DNS server returns NXDOMAIN on non-existing AAAA records

[radhus]

• I have tried with the latest version of my channel (Stable or Edge)
• I have uploaded Diagnostics
• Diagnostics ID: 3DDF88CF-907D-4BF1-8BEF-3FD8E7207349/20201129181726

Expected behavior

Resolving a domain name which doesn't have an AAAA record should return no response.

Example from dig towards Google DNS:

$ dig @8.8.8.8 github.com AAAA

; <<>> DiG 9.10.6 <<>> @8.8.8.8 github.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15515
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com.			IN	AAAA

;; AUTHORITY SECTION:
github.com.		838	IN	SOA	ns-1707.awsdns-21.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Nov 29 19:08:27 CET 2020
;; MSG SIZE  rcvd: 123

Actual behavior

DNS server inside Docker for Mac returns NXDOMAIN (as compared to status NOERROR above):

$ docker run --rm -ti alpine:edge sh -c 'apk add bind-tools >/dev/null 2>&1 && dig github.com AAAA'

; <<>> DiG 9.16.8 <<>> github.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8937
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;github.com.                    IN      AAAA

;; Query time: 0 msec
;; SERVER: 192.168.65.1#53(192.168.65.1)
;; WHEN: Sun Nov 29 18:09:49 UTC 2020
;; MSG SIZE  rcvd: 28

Information

• macOS Version: 10.14.6

While this might have worked in most cases, I see big issues running late edge versions of Alpine Linux which contains musl libc version 1.2.1+. In 1.2.1 this commit was introduced, which I think is the culprit of the problems. In my understanding, musl will query for both A and AAAA records, and if either of them return NXDOMAIN it will treat the whole domain as not-existing.

musl is probably doing the right thing here, and I cannot find other DNS servers that returns NXDOMAIN like this.

This is potentially related to these issues?

• VPNKit DNS server returns NXDOMAIN for SRV records moby/vpnkit#509
• DNS - wrong "No such name" answer moby/vpnkit#202 - old similar issue which seems to be fixed, although I'm not sure how vpnkit is used in Docker for Mac.

Diagnostic logs

Docker for Mac: 2.5.2 (50165)
Engine: 20.10.0-rc1

Steps to reproduce the behavior

Run docker run --rm -ti alpine:edge sh -c 'apk add bind-tools >/dev/null 2>&1 && dig github.com AAAA' and see if the DNS server returns NOERROR (correct) or NXDOMAIN (incorrect - hence reproduced) as status.

[stephen-turner]

Thanks, this is a dupe of #5020.

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked