DNS issues in WSL2

[OneBlue]

Version

Multiple Windows builds are affected

WSL Version

• WSL 2
• WSL 1

This issue is here to merge DNS related issues in WSL2.

Symptoms include:

• DNS resolution failing with Temporary failure in name resolution
• DNS resolution timing out

This issue does not cover scenarios where /etc/resolv.conf is manually edited.

If you're hitting this, please upvote / comment and upload logs

[stijnherreman]

@OneBlue I've posted repro steps in #8236 for one of the causes.

[lbarbaglia]

Hi,
I'm having the exact same issue so I've collected some logs in case it can help:
WslLogs-2022-05-10_16-27-14.zip

Even modifying the /etc/resolv.conf is not working anymore.

[CraigHutchinson]

I am getting this issue on fresh installation of Windows 11 with WSL2 Ubuntu image, really annoying issue!

[WSL] sudo apt update = ... Temporary failure resolving 'archive.ubuntu.com' ...
[WSL] cat /etc/resolv.conf = ... nameserver 172.23.48.1
[WSL] ping 172.23.48.1 = From 172.23.62.236 icmp_seq=3 Destination Host Unreachable
[WSL] ping google.com = ping: google.com: Temporary failure in name resolution
[Windows] ping 172.23.48.1 = Reply from 172.23.48.1: bytes=32 time<1ms TTL=128

Attached are the logs.
WslLogs-2022-05-17_10-17-13.zip

NOTE: ON Windows 11 I got this error when running the capture so they may be incomplete?

[r2evans]

@CraigHutchinson , your comment appears to mimic what I'm seeing, where the problem is somehow in the routing and not just the name resolution. Have you found any workarounds?

[MikaelUmaN]

#4285 was already tracking this. I consider this issue the /dupe #4285

[BtbN]

There were multiple open issues, all about the functionally same issue. Hence, as the initial description says, this exists to merge and declutter them.

[dlaudams]

There were multiple open issues, all about the functionally same issue. Hence, as the initial description says, this exists to merge and declutter them.

If this leads to a fix, this is a great outcome.

However the way it was handled may alienate the community. i.e., closing all the related issues without discussion or a clear reason provided in those issues.

[unowiz]

It might be to do with Windows Defender settings. resolv.conf and wsl.conf based approach didn't work for me.
sudo apt update && sudo apt upgrade worked immediately after I turned off the Private network firewall. Once the update completed, I've put the firewall for private network back on.

On Windows 11, Go to Windows Security (from system tray, right click on Windows Security icon and select "View security dashboard" or simply search for "Firewall and network protection" after you press the windows key). Within the Firewall and network protection page, you should see Domain network (if domain connected), Private network, Public network. Go for the private network an turn it off temporarily as a workaround. Hope this helps.

[Shellishack]

I may have found another way to fix this. Originally I had this problem after using a proxy software. I just edited resolv.conf. It worked well until I realized that I also couldn't ping to Windows from WSL.

For some reason, the vEthernet (WSL) adapter on my PC was treated as a public network. Disabling public firewall or turning off the option "block all incoming connections, including those in the list of allowed applications" in Control Panel fixed everything. I also attempted to change its connection profile to private using PowerShell, but Get-NetConnectionProfile can't even find it while both ipconfig and Get-NetIPconfiguration can display some limited info about it.

[zugazagoitia]

It might be to do with Windows Defender settings. resolv.conf and wsl.conf based approach didn't work for me. sudo apt update && sudo apt upgrade worked immediately after I turned off the Private network firewall. Once the update completed, I've put the firewall for private network back on.

On Windows 11, Go to Windows Security (from system tray, right click on Windows Security icon and select "View security dashboard" or simply search for "Firewall and network protection" after you press the windows key). Within the Firewall and network protection page, you should see Domain network (if domain connected), Private network, Public network. Go for the private network an turn it off temporarily as a workaround. Hope this helps.

This seems to be a fix for me too, Windows Firewall must be blocking DNS queries originating inside the WSL VM from reaching the DNS server at the host.

[Ray-Barker]

Tried to disable Windows Defender Firewall on Windows 10, doesn't help.
Tried manually editing /etc/resolv.conf in my Ubuntu 20.04 WSL2 by adding 8.8.8.8 and 1.1.1.1, it helps, but these servers don't work in our VPN.
What helped me as a workaround was adding my router's IP as a nameserver to resolv.conf since it has DNS server capability.
But I would like a more generalized solution.

[mbwhite]

Windows 10 with Ubuntu 20 in WSL2 : got some reproducible failures today for the first time; and it's confirmed something I've suspected but never been able to prove.. that there might be a connection with running the docker daemon.

Everything is working correctly (as fas as DNS goes), start the docker daemon (just a plain sudo dockerd ) afterwards, the 'temporary failure' error occurs.

Logs attached.
WslLogs-2022-06-08_16-56-39.zip

[jikuja]

For me #7555 gave really good pointers for fixing the issue.

Fixes that works for me:

• Disabling defender for public profile fixes DNS issue
• or removal of vEthernet(WSL) network connection on public profile settings also fixes the DNS issue

I cannot recommend either of those to anyone because the first solution just breaks security and the second one might open some vulnerabilites.

[AlexHunterCodes]

My vEthernet (WSL) connection on a fresh Windows 11 install came with a Public profile too. I normally have "Blocks all incoming connections, including those in the list of allowed apps" enabled in the Windows Defender Firewall for untrusted networks, but I had to disable it to fix DNS resolution in WSL2.

The WSL2 Hyper-V virutal switch is an internal one and is not shared with your host adapter, so theoretically it shouldn't be a security issue for this network to be assigned a Private profile instead of a Public one.

That said, I don't see how I can change it since the adapter doesn't show up in Network and Sharing Centre or Settings, and it doesn't show up in the registry (Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles) either.

[BtbN]

Can you change it via Set-NetConnectionProfile in an elevated PowerShell prompt?

[kochinc]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

Thank you. Now I don't have to turn off the firewall for WSL2 to resolve names. I recalled there were only lo and eth0 listed with 'ip addr' command. After the pre-release update, 'ip addr' command shows all network interfaces including Wi-Fi and VPNs.

[craigloewen-msft]

These new networking features are now available on the latest version of Win11 22H2!

@matkozak this work is currently not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

[slonopotamus]

According to that page, KB5031354 has absolutely nothing to do with WSL2.

[hack3rman]

Confirmed KB5031354 fixed the WSL2 DNS issue for me.

[Kyle2142]

Just in case it helps anyone, I had previously used the generateResolvConf = false config and after backup/restore to a different windows installation, it seems like it broke. Disabling this re-created /etc/resolv.conf (why did I have /wsl/resolv.conf?) and made DNS work again. Win11 not having the adapter listed threw me off though

[amadeann]

This may be completely unrelated, but maybe it works for some people (worked for me). I am using NordVPN, and with the "Stay invisible on LAN" setting ON, I get "Temporary failure in name resolution" error. When I switch if off, things work as expected. So if other solutions don't work for you, and you're using a VPN (NordVPN or other), you may try and debug issues on that end.

[slonopotamus]

"Stay invisible on LAN"

This is just a fancy way to say "we'll inject random rules in your system firewall and break things". Absolutely identical to block-outside-dns OpenVPN option.

[keith-horton]

Sorry for the DNS issues. We have updated our troubleshooting documentation with Firewall configuration compatibility issues, and a workaround for an OS bug. https://github.com/MicrosoftDocs/WSL/blob/main/WSL/troubleshooting.md#troubleshooting-dns-in-wsl

It has suggestions for various VPNs as well.

[j0nimost]

My real challenge was that /etc/resolv.conf was a link file pointing to /mnt/wsl/resolv.conf. I deleted the file link
you can check if it is a link using this (#4285 (comment))

Run:
$ ls -la /etc/resolv.conf
if you see an output like this:
lrwxrwxrwx 1 root root 20 Dec 14 16:08 /etc/resolv.conf -> /mnt/wsl/resolv.conf

It's a link file you can resolve this issue using the following steps

• Delete the link sudo rm /etc/resolv.conf
• Recreate the file sudo touch /etc/resolv.conf
• Open editor of choice; I used nano sudo nano /etc/resolv.conf
• Add the following

# [network]
# generateResolvConf = false
nameserver 1.1.1.1 # Cloudflare public DNS

• Exit and Save and you should have an internet connection

Unfortunately, this solution is not sticky. You have to redo it every time WSL2 looses connection.

[bpohoriletz]

if none of above worked for you check if DNS resolution works with TCP with
dig +tcp google.com
if it does - follow this answer to force DNS via TCP and see if it solved the issue with
ping google.com. Use ping not dig since dig ignores options

[supahfox]

I'm having the same issue
These are my logs WslLogs-2024-01-31_12-05-41.zip

WSL version: 2.0.14.0
Kernel version: 5.15.133.1-1

[asunekants]

These new networking features are now available on the latest version of Win11 22H2!

@matkozak this work is currently not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

Is it at all possible to reconsider this decision?
I'm struggling with this issue in a corporate environment that at the moment is restricted to Windows 10 for a regulatory reason that I don't quite understand, and having this on Windows 10 would make my life a lot easier;
I'm certain that I'm not alone in that.

Thank you very much!

[gtedavid]

Hi, I don't know if this helps on this issue, because it seems to be happening to quite a few people and I wanted to avoid opening an issue just for this, as I have found a temporary workaround.

https://gist.github.com/coltenkrauter/608cfe02319ce60facd76373249b8ca6?permalink_comment_id=5017885#gistcomment-5017885
I unfortunately don't know what was the configuration of /etc/resolve.conf before the issue appeared

I may have a VPN (paid licence), but it isn't used that often - unknown if that played a role in the DNS resolution failing

[rdworkbench]

downgrade your wsl to version 1 .. wsl --set-version 1

[thodges-wayspring]

Do we yet know what exactly is causing this issue? Is it a specific version of WSL2 or is in ALL WSL2 versions? Why does WSL1 work and 2 does not?

[BtbN]

On 07/06/2024 15:35, TylerCHodges wrote: Do we yet know what exactly is causing this issue? Is it a specific version of WSL2 or is in ALL WSL2 versions? Why does WSL1 work and 2 does not?

It's been explained in this issue countless times now. WSL2 is a VM, with its own networking. So if you employ some kind of Firewall or "Security Solution" that blocks incoming network traffic, including the VMs DNS queries, it breaks. WSL1 is not a VM, so it conceptually does not have the issue. It's also long been solved with host mode networking and some of the other related new features that are graduating from experimental-mode now. So there is no reason to use WSL1 (which on top of that, also does not work properly anymore with modern Distros).

[jabbera]

@TylerCHodges upgrading to 2.2.1 and making sure resolve.conf was automatically generated fixed my issues.

[hahearn73]

downgrade your wsl to version 1 .. wsl --set-version 1

This solved my issue. Company firewall blocked wsl2 but not wsl1

[levzlotnik]

Hi, I'm having issues with connecting from WSL2 to a machine on my LAN. No VPN involved.
This appeared suddenly today, last time I tried (a few weeks ago) it had no such issues.

Error messages:

levz@<MY WSL2>:~$ ping <TARGET MACHINE>
ping: <TARGET MACHINE>: Temporary failure in name resolution

Output of wsl --version:

WSL version: 2.2.4.0
Kernel version: 5.15.153.1-2
WSLg version: 1.0.61
MSRDC version: 1.2.5326
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.26091.1-240325-1447.ge-release
Windows version: 10.0.22631.3737

Things I've tried:

• Manually editing /etc/resolv.conf
• Editing %USERPROFILE%\.wslconfig and adding/removing iteratively all the following flags:
  • wsl2.dnsTunneling=true
  • experimental.networkingMode=mirrored
  • experimental.bestEffortDnsParsing=true

Notes:

• My Windows SSH (or pinging) has no issues connecting to the same machine on LAN.
• From within WSL2, I am able to connect to the same local machine via its LAN IP address.

It's not a deal breaker for me since I still can connect to the local machine through something like VSCode but I'd still prefer being able to SSH to that machine from WSL2 as well.

[slonopotamus]

This appeared suddenly today, last time I tried (a few weeks ago) it had no such issues.

So just undo any changes you did to your setup during these few weeks.

[levzlotnik]

This appeared suddenly today, last time I tried (a few weeks ago) it had no such issues.

So just undo any changes you did to your setup during these few weeks.

I hadn't made any changes myself, I assume the changes came from some automatic updates to Windows settings. So I don't really know what changed.
It's not really a big deal for me as I can still connect through Windows' SSH. I just reported that this was an issue for me that's related to this thread.

[danielfdickinson]

This is just an FYI, I have worked around the issues and have things working (latest Windows 11 normal--non-insiders--channel).

1. With dnsTunneling=true (or not set as this is the default) in both NAT and mirrored network modes, nslookup github.com only succeeds for the first of the three queries it makes.
   • I suspect this is due to having DoH enabled on all my networks in the Windows host networking.
2. In order to disable dnsTuneling for mirrored network mode, one has to first set

networkMode=NAT
dnsTunneling=false

then do a wsl --shutdown, start wsl, and shut it down again, then set

networkMode=mirrored
dnsTunneling=false

Then the next time you start wsl the 10.255.255.254 address on the loopback will no longer be there. If you just skip to the dnsTunneling=false and networkMode=mirrored in one step the dns tunneling remains active and the 10.255.255.254 address is still present.

HTH

[OscBacon]

Hey, I also run into issues when using mirrored mode (dnsTunneling set to true or false), and switch wifi connections.
So far, seems like the only fix is to stick to NAT mode?
Any other possible fixes?
@danielfdickinson tried switching off dnsTunneling in two steps, but no luck

Also, DNS issues happen on my end with no VPN involved