
vault cli don't use alternative DNS resolver #11361

Closed
T0bl opened this issue Apr 15, 2021 · 4 comments
Labels
bug Used to indicate a potential bug core Issues and Pull-Requests specific to Vault Core

Comments

@T0bl

T0bl commented Apr 15, 2021

Describe the bug
The Vault CLI doesn't use the alternative DNS server for a specific domain.

To Reproduce

scutil --dns
DNS configuration

resolver #1
  search domain[0] : example.com
  search domain[1] : fritz.box
  nameserver[0] : 192.168.2.1
  if_index : 7 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : example.com
  nameserver[0] : 10.10.0.84
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101000

...

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : fritz.box
  nameserver[0] : 192.168.2.1
  if_index : 7 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

vault login
Token (will be hidden):
Error authenticating: error looking up token: Get "https://vault.example.com/v1/auth/token/lookup-self": dial tcp: lookup vault.example.com on 192.168.2.1:53: no such host

Expected behavior
The Vault CLI should use the alternative DNS server like all other tools (ping/curl vault.example.com work fine).

Environment:

  • Vault CLI Version (retrieve with vault version): Vault v1.7.0 ('4e222b85c40a810b74400ee3c54449479e32bb9f+CHANGES')
  • Server Operating System/Architecture: macOS 11.2.3 (20D91)

Additional context
If I set the alternative resolver as primary, everything works fine.

@sgmiller
Collaborator

sgmiller commented May 3, 2021

I may be mistaken, but wouldn't the second resolver only be consulted if the first can't respond? See https://apple.stackexchange.com/questions/157245/why-wont-os-x-query-multiple-dns-servers

Can you verify that ping does what you expect when that config is in place?

@T0bl
Author

T0bl commented May 6, 2021

Yes, it works. I followed this article and everything except "vault cli" works great.

vault login
Token (will be hidden):
Error authenticating: error looking up token: Get "https://vault.example.com/v1/auth/token/lookup-self": dial tcp: lookup vault.example.com on 192.168.2.1:53: no such host

curl -I vault.example.com
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://vault.example.com/

ping vault.example.com
PING vault.example.com (10.10.0.51): 56 data bytes
64 bytes from 10.10.0.51: icmp_seq=0 ttl=62 time=25.923 ms
^C
--- vault.example.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 25.923/25.923/25.923/0.000 ms

Is the vault cli using the "/etc/resolv.conf" instead of the whole entries of the scutil configuration?
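The question above is answerable with a small diagnostic. The following Go program is an added example, not code from this issue or from Vault: it parses `scutil --dns` output in the format shown in the report, parses a resolv.conf, and reports which server the system resolver would pick for a name versus the server a client that reads only /etc/resolv.conf would use. The sample inputs are constructed from the configuration in the report; on macOS /etc/resolv.conf lists only the default resolver, not the supplemental per-domain ones. The selection rule in `SystemServerFor` (longest matching `domain` entry wins) is a simplification assumed by this example, not a specification of the macOS resolver.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Resolver is one "resolver #N" stanza of `scutil --dns` output.
type Resolver struct {
	Domain      string   // "domain :" value; empty for the default resolver
	Nameservers []string // "nameserver[i] :" values
}

// ParseScutilDNS parses the unscoped "DNS configuration" section of `scutil --dns`
// and stops at the "(for scoped queries)" section, which only applies to
// interface-scoped lookups.
func ParseScutilDNS(out string) []Resolver {
	var rs []Resolver
	var cur *Resolver
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "DNS configuration (for scoped queries)") {
			break
		}
		if strings.HasPrefix(line, "resolver #") {
			if cur != nil {
				rs = append(rs, *cur)
			}
			cur = &Resolver{} // the "resolver #N" line itself has no "key : value" part
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || cur == nil {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if key == "domain" {
			cur.Domain = val
		} else if strings.HasPrefix(key, "nameserver[") {
			cur.Nameservers = append(cur.Nameservers, val)
		}
	}
	if cur != nil {
		rs = append(rs, *cur)
	}
	return rs
}

// ParseResolvConf returns the nameserver addresses in resolv.conf text: all that
// a client reading only that file ever sees, in the order it will try them.
func ParseResolvConf(conf string) []string {
	var ns []string
	for _, l := range strings.Split(conf, "\n") {
		if f := strings.Fields(l); len(f) >= 2 && f[0] == "nameserver" {
			ns = append(ns, f[1])
		}
	}
	return ns
}

// SystemServerFor is a simplified model (an assumption of this example) of how
// the macOS resolver picks a server: the longest matching "domain" entry wins,
// otherwise the default resolver (no domain). It returns that resolver's first nameserver.
func SystemServerFor(host string, rs []Resolver) string {
	best, bestLen := "", -1
	for _, r := range rs {
		match := r.Domain != "" && (host == r.Domain || strings.HasSuffix(host, "."+r.Domain))
		if len(r.Nameservers) > 0 && ((r.Domain == "" && bestLen < 0) || (match && len(r.Domain) > bestLen)) {
			best, bestLen = r.Nameservers[0], len(r.Domain)
		}
	}
	return best
}

// Constructed sample inputs, modelled on the configuration in the report.
const sampleScutil = `DNS configuration

resolver #1
  search domain[0] : example.com
  nameserver[0] : 192.168.2.1
  flags    : Request A records

resolver #2
  domain   : example.com
  nameserver[0] : 10.10.0.84
  flags    : Supplemental, Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.2.1
`

const sampleResolvConf = "search example.com\nnameserver 192.168.2.1\n"

func main() {
	rs, ns := ParseScutilDNS(sampleScutil), ParseResolvConf(sampleResolvConf)
	for _, h := range []string{"vault.example.com", "host.fritz.box"} {
		// A resolv.conf-only client sends every name to ns[0], whatever the domain.
		fmt.Printf("%s: system resolver -> %s, resolv.conf-only client -> %s\n", h, SystemServerFor(h, rs), ns[0])
	}
}
```

For vault.example.com the two columns differ (10.10.0.84 versus 192.168.2.1), which is exactly the split seen in the report: ping and curl go through the system resolver, while a client that only reads /etc/resolv.conf asks 192.168.2.1 and gets "no such host". Go programs have two resolvers: the pure-Go one reads /etc/resolv.conf, while the cgo one calls the platform's getaddrinfo, which on macOS honours the full scutil configuration. In a Go binary built with cgo, `GODEBUG=netdns=cgo+1` forces the cgo resolver and logs the choice, which is a quick way to confirm whether resolver selection is the cause for a given build.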

@sgmiller
Collaborator

Interesting. Will dig deeper.

@sgmiller sgmiller added bug Used to indicate a potential bug core Issues and Pull-Requests specific to Vault Core labels May 10, 2021
@ncabatoff
Collaborator

Hi @T0bl,

Thanks for reporting this.

I'm going to close this as a duplicate of #12012. Usually I prefer to close the newer bug, but in this case that one has more current information.
