DNS server mixes AUTHORITY/ADDITIONAL section into ANSWER section while responding to queries

[Neurone]

Environment

Windows build number: Microsoft Windows [Version 10.0.19041.450]
Your Distribution version: Ubuntu 18.04
Whether the issue is on WSL 2 and/or WSL 1: WSL2 Linux version 4.19.104-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Feb 19 06:37:35 UTC 2020

Steps to reproduce

Query the TXT record of a domain, for example:

➜  ~ dig txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt ultradns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17666
;; flags: qr rd ad; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           0       IN      TXT     "MS=ms21611534"
ultradns.com.           0       IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="
ultradns.com.           0       IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           0       IN      TXT     "Security Issues Contact: 1-650-228-2391"
ari.beta.aridns.net.au. 0       IN      A       37.209.194.2
ari.alpha.aridns.net.au. 0      IN      A       37.209.192.2
ari.delta.aridns.net.au. 0      IN      A       37.209.198.2
ari.gamma.aridns.net.au. 0      IN      A       37.209.196.2
pdns196.ultradns.co.uk. 0       IN      A       156.154.69.196
pdns196.ultradns.com.   0       IN      A       156.154.64.196
pdns196.ultradns.org.   0       IN      A       156.154.67.196
pdns196.ultradns.info.  0       IN      A       156.154.68.196
ari.beta.aridns.net.au. 0       IN      AAAA    2001:dcd:2::2
ari.alpha.aridns.net.au. 0      IN      AAAA    2001:dcd:1::2
ari.delta.aridns.net.au. 0      IN      AAAA    2001:dcd:4::2
ari.gamma.aridns.net.au. 0      IN      AAAA    2001:dcd:3::2
pdns196.ultradns.co.uk. 0       IN      AAAA    2610:a1:1017::e8
pdns196.ultradns.biz.   0       IN      AAAA    2610:a1:1015::e8
pdns196.ultradns.com.   0       IN      AAAA    2001:502:f3ff::e8
pdns196.ultradns.net.   0       IN      AAAA    2610:a1:1014::e8
pdns196.ultradns.org.   0       IN      AAAA    2001:502:4612::e8
pdns196.ultradns.info.  0       IN      AAAA    2610:a1:1016::e8

;; Query time: 0 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 10:56:19 CEST 2020
;; MSG SIZE  rcvd: 1117

➜  ~ dig txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               0       IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               0       IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               0       IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
dns1.p09.nsone.net.     0       IN      A       198.51.44.9
dns2.p09.nsone.net.     0       IN      A       198.51.45.9
dns3.p09.nsone.net.     0       IN      A       198.51.44.73
dns4.p09.nsone.net.     0       IN      A       198.51.45.73

;; Query time: 70 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 02:12:06 CEST 2020
;; MSG SIZE  rcvd: 359

Please note that DNS server 192.168.16.1 comes from the Hyper-V Virtual Network Adapter and it is dynamically and automatically configured by WSL/ICS/Windows, so the exact DNS server's IP changes every time Windows restarts.

➜  ~ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver 192.168.16.1

Here the link to the collected log and feedback item: https://aka.ms/AA9dnzo

Expected behavior

Correct DNS response like the examples below, where the ANSWER section contains only the ANSWER section and not also some info from the AUTHORITY/ADDITIONAL sections.

The following query is done using the current authoritative DNS server for ultradns.com

➜  ~ dig @pdns196.ultradns.com txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @pdns196.ultradns.com txt ultradns.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61852
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 10, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           300     IN      TXT     "MS=ms21611534"
ultradns.com.           300     IN      TXT     "Security Issues Contact: 1-650-228-2391"
ultradns.com.           300     IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           300     IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="

;; AUTHORITY SECTION:
ultradns.com.           3600    IN      NS      pdns196.ultradns.biz.
ultradns.com.           3600    IN      NS      pdns196.ultradns.co.uk.
ultradns.com.           3600    IN      NS      pdns196.ultradns.org.
ultradns.com.           3600    IN      NS      pdns196.ultradns.com.
ultradns.com.           3600    IN      NS      pdns196.ultradns.info.
ultradns.com.           3600    IN      NS      pdns196.ultradns.net.
ultradns.com.           3600    IN      NS      ari.beta.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.gamma.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.alpha.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.delta.aridns.net.au.

;; Query time: 25 msec
;; SERVER: 156.154.64.196#53(156.154.64.196)
;; WHEN: Tue Aug 25 10:51:48 CEST 2020
;; MSG SIZE  rcvd: 623

The following query is done using my ISP's DNS.

➜  ~ dig @192.168.1.254 txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @192.168.1.254 txt bing.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23185
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c07dcc091ba95b504d06372d5f44576986e68d091921e2ec (good)
;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               3600    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               3600    IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
bing.com.               3600    IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"

;; AUTHORITY SECTION:
bing.com.               127543  IN      NS      dns2.p09.nsone.net.
bing.com.               127543  IN      NS      ns4-204.azure-dns.info.
bing.com.               127543  IN      NS      ns1-204.azure-dns.com.
bing.com.               127543  IN      NS      dns4.p09.nsone.net.
bing.com.               127543  IN      NS      ns2-204.azure-dns.net.
bing.com.               127543  IN      NS      dns3.p09.nsone.net.
bing.com.               127543  IN      NS      ns3-204.azure-dns.org.
bing.com.               127543  IN      NS      dns1.p09.nsone.net.

;; ADDITIONAL SECTION:
dns1.p09.nsone.net.     25148   IN      A       198.51.44.9
dns2.p09.nsone.net.     25148   IN      A       198.51.45.9
dns3.p09.nsone.net.     25160   IN      A       198.51.44.73
dns4.p09.nsone.net.     25160   IN      A       198.51.45.73
ns1-204.azure-dns.com.  343     IN      A       40.90.4.204
ns2-204.azure-dns.net.  937     IN      A       64.4.48.204
ns3-204.azure-dns.org.  2681    IN      A       13.107.24.204
ns4-204.azure-dns.info. 343     IN      A       13.107.160.204
dns1.p09.nsone.net.     25148   IN      AAAA    2620:4d:4000:6259:7::9
dns2.p09.nsone.net.     25148   IN      AAAA    2a00:edc0:6259:7::9
dns3.p09.nsone.net.     25160   IN      AAAA    2620:4d:4000:6259:7::90
dns4.p09.nsone.net.     25160   IN      AAAA    2a00:edc0:6259:7::90
ns1-204.azure-dns.com.  343     IN      AAAA    2603:1061::cc
ns2-204.azure-dns.net.  937     IN      AAAA    2620:1ec:8ec::cc
ns3-204.azure-dns.org.  2681    IN      AAAA    2a01:111:4000::cc
ns4-204.azure-dns.info. 343     IN      AAAA    2620:1ec:bda::cc

;; Query time: 23 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Aug 25 02:12:26 CEST 2020
;; MSG SIZE  rcvd: 830

The following query is done using Google's public DNS server.

➜  ~ dig @8.8.8.8 txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @8.8.8.8 txt bing.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60678
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               3599    IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               3599    IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
bing.com.               3599    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"

;; Query time: 37 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Aug 25 02:15:13 CEST 2020
;; MSG SIZE  rcvd: 226

Actual behavior

➜  ~ dig txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               0       IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               0       IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               0       IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
dns1.p09.nsone.net.     0       IN      A       198.51.44.9
dns2.p09.nsone.net.     0       IN      A       198.51.45.9
dns3.p09.nsone.net.     0       IN      A       198.51.44.73
dns4.p09.nsone.net.     0       IN      A       198.51.45.73

;; Query time: 70 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 02:12:06 CEST 2020
;; MSG SIZE  rcvd: 359

➜  ~ dig txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt ultradns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17666
;; flags: qr rd ad; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           0       IN      TXT     "MS=ms21611534"
ultradns.com.           0       IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="
ultradns.com.           0       IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           0       IN      TXT     "Security Issues Contact: 1-650-228-2391"
ari.beta.aridns.net.au. 0       IN      A       37.209.194.2
ari.alpha.aridns.net.au. 0      IN      A       37.209.192.2
ari.delta.aridns.net.au. 0      IN      A       37.209.198.2
ari.gamma.aridns.net.au. 0      IN      A       37.209.196.2
pdns196.ultradns.co.uk. 0       IN      A       156.154.69.196
pdns196.ultradns.com.   0       IN      A       156.154.64.196
pdns196.ultradns.org.   0       IN      A       156.154.67.196
pdns196.ultradns.info.  0       IN      A       156.154.68.196
ari.beta.aridns.net.au. 0       IN      AAAA    2001:dcd:2::2
ari.alpha.aridns.net.au. 0      IN      AAAA    2001:dcd:1::2
ari.delta.aridns.net.au. 0      IN      AAAA    2001:dcd:4::2
ari.gamma.aridns.net.au. 0      IN      AAAA    2001:dcd:3::2
pdns196.ultradns.co.uk. 0       IN      AAAA    2610:a1:1017::e8
pdns196.ultradns.biz.   0       IN      AAAA    2610:a1:1015::e8
pdns196.ultradns.com.   0       IN      AAAA    2001:502:f3ff::e8
pdns196.ultradns.net.   0       IN      AAAA    2610:a1:1014::e8
pdns196.ultradns.org.   0       IN      AAAA    2001:502:4612::e8
pdns196.ultradns.info.  0       IN      AAAA    2610:a1:1016::e8

;; Query time: 0 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 10:56:19 CEST 2020
;; MSG SIZE  rcvd: 1117

Info from the AUTHORITY/ADDITIONAL sections are mixed in the ANSWER section: this behaviour currently creates issues to other programs that need to process the answer.

For example, in this issue geth cannot unmarshal the DNS message because it's greater then 512 bytes.

Geth is written in go, and go DNS client follows the RFC 1035 specification. This specification states that via UDP the maximum allowed message size is 512 bytes.

The program works fine with all other DNS servers because ANSWER configured in the DNS server is correctly less then 512 bytes, but it fails with WSL that - with the addition of other information - creates an ANSWER section too big.

This strange behavior potentially impacts every RFC 1035 compliant library, and at least it impatcs every program written in go-lang and that uses the native DNS client library.

As a final note, I don't know if it is related to the same problem or if it can provide some clues, you can also notice a warning message appearing at the beginning of the DNS response:

;; WARNING: recursion requested but not available

[therealkenc]

Thanks for the detailed report. I can't repro here, but I am pretty sure that's only because my ISP isn't coughing up any AUTHORITY/ADDITIONAL upstream. Please collect logs and backlink the feedback item. Your analysis looks awfully sound on its own merits, but having traces for the devs to look at is better than not.

[Neurone]

Sure. I updated the issue adding a query to an authoritative DNS - so you can see by your own even if your ISP does not act like mine - and I added the link to the feedback item. I also updated the new IP of the resolver (now 192.168.16.1) to reflect the recording of the feeedback.

[timriker]

This happens for me too. Any fix in the works? This gets in the way of DNS administration.

This happens for zones that are authoritative for your upstream DNS server. I see it on VPN for the office, but not when I'm not on VPN.

[florentchauveau]

This is still happening with build 10.0.19042.610.

Really surprised to see so few people affected by this.

The "ADDITIONAL SECTION" is added to the "ANSWER SECTION". This makes things really bad when you are managing thousands of targets with Ansible...

[boogie-byte]

I am affected by this issue as well.

Windows build number: 10.0.19042.685
Your Distribution version: Ubuntu 20.04
Whether the issue is on WSL 2 and/or WSL 1: WSL2 Linux version 4.19.104-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Feb 19 06:37:35 UTC 2020

[timriker]

Thanks for the detailed report. I can't repro here, but I am pretty sure that's only because my ISP isn't coughing up any AUTHORITY/ADDITIONAL upstream. Please collect logs and backlink the feedback item. Your analysis looks awfully sound on its own merits, but having traces for the devs to look at is better than not.

You should be able to reproduce this by pointing your windows DNS server(s) to servers that are authoritative for something instead of to your default ISP servers or public servers like google. I don't know of any public servers off hand that are both authoritative AND allow recursive lookups. This, however, is common for corporate DNS servers when on VPN connections. Often the company DNS servers handle internal non-routable names for the company domain as well as recursing requests for external domains.

[b-diggity]

I have this issue as well! It commonly affects Terraform. When doing a packet capture, I can see the NS records for the lookup of registry.terraform.io being returned in the answer section. Then I see terraform making its request for the url using a NS record IP and not the actual site IP because the NS records were returned incorrectly. Please help!

Here is the DNS response coming into my PC:

Here is the DNS response coming into my WSL:

[billchenchina]

Thank you guys all,

I've tested on Hyper-V, and I also encountered this problem. I doubt this is problem with the Hyper-V's DNS server.

Should anyone with WSL 1 test if this problem exists?

/cc @therealkenc

[billchenchina]

Thank you guys all,

I've tested on Hyper-V, and I also encountered this problem. I doubt this is problem with the Hyper-V's DNS server.

Should anyone with WSL 1 test if this problem exists?

/cc @therealkenc

Quick update: our university's DNS provides AUTHORITY SECTION and ADDITIONAL SECTION in response.

[b-diggity]

The issue does not appear to affect WSLv1.

[timriker]

It did affect me back when I was running WSLv1. I've not been running v1 for a while now.

The issue only happens if the upstream DNS server is providing authoritative/additional records. In this case the ADDITIONAL records are merged in to the reply, but I don't see any AUTHORITY records getting merged.

$ dig www.churchofjesuschrist.org @172.27.16.1

; <<>> DiG 9.16.1-Ubuntu <<>> www.churchofjesuschrist.org @172.27.16.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30030
;; flags: qr rd ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.churchofjesuschrist.org.   IN      A

;; ANSWER SECTION:
www.churchofjesuschrist.org. 0  IN      CNAME   www.churchofjesuschrist.org.edgekey.net.
www.churchofjesuschrist.org.edgekey.net. 0 IN CNAME e15515.dsca.akamaiedge.net.
e15515.dsca.akamaiedge.net. 0   IN      A       23.50.233.88
e15515.dsca.akamaiedge.net. 0   IN      A       23.50.233.69
n0dsca.akamaiedge.net.  0       IN      A       88.221.81.192
n7dsca.akamaiedge.net.  0       IN      A       184.50.88.125
n6dsca.akamaiedge.net.  0       IN      A       104.124.1.39
n3dsca.akamaiedge.net.  0       IN      A       184.28.219.181
n5dsca.akamaiedge.net.  0       IN      A       23.66.122.5
n4dsca.akamaiedge.net.  0       IN      A       184.28.219.46
n2dsca.akamaiedge.net.  0       IN      A       23.66.122.47
n1dsca.akamaiedge.net.  0       IN      A       23.66.122.29
n0dsca.akamaiedge.net.  0       IN      AAAA    2600:1480:e800::c0

;; Query time: 20 msec
;; SERVER: 172.27.16.1#53(172.27.16.1)
;; WHEN: Mon Sep 27 11:30:21 MDT 2021
;; MSG SIZE  rcvd: 607

Why is this taking so long to fix? This is obvious incorrect behavior. Is the source the the DNS proxy available so we can submit a patch?

[digininja]

I agree, it definitely seems like something significant enough that it should not still be dragging on after this long.

[bernardmaltais]

This is causing an issue with terraform in WSL2. Can you please fix this?

[vladimir-shopov]

More and more programs used in WSL2 stop working - Helm and Terraform, just to name a few. Can somebody take this bug seriously?

[martinbalint]

As a quick workaround, use cloudflare or similar resolver.

Modify /etc/resolv.conf to
nameserver 1.1.1.1

For VPN or private zones, use appropriate DNS server.

[indispeq]

👍 to fix this, it is breaking Terraform usage on WSL2.

[timriker]

This looks like it's an issue with the Hyper-V DNS resolver. Has this been reported to the Hyper-V team? I see similar behavior in other Hyper-V VMs.

[tbarbette]

Affected too

[tmill15]

I've solved all issues regarding DNS and VPN using this tool: https://github.com/sakai135/wsl-vpnkit

[SouvickDutta]

Affected too

[bobvandevijver]

I have posted this issue in the Windows Feedback hub under Hyper-V, so make sure to upvote it: https://aka.ms/AAlwtcs (in the hope it helps).

[zollo]

Confirmed to be an issue on my end, all DNS queries include root servers:

(.venv) zollo@ws-zollo1:~$ nslookup apple.com
Server:         172.20.176.1
Address:        172.20.176.1#53

Non-authoritative answer:
Name:   apple.com
Address: 17.253.144.10
Name:   l.root-servers.net
Address: 199.7.83.42
Name:   k.root-servers.net
Address: 193.0.14.129
Name:   e.root-servers.net
Address: 192.203.230.10
Name:   f.root-servers.net
Address: 192.5.5.241
Name:   a.root-servers.net
Address: 198.41.0.4
Name:   c.root-servers.net
Address: 192.33.4.12
Name:   d.root-servers.net
Address: 199.7.91.13
Name:   g.root-servers.net
Address: 192.112.36.4
Name:   b.root-servers.net
Address: 199.9.14.201
Name:   i.root-servers.net
Address: 192.36.148.17
Name:   j.root-servers.net
Address: 192.58.128.30
Name:   m.root-servers.net
Address: 202.12.27.33
Name:   apple.com
Address: 2620:149:af0::10
Name:   l.root-servers.net
Address: 199.7.83.42
Name:   k.root-servers.net
Address: 193.0.14.129
Name:   e.root-servers.net
Address: 192.203.230.10
Name:   f.root-servers.net
Address: 192.5.5.241
Name:   a.root-servers.net
Address: 198.41.0.4
Name:   c.root-servers.net
Address: 192.33.4.12
Name:   d.root-servers.net
Address: 199.7.91.13
Name:   g.root-servers.net
Address: 192.112.36.4
Name:   b.root-servers.net
Address: 199.9.14.201
Name:   i.root-servers.net
Address: 192.36.148.17
Name:   j.root-servers.net
Address: 192.58.128.30
Name:   m.root-servers.net
Address: 202.12.27.33

WSL version: 1.2.5.0
Kernel version: 5.15.90.1
WSLg version: 1.0.51
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.2134

[digininja]

How can something this fundamental still be an issue three years after it was first reported.

Every other OS, even Vista, managed to do DNS correctly.

[mgkuhn]

How can something this fundamental still be an issue three years after it was first reported.

Usually this is because the relevant code once belonged to an entirely different product team, which likely has been long disbanded, and as a result that code has become orphaned. Don't forget that some of that code base (Internet Connection Sharing?) is probably more than a quarter century old, and never was intended to serve DNS to a modern Linux environment via WSL. This DNS server/proxy functionality also seems entirely undocumented, so even finding it will be a challenge. Windows NT has lots of "skeletons in the closest", and the code behind this issue is probably one of those. I suggest the best way forward is to find an experienced code archeologist and start decompiling, as even the source code may have been lost.

If you think I'm joking: https://arstechnica.com/gadgets/2017/11/microsoft-patches-equation-editor-flaw-without-fixing-the-source-code/

[ghost]

I'd suggest that this is a bigger issue than Microsoft will give credit for. It essentially makes it impossible to use DNS reliably in some environments, such as the case where a DNS proxy will forward some requests to Azure to take advantage of Azure private DNS. WSL simply cannot resolve some of these private hostnames because of this bug.

[timriker]

This is a Hyper-V issue. Spin up an Hyper-V virtual machine and you will see the exact same bug.

[digininja]

@mgkuhn even given all that, the fact it breaks so much stuff means there should be some priority on getting it fixed, even if it means rebuilding that library from scratch. Three years should be enough to get something done.

[mgkuhn]

This is a Hyper-V issue. Spin up an Hyper-V virtual machine and you will see the exact same bug.

And now test it on a separate Linux box connected to the Internet via Windows' "Internet Connection Sharing", all the way back to Windows 98 SE. Hyper-V may be just another environment affected, not the actual location of that DNS code.

[mgkuhn]

Will the newly announced dnsTunneling option help to circumvent the problem?
https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/#dns-tunneling

[CatalinFetoiu]

Please try enabling "dnsTunneling" and let us know if it fixes the issue. thanks!

[bobvandevijver]

It looks like dnsTunneling (I've combined this with the new mirrored networking mode as well) works like a charm 👍🏻

[digininja]

Is there a write up on how to do this somewhere?

[bobvandevijver]

Well yes, its in this link as posted by @mgkuhn:

Will the newly announced dnsTunneling option help to circumvent the problem? https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/#dns-tunneling

Just make sure to have the latest win11 22H2 feature updates (released yesterday, KB5030310) installed.

[microsoft-github-policy-service]

This issue has been automatically closed since it has not had any activity for the past year. If you're still experiencing this issue please re-file this as a new issue or feature request.

Thank you!

[jrabasco]

I can't believe this is finally fixed, thanks.

[digininja]

I was sceptical as the last message says the issue has been closed due to inactivity, not due to it actually being fixed, but I've just checked and it does appear to have been fixed.

Four years and one day to get DNS working correctly, that is impressively bad going.

[jrabasco]

I am actually not sure anymore, I still see issues on my end ... Tempted to re-open.

[jrabasco]

@digininja What version of windows/wsl are you running?

[digininja]

@jrabasco The box I checked on is Win 11 Home on 23H2 with WSL version 2.2.4.0.

[sknolin]

@jrabasco This was simply closed due to inactivity, nothing's been fixed. There's maybe a workaround with dns tunneling.

[mirabilos]

On Thu, 26 Sep 2024, Jérémy Rabasco wrote: I am actually not sure anymore, I still see issues on my end ... Tempted to re-open.

I cannot test it, I’ve not got access to a recent Windows system any more, it was only for a test project, at work.

[digininja]

@sknolin I've not got DNS tunnelling setup and it is working for me. My original work around was just to run a script that changed resolve.conf to use my network resolver rather than the built in one.

I agree there has been no official fix mentioned, but something has changed that has got it working for me. I imagine that if someone did do an official fix they would be on here shouting about it which suggests it may be accidental.

[mgkuhn]

The dnsTunneling option was enabled by default in March 2024 in https://github.com/microsoft/WSL/releases/tag/2.2.1

[timriker]

This is still an issue. Please reopen.
The issue is in the internal DNS proxy. The same issue manifests inside other Hyper-V containers.

Please open an issue with whoever owns the DNS forwarder in Hyper-V and respond with a link to that issue here.