27 @@ func withOAuth2Client(context.Context) (context.Context, error) {
 })
 return ctx, nil
 }
+
+// DNS can be available sometime after the container starts due to the way
+// networking is set up for Windows nodes with dockershim as the container runtime.
+// In this case, we should make sure we are able to resolve the issuer before
+// invoking oidc.NewProvider.
+// See https://github.com/kubernetes/kubernetes/issues/99470 for more details.
+func ensureWindowsDNSAvailability(issuer string) error {
+ log.Println("Ensuring Windows DNS availability")
+
+ u, err := url.Parse(issuer)
+ if err != nil {
+ return err
+ }
+
+ return wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+ ips, err := net.LookupHost(u.Host)
+ if err != nil {
+ log.Println(err)
+ return false, nil
+ }
+ log.Printf("OK: Resolved host %s: %v", u.Host, ips)
+ return true, nil
+ })
+}
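Review bot: `net.LookupHost(u.Host)` in ensureWindowsDNSAvailability is given the URL's host component, which still carries a `:port` suffix when the issuer specifies one, so for such an issuer every lookup would fail and the poll would run out its 5 seconds before main calls log.Fatal. Resolve the bare name instead with `host := u.Hostname()` followed by `ips, err := net.LookupHost(host)`, and log `host` in the OK line. An issuer that parses without a host (for example one with no scheme) takes the same timeout path; a guard such as `if host == "" { return fmt.Errorf("issuer %q has no host", issuer) }` fails fast with a clearer message. The issuer comes from claims that main logs as not yet validated, so it is appropriate to treat it as arbitrary input at this point.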