DNS issues in WSL2

[OneBlue]

Version

Multiple Windows builds are affected

WSL Version

• WSL 2
• WSL 1

This issue is here to merge DNS related issues in WSL2.

Symptoms include:

• DNS resolution failing with Temporary failure in name resolution
• DNS resolution timing out

This issue does not cover scenarios where /etc/resolv.conf is manually edited.

If you're hitting this, please upvote / comment and upload logs

[stijnherreman]

@OneBlue I've posted repro steps in #8236 for one of the causes.

[lbarbaglia]

Hi,
I'm having the exact same issue so I've collected some logs in case it can help:
WslLogs-2022-05-10_16-27-14.zip

Even modifying the /etc/resolv.conf is not working anymore.

[CraigHutchinson]

I am getting this issue on fresh installation of Windows 11 with WSL2 Ubuntu image, really annoying issue!

[WSL] sudo apt update = ... Temporary failure resolving 'archive.ubuntu.com' ...
[WSL] cat /etc/resolv.conf = ... nameserver 172.23.48.1
[WSL] ping 172.23.48.1 = From 172.23.62.236 icmp_seq=3 Destination Host Unreachable
[WSL] ping google.com = ping: google.com: Temporary failure in name resolution
[Windows] ping 172.23.48.1 = Reply from 172.23.48.1: bytes=32 time<1ms TTL=128

Attached are the logs.
WslLogs-2022-05-17_10-17-13.zip

NOTE: ON Windows 11 I got this error when running the capture so they may be incomplete?

[r2evans]

@CraigHutchinson , your comment appears to mimic what I'm seeing, where the problem is somehow in the routing and not just the name resolution. Have you found any workarounds?

[MikaelUmaN]

#4285 was already tracking this. I consider this issue the /dupe #4285

[BtbN]

There were multiple open issues, all about the functionally same issue. Hence, as the initial description says, this exists to merge and declutter them.

[dlaudams]

There were multiple open issues, all about the functionally same issue. Hence, as the initial description says, this exists to merge and declutter them.

If this leads to a fix, this is a great outcome.

However the way it was handled may alienate the community. i.e., closing all the related issues without discussion or a clear reason provided in those issues.

[unowiz]

It might be to do with Windows Defender settings. resolv.conf and wsl.conf based approach didn't work for me.
sudo apt update && sudo apt upgrade worked immediately after I turned off the Private network firewall. Once the update completed, I've put the firewall for private network back on.

On Windows 11, Go to Windows Security (from system tray, right click on Windows Security icon and select "View security dashboard" or simply search for "Firewall and network protection" after you press the windows key). Within the Firewall and network protection page, you should see Domain network (if domain connected), Private network, Public network. Go for the private network an turn it off temporarily as a workaround. Hope this helps.

[Shellishack]

I may have found another way to fix this. Originally I had this problem after using a proxy software. I just edited resolv.conf. It worked well until I realized that I also couldn't ping to Windows from WSL.

For some reason, the vEthernet (WSL) adapter on my PC was treated as a public network. Disabling public firewall or turning off the option "block all incoming connections, including those in the list of allowed applications" in Control Panel fixed everything. I also attempted to change its connection profile to private using PowerShell, but Get-NetConnectionProfile can't even find it while both ipconfig and Get-NetIPconfiguration can display some limited info about it.

[zugazagoitia]

It might be to do with Windows Defender settings. resolv.conf and wsl.conf based approach didn't work for me. sudo apt update && sudo apt upgrade worked immediately after I turned off the Private network firewall. Once the update completed, I've put the firewall for private network back on.

On Windows 11, Go to Windows Security (from system tray, right click on Windows Security icon and select "View security dashboard" or simply search for "Firewall and network protection" after you press the windows key). Within the Firewall and network protection page, you should see Domain network (if domain connected), Private network, Public network. Go for the private network an turn it off temporarily as a workaround. Hope this helps.

This seems to be a fix for me too, Windows Firewall must be blocking DNS queries originating inside the WSL VM from reaching the DNS server at the host.

[Ray-Barker]

Tried to disable Windows Defender Firewall on Windows 10, doesn't help.
Tried manually editing /etc/resolv.conf in my Ubuntu 20.04 WSL2 by adding 8.8.8.8 and 1.1.1.1, it helps, but these servers don't work in our VPN.
What helped me as a workaround was adding my router's IP as a nameserver to resolv.conf since it has DNS server capability.
But I would like a more generalized solution.

[mbwhite]

Windows 10 with Ubuntu 20 in WSL2 : got some reproducible failures today for the first time; and it's confirmed something I've suspected but never been able to prove.. that there might be a connection with running the docker daemon.

Everything is working correctly (as fas as DNS goes), start the docker daemon (just a plain sudo dockerd ) afterwards, the 'temporary failure' error occurs.

Logs attached.
WslLogs-2022-06-08_16-56-39.zip

[jikuja]

For me #7555 gave really good pointers for fixing the issue.

Fixes that works for me:

• Disabling defender for public profile fixes DNS issue
• or removal of vEthernet(WSL) network connection on public profile settings also fixes the DNS issue

I cannot recommend either of those to anyone because the first solution just breaks security and the second one might open some vulnerabilites.

[AlexHunterCodes]

My vEthernet (WSL) connection on a fresh Windows 11 install came with a Public profile too. I normally have "Blocks all incoming connections, including those in the list of allowed apps" enabled in the Windows Defender Firewall for untrusted networks, but I had to disable it to fix DNS resolution in WSL2.

The WSL2 Hyper-V virutal switch is an internal one and is not shared with your host adapter, so theoretically it shouldn't be a security issue for this network to be assigned a Private profile instead of a Public one.

That said, I don't see how I can change it since the adapter doesn't show up in Network and Sharing Centre or Settings, and it doesn't show up in the registry (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles) either.

[BtbN]

Can you change it via Set-NetConnectionProfile in an elevated PowerShell prompt?

[slonopotamus]

@jasonyang-ee try this: #8365 (comment)

Upd: oh, I misread your comment. I thought you disabled firewall, but you instead kept it enabled while resetting its settings to default. Cool that it helped.

[grrava]

I just reinstalled Ubuntu and now it works... Made no changes to anything else so I guess something got fixed?

[craigloewen-msft]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

[matkozak]

Hi @craigloewen-msft,

This news is much appreciated. Will these features be eventually supported in Windows 10 as well?

[wtrewby]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.
(from #8365 (comment))

Upgrading to pre-release version and adding the experimental networking mode sorted this out for me - thanks!

[kochinc]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

Thank you. Now I don't have to turn off the firewall for WSL2 to resolve names. I recalled there were only lo and eth0 listed with 'ip addr' command. After the pre-release update, 'ip addr' command shows all network interfaces including Wi-Fi and VPNs.

[craigloewen-msft]

These new networking features are now available on the latest version of Win11 22H2!

@matkozak this work is currently not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

[slonopotamus]

According to that page, KB5031354 has absolutely nothing to do with WSL2.

[hack3rman]

Confirmed KB5031354 fixed the WSL2 DNS issue for me.

[Kyle2142]

Just in case it helps anyone, I had previously used the generateResolvConf = false config and after backup/restore to a different windows installation, it seems like it broke. Disabling this re-created /etc/resolv.conf (why did I have /wsl/resolv.conf?) and made DNS work again. Win11 not having the adapter listed threw me off though

[amadeann]

This may be completely unrelated, but maybe it works for some people (worked for me). I am using NordVPN, and with the "Stay invisible on LAN" setting ON, I get "Temporary failure in name resolution" error. When I switch if off, things work as expected. So if other solutions don't work for you, and you're using a VPN (NordVPN or other), you may try and debug issues on that end.

[slonopotamus]

"Stay invisible on LAN"

This is just a fancy way to say "we'll inject random rules in your system firewall and break things". Absolutely identical to block-outside-dns OpenVPN option.

[keith-horton]

Sorry for the DNS issues. We have updated our troubleshooting documentation with Firewall configuration compatibility issues, and a workaround for an OS bug. https://github.com/MicrosoftDocs/WSL/blob/main/WSL/troubleshooting.md#troubleshooting-dns-in-wsl

It has suggestions for various VPNs as well.

[j0nimost]

My real challenge was that /etc/resolv.conf was a link file pointing to /mnt/wsl/resolv.conf. I deleted the file link
you can check if it is a link using this (#4285 (comment))

Run:
$ ls -la /etc/resolv.conf
if you see an output like this:
lrwxrwxrwx 1 root root 20 Dec 14 16:08 /etc/resolv.conf -> /mnt/wsl/resolv.conf

It's a link file you can resolve this issue using the following steps

• Delete the link sudo rm /etc/resolv.conf
• Recreate the file sudo touch /etc/resolv.conf
• Open editor of choice; I used nano sudo nano /etc/resolv.conf
• Add the following

# [network]
# generateResolvConf = false
nameserver 1.1.1.1 # Cloudflare public DNS

• Exit and Save and you should have an internet connection

Unfortunately, this solution is not sticky. You have to redo it every time WSL2 looses connection.

[bpohoriletz]

if none of above worked for you check if DNS resolution works with TCP with
dig +tcp google.com
if it does - follow this answer to force DNS via TCP and see if it solved the issue with
ping google.com. Use ping not dig since dig ignores options

[supahfox]

I'm having the same issue
These are my logs WslLogs-2024-01-31_12-05-41.zip

WSL version: 2.0.14.0
Kernel version: 5.15.133.1-1

[asunekants]

These new networking features are now available on the latest version of Win11 22H2!

@matkozak this work is currently not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

Is it at all possible to reconsider this decision?
I'm struggling with this issue in a corporate environment that at the moment is restricted to Windows 10 for a regulatory reason that I don't quite understand, and having this on Windows 10 would make my life a lot easier;
I'm certain that I'm not alone in that.

Thank you very much!

[gtedavid]

Hi, I don't know if this helps on this issue, because it seems to be happening to quite a few people and I wanted to avoid opening an issue just for this, as I have found a temporary workaround.

https://gist.github.com/coltenkrauter/608cfe02319ce60facd76373249b8ca6?permalink_comment_id=5017885#gistcomment-5017885
I unfortunately don't know what was the configuration of /etc/resolve.conf before the issue appeared

I may have a VPN (paid licence), but it isn't used that often - unknown if that played a role in the DNS resolution failing