-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNS resolution issues when connected to OpenVPN #12012
Comments
Hi @esp1, Thanks for reporting this. I could be wrong, but I don't think we control the Vault build in homebrew, unless you use our own tap: https://github.com/hashicorp/homebrew-tap Regardless, from what I understand you would have the same issue with our official binaries, because we don't build them on MacOS, we cross-compile them on Linux. This means they don't include the MacOS resolver bits you need. The good news is that there's a plan in the works to change this. I don't have a timeline, but the design doc was circulating internally just this week, so I don't think it's that far off. |
@esp1 I checked in with our release engineering team, and they're going to be addressing this issue as part of an effort that should be landing sometime around September. This may not be the exact time it lands, but it's definitely coming. :) |
Thanks for the reply @hsimon-hashicorp, genuinely. Have been fighting this issue for months, maybe longer. Good to know it's getting worked. As @esp1 notes, we've seen this in Terraform. It's something to do with the underlying Go stock DNS library. It yells YOLO at the mDNS resolver, figures out what upstream DNS server mDNS would use, and calls it directly. I can't even get That mostly works until the AWS load balancer, whose IP address is now hardcoded into PiHole (or |
@rjhornsby That sounds like a pain, to be sure. I'll keep an eye on this one, and please feel free to come along and bump it as you need. |
@hsimon-hashicorp Is there any news from the release engineering team regarding when a fix will land? |
Just went through another round of "...why isn't DNS resolution behaving properly? wait ... why does it seem to be vault and consul specifically having issues?" before vaguely remembering this bug. Any progress by chance? |
Yes! I think we neglected to include this in the changelog, but the latest releases should include the fix for this, as per #13728. I'll see about updating CHANGELOG. |
Fixed in #13728. |
I'm not sure if I'm doing something wrong, but this doesn't seem to be fixed:
However, immediately following up,
For the cURL to get a redirect like that, it has to use the VPN dns and go through the VPN tunnel because vault is not on the interwebs. This suggests that the problem is in the vault binary itself, not with the network or the VPN configuration. I've tried both vault 1.9.3 (homebrew) and compiling my own locally using [1] go v1.17.6 produces |
Note that we don't control the default homebrew vault, though we do have a homebrew tap: https://github.com/hashicorp/homebrew-tap Compiling your own locally the way we do would use Or you could go to https://releases.hashicorp.com/vault/1.9.3/. |
thanks for the feedback. that helps me understand what's going on. I tried using both the tap and - to be sure - grabbing the same binary(?) directly from https://releases.hashicorp.com/vault/1.9.3/, but got the same failed DNS results for both. However, looking at the build fragment you linked, I was able to compile 1.10 from master like so:
and that ... worked. Name resolution does what it is expected. This also works for the It seems that while reading through all the different threads One of the things I did notice is that on mine I get
|
We don't want to set CGO_ENABLED=1 as that has a bunch of consequences. The fact that you have Re-opening since it sounds like our fix didn't work. |
I went back and checked, and I think you're right about my having |
I was under the impression that it was possible to get proper DNS lookups on darwin using CGO_ENABLED=0 and |
@ncabatoff I left a comment on your PR, |
Adding a link to this comment regarding cross-compilation for ARM64 from AMD64 on macOS CI: golang/go#12524 (comment) |
It appears that this is having issues again. |
The binaries distributed by Hashicorp and the ones installed by Homebrew all have this issue on the latest versions (v1.12.0). When building myself from source (not cross-compiling), the issue persists:
When following the workaround mentioned above (this one), the issue is resolved:
Note that a quick way to see if the issue will manifest, at least on my system when not cross-compiling, is to check for the presence of
|
Same here with Installed via brew on an Mac Mini m1 ( macOS 13.0.1 ) |
The version installed from home-brew is once again failing to resolve correctly:
|
@archoversight, confirmed. Also made sure I got vault from the hashicorp tap.
For now, I get vault working by maintaining a static DNS entry in the local DNS server (192.168.3.7) but that's brittle obviously. |
Look like the same issue
But Consul and Nomad work with the same setup
|
This is still happening with
|
Vault 1.13 is going to use Go 1.20, which should allow for an easy fix. I suspect it won't be fixed in 1.13.0 (though maybe?), but I aim to address it by 1.13.1 at least. |
Going by
I've checked and it seems that we're good now:
Would one of the impacted people above care to verify this in their environments? |
Describe the bug
The
vault
command line tool does not resolve VPN hosts when connected to OpenVPN. Note that OpenVPN is configured with a split DNS setup and does not modify/etc/resolv.conf
to add in nameservers for VPN hosts.To Reproduce
Steps to reproduce the behavior:
env VAULT_ADDR=https://internal.vpn.host vault login -method=ldap username=edwin
Error authenticating: Put "https://internal.vpn.host/v1/auth/ldap/login/edwin": dial tcp: lookup vault.prod.factual.com on 192.168.1.1:53: no such host
Expected behavior
Should see message
Success! You are now authenticated.
Environment:
vault status
): 1.4.2vault version
): v1.7.3 ('5d517c864c8f10385bf65627891bc7ef55f5e827+CHANGES')Additional context
I am experiencing this issue on the above version of
vault
CLI installed via homebrew on a Mac.I believe this is due to the same issue as hashicorp/terraform#3536 that was fixed in hashicorp/terraform#5925. The problem and solution are summarized in hashicorp/terraform#3536 (comment):
I am able to work around this issue by manually editing
/etc/resolv.conf
to use the VPN nameservers, or by putting the IP address of the vault server into/etc/hosts
.The text was updated successfully, but these errors were encountered: