VPNKit DNS server returns NXDOMAIN for SRV records #509
Comments
I am running into the same problem, but with AAAA records instead. And in particular, it seems to break DNS resolution for IPv4-hosts for Alpine Linux containers started inside a I was going to open a new issue and found this one at the last minute, so here's my writeup/analysis for it:

Steps to reproduce

The easiest way I have found to reproduce the issue is as follows:

Further tests

Some further tests tell us more about the nature of the problem, and why I believe it's related to VPNKit:

Potential cause: NXDOMAIN for AAAA records

I believe that the problem is that when you run an AAAA query for a domain without any AAAA records inside rootlesskit+vpnkit, you get an invalid NXDOMAIN response:

$ sudo docker exec -it -u 0 dind apk add bind-tools
$ sudo docker exec -it dind rootlesskit --net=vpnkit dig ipv4.tlund.se AAAA | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60429

While if you run it without vpnkit or with slirp4netns, you get a NOERROR response:

It appears that the musl DNS resolver will fail the resolution once it sees that NXDOMAIN response for the AAAA records, failing the entire resolution. I have not yet had time to figure out why we're getting a NXDOMAIN response after we add VPNKit (or what the specs say about those weird cases), but at first glance it seems like it should return NOERROR instead.
At least for AAAA queries, the NXDOMAIN appears to come from those two lines: vpnkit/src/hostnet/hostnet_dns.ml Lines 449 to 450 in dc331cb
Hello from the future! I've arrived at the same conclusion after running into the same issue moby/moby#47628. But I don't know OCaml to help fix it. The code should distinguish between an empty NOERROR vs a NXDOMAIN returned from upstream.
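The distinction the comments above ask for, as an added Python example that is not part of the thread and not VPNKit's code: it classifies DNS replies from their header and runs a simplified resolver model over them to show why an NXDOMAIN in place of an empty NOERROR breaks an IPv4-only host. The name `v4only.example`, the replies and the function names are constructed for illustration, and `dual_stack_lookup` is an assumption modelled on the musl behaviour described in the thread.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    # Wire format: length-prefixed labels ending with a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, qtype, rcode, a_records=()):
    # Constructed reply: QR=1, RD=1, RA=1 (0x8180) plus the rcode in the low 4 bits.
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg += encode_name(name) + struct.pack("!2H", qtype, 1)
    for addr in a_records:
        # 0xC00C points back at the question name (offset 12); TTL 60, RDLENGTH 4.
        msg += struct.pack("!3HIH", 0xC00C, TYPE_A, 1, 60, 4) + bytes(addr)
    return msg

def classify(msg):
    # Header fields: id, flags, qdcount, ancount, nscount, arcount.
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"  # the name does not exist, for any record type
    if rcode != RCODE_NOERROR:
        return "ERROR"
    # NOERROR with an empty answer section: the name exists, but not for this type.
    return "ANSWER" if ancount else "NODATA"

def dual_stack_lookup(a_reply, aaaa_reply):
    # Simplified model (assumption): the whole lookup fails when either reply
    # is NXDOMAIN, as the thread describes for the musl resolver.
    kinds = (classify(a_reply), classify(aaaa_reply))
    if "NXDOMAIN" in kinds:
        return "name not found"
    return "resolved" if "ANSWER" in kinds else "no addresses"

NAME = "v4only.example"  # constructed name: has an A record, no AAAA record
a_ok = build_response(NAME, TYPE_A, RCODE_NOERROR, [(192, 0, 2, 10)])
aaaa_nodata = build_response(NAME, TYPE_AAAA, RCODE_NOERROR)     # expected reply
aaaa_nxdomain = build_response(NAME, TYPE_AAAA, RCODE_NXDOMAIN)  # reply seen in the thread

if __name__ == "__main__":
    print("AAAA NODATA   ->", dual_stack_lookup(a_ok, aaaa_nodata))
    print("AAAA NXDOMAIN ->", dual_stack_lookup(a_ok, aaaa_nxdomain))
```

The same `classify` check can be pointed at raw reply bytes captured from a forwarder to confirm that a type with no records comes back as NODATA rather than NXDOMAIN.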
VPNKit DNS server returns NXDOMAIN for SRV records
OTOH slirp4netns DNS works as expected:
VPNKit version: v0.4.0
RootlessKit version: v0.10.0
Originally reported by @hawicz in moby/libnetwork#2574