Problems with DNS on macOS with Socket Filter #439

Open
uwej711 opened this issue Dec 14, 2024 · 0 comments
Comments

uwej711 commented Dec 14, 2024

We use lima on macOS for virtual machines and ran into problems with DNS with the latest version of lima (1.0.2), which uses gvisor-tap-vsock 0.8.1. The problem is that our VPN software installs a socket filter as a DNS proxy. In the virtual machine, DNS resolution fails as long as the socket filter is active. I tried a few things and found out that the issue only happens when using UDP; TCP was fine.
In the end it looks like the actual implementation here in https://github.com/containers/gvisor-tap-vsock/blob/main/pkg/services/dns/dns.go#L150 is basically too fast for that socket filter. With a simple Go program that just does a DNS query with client.Exchange I can reproduce the behavior. DNS resolution works with the socket filter if there is a short delay between opening the connection and sending the request:

This works:

```go
conn, err := client.Dial(nameserver)            // open the UDP socket first
time.Sleep(200 * time.Microsecond)              // short pause before the first write
r, _, err := client.ExchangeWithConn(msg, conn) // then send the query on that socket
```

but this does not

```go
r, _, err := client.Exchange(msg, nameserver) // dials and writes immediately
```

I understand that the actual problem might be with the socket filter and maybe macOS, and I will try to address this with the vendor of the VPN software, but I also wonder if we could add a change like this to your code base ...
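A standard-library-only reproducer of the two code paths discussed above, added here as an example and not code from the issue or from gvisor-tap-vsock: it hand-packs one A query, dials the resolver, optionally sleeps, and sends the query over UDP or TCP, so the "immediate send" and "delayed send" cases can be compared without the miekg/dns dependency. The resolver address 127.0.0.1:53, the query name and the transaction id 0x1234 are placeholders.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
	"time"
)
// buildQuery hand-packs a minimal A-record question (RD set) in DNS wire format.
func buildQuery(id uint16, name string) []byte {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: recursion desired
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

// query dials the transport, waits delay, sends one question and returns the raw
// reply. delay=0 mirrors Client.Exchange; a short delay mirrors the workaround.
func query(network, nameserver, name string, delay time.Duration) ([]byte, error) {
	conn, err := net.DialTimeout(network, nameserver, 2*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(2 * time.Second)) // a dropped query becomes a timeout
	time.Sleep(delay)
	q := buildQuery(0x1234, name)
	if network == "tcp" { // DNS over TCP prefixes each message with a 2-byte length
		q = append([]byte{byte(len(q) >> 8), byte(len(q))}, q...)
	}
	if _, err := conn.Write(q); err != nil {
		return nil, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	return buf[:n], err
}
func main() {
	ns := "127.0.0.1:53" // placeholder: use the resolver the VM actually talks to
	for _, d := range []time.Duration{0, 200 * time.Microsecond} {
		_, err := query("udp", ns, "example.com.", d)
		fmt.Printf("udp delay=%v err=%v\n", d, err)
	}
}
```

Run it inside the VM with the socket filter active; if the zero-delay UDP call times out while the delayed one answers, the timing sensitivity described above is confirmed, and `query("tcp", ...)` gives the TCP comparison.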
