diff --git a/scripts/build/.variables b/scripts/build/.variables
index d37c945893c6..53afc14a21d3 100755
--- a/scripts/build/.variables
+++ b/scripts/build/.variables
@@ -102,6 +102,15 @@ if [ "$CGO_ENABLED" = "1" ] && [ "$GO_LINKMODE" = "static" ]; then
     # compiling statically with CGO enabled requires osusergo and netgo to be set.
     GO_BUILDTAGS="$GO_BUILDTAGS osusergo netgo"
 fi
+# XXX: Disable netgo on Windows and use Windows system resolver instead.
+#
+# go1.19 and newer added support for netgo on Windows (https://go.dev/doc/go1.19#net),
+# which may not respect VPN adaptors (such as Twingate) due to resolver ordering,
+# resulting in queries being sent through the local network adapter instead of the
+# VPN tunnel. See https://github.com/docker/cli/issues/6665
+if [ "$(go env GOOS)" = "windows" ]; then
+    GO_BUILDTAGS=$(echo "$GO_BUILDTAGS" | sed 's/\(^\| \)netgo\( \|$\)/\1/g')
+fi
 if [ -n "$GO_STRIP" ]; then
     # if stripping enabled and building with llvm < 12 against darwin/amd64
     # platform, it will fail with: