github.com not reachable from alpine image

[marcofranssen]

Using the latest alpine 3.13 I'm unable to reach github.

Have tried this on Docker for Mac and a ubuntu 20.04 with rootless docker.

See here some things I tried to reach that succeeded.

docker run --rm -it alpine:3.13
/ # nslookup google.com
Server:		192.168.65.1
Address:	192.168.65.1:53

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:4001:801::200e

Non-authoritative answer:
Name:	google.com
Address: 142.250.185.110

/ # nslookup go.uber.org
Server:		192.168.65.1
Address:	192.168.65.1:53

Non-authoritative answer:
go.uber.org	canonical name = ghs.googlehosted.com
Name:	ghs.googlehosted.com
Address: 142.250.185.243

Non-authoritative answer:
go.uber.org	canonical name = ghs.googlehosted.com
Name:	ghs.googlehosted.com
Address: 2a00:1450:4013:c03::79

See here github.com which fails.

docker run --rm -it alpine:3.13
/ # nslookup github.com
Server:		192.168.65.1
Address:	192.168.65.1:53

Non-authoritative answer:
*** Can't find github.com: No answer

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

For completeness I also checked with debian:buster-slim which succeeds.

docker run --rm -it debian:buster-slim
root@ed738f47333e:/# apt update && apt install -y dnsutils
root@ed738f47333e:/# nslookup github.com
Server:		192.168.65.1
Address:	192.168.65.1#53

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

[ghost]

Duplicate of #151 but given the significance maybe makes sense to report twice 🤣

[Logiqx]

I've got a similar problem with alpine:3.13 which doesn't exist in alpine:3.12

/ # mike@MIKE-ENVY:~/projects/work/wca-db$ docker run -it --rm alpine:3.13

/ # ping www.worldcubeassociation.org
ping: bad address 'www.worldcubeassociation.org'

/ # nslookup www.worldcubeassociation.org
Server:         192.168.65.4
Address:        192.168.65.4:53

Non-authoritative answer:
Name:   www.worldcubeassociation.org
Address: 34.208.140.116

*** Can't find www.worldcubeassociation.org: No answer

The above snippet is the most basic illustration of my issue.

In reality this is causing problems within a Python script that can be illustrated as follows:

mike@MIKE-ENVY:~/projects/work/wca-db$ docker run -it --rm python:3.9-alpine3.13
Python 3.9.2 (default, Feb 19 2021, 17:33:48)
[GCC 10.2.1 20201203] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib.request
>>> zip_url = "https://www.worldcubeassociation.org/results/misc/WCA_export.sql.zip"
>>> req = urllib.request.Request(zip_url, headers={'User-Agent': 'Mozilla'})
>>> infile = urllib.request.urlopen(req, timeout = 900)

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/local/lib/python3.9/http/client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1010, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.9/http/client.py", line 950, in send
    self.connect()
  File "/usr/local/lib/python3.9/http/client.py", line 1417, in connect
    super().connect()
  File "/usr/local/lib/python3.9/http/client.py", line 921, in connect
    self.sock = self._create_connection(
  File "/usr/local/lib/python3.9/socket.py", line 822, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "/usr/local/lib/python3.9/socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/local/lib/python3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/local/lib/python3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno -3] Try again>
>>> req = urllib.request.Request(zip_url)
>>> infile = urllib.request.urlopen(req, timeout = 900)
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/local/lib/python3.9/http/client.py", line 1255, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1301, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1250, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.9/http/client.py", line 1010, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.9/http/client.py", line 950, in send
    self.connect()
  File "/usr/local/lib/python3.9/http/client.py", line 1417, in connect
    super().connect()
  File "/usr/local/lib/python3.9/http/client.py", line 921, in connect
    self.sock = self._create_connection(
  File "/usr/local/lib/python3.9/socket.py", line 822, in create_connection
    for res in getaddrinfo(host, port, 0, SOCK_STREAM):
  File "/usr/local/lib/python3.9/socket.py", line 953, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/local/lib/python3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/local/lib/python3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno -3] Try again>
>>>

Both ping, nslookup and my Python code work fine in alpine:3.12 but not alpine:3.13

I'm using Docker Desktop 3.2.1 on Windows 10 with WSL2.

[gaby]

I'm having the same issue. DNS is broken on Alpine 3.13

CC. @ncopa @sourcecode-glitch @CosmicToast

[jokay]

May this be a problem only for Docker rootless setups?

As I can confirm the problem on a Docker rootless setup but it works on a default Docker setup.

Docker rootless (20.10.5)

user@host:~$ docker run --rm alpine:3.13 wget https://api.nuget.org/v3/index.json
wget: bad address 'api.nuget.org'

Docker default (19.03.11)

user@host:~$ docker run --rm alpine:3.13 wget https://api.nuget.org/v3/index.json
Connecting to api.nuget.org (152.199.23.209:443)
saving to 'index.json'
index.json           100% |********************************|  8543  0:00:00 ETA
'index.json' saved

[golgotow]

Hello,

is any fix in plan for this ?

Best regards

[ncopa]

I'd be happy to fix it if someone could tell what the problem is.

To my understanding the problem is busybox nslookup? There are a bunch of "me-too" comments that mentions ping and stub resolver from python. (which to my understanding is slightly different thing)

Now for the original problem, with busybox nslookup:

ncopa-desktop:~$ docker run --rm -it alpine:3.13
/ # nslookup google.com
Server:		172.21.1.1
Address:	172.21.1.1:53

Non-authoritative answer:
Name:	google.com
Address: 142.250.74.142

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:400f:804::200e

/ # nslookup github.com
Server:		172.21.1.1
Address:	172.21.1.1:53

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.3

Non-authoritative answer:
*** Can't find github.com: No answer

/ # echo $?
0

nslookup actually returns 0 which means success and it does give the answer Address: 140.82.121.3.

Would be good to know:

• kernel version
• docker version
• libseccomp version

Also, busybox nslookup is a slimmed down, or limited version of nslookup. If it is not broken, just not good enough, then you can install bind-tools for a full featured nslookup.

[ncopa]

does it work with nslookup from bind-tools?

[rochacon]

I'm was having similar problems running Alpine 3.13 containers inside Kubernetes. While using an external DNS (e.g. 1.1.1.1) everything worked fine, but when using the internal DNS, CoreDNS, aplications would crash with resolution errors. I noticed that CoreDNS was responding for AAAA records with NXDOMAIN error. With this, even nslookup would fail (apk, PHP, Python etc. all errored too).

After double checking my CoreDNS settings and versions, and making sure it would respond correctly for both A and AAAA records, the problem was no longer present.

It seems to me the issue happens when DNS servers responds with NXDOMAIN for AAAA records, then musl (?) will return the query as "not resolved", resulting in the failures we're experiencing (even tho an A record was returned). When AAAA queries respond with No answer I do not see the same issues.

[gsmethells]

-FROM python:3.7-alpine3.11
+FROM python:3.7-alpine3.13

and now it cannot wget www

#5 12.40 (79/80) Installing imagemagick-dev (7.0.10.57-r0)
#5 12.48 (80/80) Installing .build-deps (20210506.184850)
#5 12.48 Executing busybox-1.32.1-r6.trigger
#5 12.49 Executing glib-2.66.8-r0.trigger
#5 12.50 No schema files found: doing nothing.
#5 12.51 OK: 305 MiB in 115 packages
#5 12.61 wget: bad address 'www.medstrat.com'
#5 12.61 tar: invalid magic
#5 12.61 tar: short read
------
failed to solve with frontend dockerfile.v0: failed to build LLB: executor failed running [/bin/sh -c apk add --no-cache --virtual .build-deps g++ make glib-dev expat-dev jpeg-dev zlib-dev tiff-dev imagemagick-dev     && wget -O- https://www.medstrat.com/3rdparty/vips-${VIPS_VERSION}.tar.gz | tar xzC /tmp     && cd /tmp/vips-${VIPS_VERSION}     && ./configure     && make install     && cd /tmp     && rm -rf /tmp/vips-${VIPS_VERSION}     && apk del --no-cache .build-deps]: runc did not terminate sucessfully

[lrascao]

@rochacon

After double checking my CoreDNS settings and versions, and making sure it would respond correctly for both A and AAAA records, the problem was no longer present.

can you please elaborate? what changes did you make to CoreDNS settings?

[5nafu]

After double checking my CoreDNS settings and versions, and making sure it would respond correctly for both A and AAAA records, the problem was no longer present.

I am not quite sure that this is really related to CoreDNS (or I did not understand it correctly), as the busybox nslookup will give both IPv6 and IPv4 adresses on some other hosts:

alpine:3.13

/ # nslookup github.com
Server:	192.168.65.1
Address:	192.168.65.1:53

** server can't find github.com: NXDOMAIN

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4
Name:	github.com
Address: 140.82.121.4

/ # nslookup google.com
Server:	192.168.65.1
Address:	192.168.65.1:53

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:4005:802::200e
Name:	google.com
Address: 2a00:1450:4005:802::200e

Non-authoritative answer:
Name:	google.com
Address: 142.250.181.206
Name:	google.com
Address: 142.250.181.206

/ # wget https://github.com
wget: bad address 'github.com'
/ # wget https://google.com
Connecting to google.com (216.58.213.206:443)
Connecting to www.google.com (172.217.19.68:443)
saving to 'index.html'
index.html           100% |***********************************************************************************************************************************************| 14400  0:00:00 ETA
'index.html' saved

alpine:3.12

/ # nslookup github.com
Server:	192.168.65.1
Address:	192.168.65.1:53

** server can't find github.com: NXDOMAIN

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4
Name:	github.com
Address: 140.82.121.4

/ # nslookup google.com
Server:	192.168.65.1
Address:	192.168.65.1:53

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:4005:803::200e
Name:	google.com
Address: 2a00:1450:4005:803::200e

Non-authoritative answer:
Name:	google.com
Address: 142.250.181.206
Name:	google.com
Address: 142.250.181.206

/ # wget https://github.com
Connecting to github.com (140.82.121.4:443)
saving to 'index.html'
index.html           100% |***********************************************************************************************************************************************|  208k  0:00:00 ETA
'index.html' saved
/ # rm index.html
/ # wget https://google.com
Connecting to google.com (216.58.213.206:443)
Connecting to www.google.com (216.58.213.228:443)
saving to 'index.html'
index.html           100% |***********************************************************************************************************************************************| 13609  0:00:00 ETA
'index.html' saved

@ncopa, to answer your question, The use case is any download while building container images based on alpine might fails when downloading additional parts. The list of domains I came across contains for example github.com and dl-3.alpinelinux.org.

In our case we are using the dind:rootless container in a kubernetes setup:

$ uname -a
Linux 096ee58fe6f6 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 Linux
$ docker --version
Docker version 19.03.12, build 48a66213fe
$  dpkg -l libseccomp2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version                Architecture Description
+++-=================-======================-============-============================================
ii  libseccomp2:amd64 2.5.1-1ubuntu1~20.04.1 amd64        high level interface to Linux seccomp filter

[marcofranssen]

I'm pretty sure it is not related to CoreDNS.

I'm facing the issue in Docker-for-Mac, Barebone rootless docker on ubuntu as well when running in a k8s cluster. These do not all use a CoreDNS setup.

Any other image is not facing this issue. e.g. Ubuntu, debian, busybox.

[rochacon]

It is not related to CoreDNS specifically, but to the DNS server returning the incorrect error code for a non existing record, e.g. NXDOMAIN errors instead of NODATA. In my case it was related to CoreDNS since this is the DNS server I'm using, I believe Docker-for-Mac has its own DNS server too, although I'm not sure and don't have a mac to test this.

Could you post the output for the following commands?

nslookup -type=A google.com
nslookup -type=AAAA google.com

nslookup -type=A google.com 8.8.8.8
nslookup -type=AAAA google.com 8.8.8.8

These should test DNS resolutions against both DNS providers: default (nameserver entry in /etc/resolv.conf) and Google's public one. I believe at least one of the records on the default DNS server will return NXDOMAIN.

@lrascao I missed the notification for your message, sorry. CoreDNS versions prior to 1.7 had some issues with autopath + cache plugins, a workaround was to "disable" IPv6 resolution by returning a fixed response for every AAAA request, I still had this setting on my CoreDNS Corefile since I do not have IPv6 enabled on my environment. Removing the workaround and making sure CoreDNS is up-to-date was the change I made that solved the resolution issues with Alpine 3.13 for me.

[marcofranssen]

Google works fine, Github is having issues on AAAA (ipv6). Or when the type is not provided.

$ docker run --rm -it alpine sh
/ # nslookup -type=A google.com
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.14

/ # nslookup -type=AAAA google.com
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:400e:802::200e

/ # nslookup -type=AAAA google.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8:53

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:400e:802::200e

/ # nslookup -type=A google.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8:53

Non-authoritative answer:
Name:	google.com
Address: 216.58.214.14

/ # nslookup -type=A github.com
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

/ # nslookup -type=AAAA github.com
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
*** Can't find github.com: No answer

/ # nslookup -type=AAAA github.com 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8:53

Non-authoritative answer:
*** Can't find github.com: No answer

/ # nslookup github.com
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

Non-authoritative answer:
*** Can't find github.com: No answer

[rochacon]

Sorry @marcofranssen I forgot to add the exit code to the commands, I believe all those returned 0 (success), right? nslookup github.com ; echo $?

Adding to the history here, I believe this is related to https://gitlab.alpinelinux.org/alpine/aports/-/issues/11879 which should be fixed on https://git.musl-libc.org/cgit/musl/commit/?id=5cf1ac2443ad0dba263559a3fe043d929e0e5c4c (released on musl-1.2.1).

Could it be possible that the affected images are still using an older version of musl? apk list | grep musl-

[marcofranssen]

Indeed responds with a 0 exitcode. However musl is already at 1.2.2 in latest alpine.

$ docker run --rm -it alpine sh
/ # nslookup github.com ; echo $?
Server:		192.168.65.5
Address:	192.168.65.5:53

Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

Non-authoritative answer:
*** Can't find github.com: No answer

0
/ # apk list | grep musl-
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
musl-1.2.2-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]

[weyou]

Got the same problem on 3.13.

weyou@omv:~$ docker run -ti --rm alpine:3.13 sh
/ # nslookup -type=A github.com
Server:         172.16.20.1
Address:        172.16.20.1:53

Non-authoritative answer:
Name:   github.com
Address: 192.30.255.113

/ # nslookup -type=AAAA github.com
Server:         172.16.20.1
Address:        172.16.20.1:53

** server can't find github.com: REFUSED

/ # ping github.com
ping: bad address 'github.com'
/ # ping -4 github.com
PING github.com (192.30.255.112): 56 data bytes
64 bytes from 192.30.255.112: seq=1 ttl=46 time=302.787 ms
64 bytes from 192.30.255.112: seq=2 ttl=46 time=302.894 ms
64 bytes from 192.30.255.112: seq=3 ttl=46 time=302.345 ms
64 bytes from 192.30.255.112: seq=4 ttl=46 time=304.398 ms
^C
--- github.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 302.345/303.106/304.398 ms
/ # ping -6 github.com
ping: bad address 'github.com'

/ # nc github.com 80
nc: bad address 'github.com'

/ # traceroute github.com
traceroute: bad address 'github.com'
/ # traceroute -6 github.com
traceroute: bad address 'github.com'
/ # traceroute -4 github.com
traceroute to github.com (192.30.255.112), 30 hops max, 46 byte packets
 1  10.30.0.1 (10.30.0.1)  0.023 ms  0.023 ms  0.021 ms
 2   ...

It looks like all network tools prefer using the "-6" option in this version.

[Logiqx]

A quick update which might add a little further insight. The issue that I've encountered personally appears to be when accessing specific domains via IPv6 with Alpine 3.13 upwards; I've tested Alpine 3.13, 3.14 and 3.15. Alpine 3.12 and earlier releases do not have this specific issue.

The problem only affects some of my environments (e.g. Windows 10 running Docker Desktop with an Alpine 3.13/3.14/3.15 base image for my project). Some of my other environments work absolutely fine (e.g. Amazon Linux using Alpine 3.13/3.14/3.15 base images or my Windows machine using alternative base images such as Ubuntu / Debian). Alpine 3.12 and earlier still work fine on my Windows 10 machine.

It's all the same problem but for me it is when accessing www.worldcubeassociation.org

I have a simple Python script that downloads a zip file from that website but on my Windows laptop it fails due to what appears to be name resolution issue; original stack trace is included in my earlier comment but occurs in Alpine 3.13, 3.14 and 3.15.

To allow myself to upgrade to Python 3.10 + Alpine 3.15, I've implemented a dirty hack in my Python project to force IPv4 when running on Windows. I test the project code on my Windows machine (i.e. IPv4) then deploy to AWS which bypasses the hack and thus uses IPv6 (if available).

For anyone interested you can see the Python code that downloads the zip file from www.worldcubeassociation.org and the hack to force IPv4 on Windows: https://github.com/Logiqx/wca-db/tree/master/python

The fix suggested by dogi (installing the ip6tables package) does not work for my project.

[j4ym0]

I have run into this issue a few times on Alpine 3.12+ images using Docker for Windows, building multi-arch images with buildx, or even just running the base image. I would get curl: (6) Could not resolve host: codeload.github.com

My workaround is adding --retry 5 to my curl command. Now although it initially fails with 'could not resolve host' by the 3rd attempt it is successful.

I found that this helps, not sure why. Maybe it added another way to resolve the address.
I added ipv6 support to the docker config file in Settings -> Docker Engine (on windows)

  "fixed-cidr-v6": "2001:db8:1::/64",
  "ipv6": true,

This then would allow curl and wget to resolve the host the first time, but only if there was no redirect (301, 302) from the original domain, but can be resolved again using --retry. Adding the ip6tables package did not help in all cases.

I don't think this is an ipv4 / ipv6 issue, to me it seems to be an issue with the resolver and repeated requests will resolve the address. Now whether this lies in the Alpine image or in Docker I am not sure.

[limingxinleo]

mark

[decriptor]

I've been running into roughly the same problem. In my I'm trying to install a dotnet tool (dotnet-monitor) and I couldn't resolve api.nuget.org

I tried:

nslookup api.nuget.org - failed

nslookup api.nuget.org 172.24.112.1
Server:         172.24.112.1
Address:        172.24.112.1:53

Non-authoritative answer:
*** Can't find api.nuget.org: Parse error

Non-authoritative answer:
*** Can't find api.nuget.org: Parse error

nslookup api.nuget.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8:53

Non-authoritative answer:
api.nuget.org   canonical name = nugetapiprod.trafficmanager.net
nugetapiprod.trafficmanager.net canonical name = apiprod-mscdn.azureedge.net
<SNIP - for brevity sake>

I ended up manually adding my local dns to /etc/resolv.conf and things seem to be working just fine.

nameserver 172.24.112.1
nameserver 192.168.1.1

172.24.112.1 <- this is there by default. So, whatever that points to seems to cause problems?

[tobiasehlert]

I'm experiencing the same issue and I am running busybox in a Docker rootless, when running towards the default Docker rootless DNS resolving part.

When pointing out an external DNS in the nslookup command, it actually works in Docker rootless.

When running in "normal" Docker, both commands below work.

# using 1.1.1.1
docker run --rm golang:alpine /bin/busybox nslookup -debug github.com 1.1.1.1

# using default
docker run --rm golang:alpine /bin/busybox nslookup -debug github.com

Output is like this:

# using 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1:53

Query #0 completed in 6ms:
Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4

Query #1 completed in 6ms:
Non-authoritative answer:

# using default
Server:		192.168.65.1
Address:	192.168.65.1:53

Query #0 completed in 1ms:
Non-authoritative answer:
Name:	github.com
Address: 140.82.121.4
Name:	github.com
Address: 140.82.121.4

Query #1 completed in 1ms:
** server can't find github.com: NXDOMAIN

[mj520]

apk add bind-tools
curl、nslookup 、php ... ok

[Crapshit]

@mj520 this does not help us, because our application still fails in DNS resolution.

In our case we are also receiving NXDOMAIN / SERVFAIL for AAAA type records from our Consul cluster.

[timblaktu]

I have run into this issue a few times on Alpine 3.12+ images using Docker for Windows, building multi-arch images with buildx, or even just running the base image. I would get curl: (6) Could not resolve host: codeload.github.com

My workaround is adding --retry 5 to my curl command. Now although it initially fails with 'could not resolve host' by the 3rd attempt it is successful.

@j4ym0 on 3.16, retrying wget 10 times doesn't fix the DNS issue after upgrading from BusyBox wget using apk add --no-cache wget:

 > [iamlive download 2/2] RUN     wget --tries=10 --retry-connrefused --retry-on-host-error -O iamlive.tar.gz "https://github.com/iann0036/iamlive/releases/download/v0.49.0/iamlive-v0.49.0-linux-amd64.tar.gz" &&     tar -xzf iamlive.tar.gz:                                                                                                                                                 #0 0.425 --2022-11-09 14:26:27--  https://github.com/iann0036/iamlive/releases/download/v0.49.0/iamlive-v0.49.0-linux-amd64.tar.gz
#0 0.446 Resolving github.com (github.com)... failed: Name does not resolve.
#0 0.578 wget: unable to resolve host address 'github.com'
#0 0.578 Retrying.
#0 0.578
#0 1.579 --2022-11-09 14:26:29--  (try: 2)  https://github.com/iann0036/iamlive/releases/download/v0.49.0/iamlive-v0.49.0-linux-amd64.tar.gz
#0 1.579 Resolving github.com (github.com)... failed: Name does not resolve.
#0 1.582 wget: unable to resolve host address 'github.com'
#0 1.582 Retrying.
#0 1.582
.
.
.
#0 45.78 --2022-11-09 14:27:13--  (try:10)  https://github.com/iann0036/iamlive/releases/download/v0.49.0/iamlive-v0.49.0-linux-amd64.tar.gz
#0 45.78 Resolving github.com (github.com)... failed: Name does not resolve.
#0 45.79 wget: unable to resolve host address 'github.com'
#0 45.79 Giving up.
#0 45.79

I'm on Debian 11 on WSL2.

[issenn]

same issue.

After the docker daemon runs for a period of time, alpine's network will be broken.
Maybe it's a docker problem, but if I can't restart the docker, and I can't test alpine.

/ #  ping -4 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # traceroute github.com
traceroute to github.com (20.205.243.166), 30 hops max, 46 byte packets
 1  172.17.0.1 (172.17.0.1)  0.076 ms  0.007 ms  0.003 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *

/ # apk add iputils
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
48BB57250C7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
48BB57250C7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:320:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.17/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
ERROR: unable to select packages:
  iputils (no such package):
    required by: world[iputils]