Open anpandey opened 2 years ago
After a bit of investigation, wg
isn't actually doing anything different from programs like curl
for DNS resolution.
This is happening because dnscrypt starts listening for requests only after it detects the network is up. If wireguard-wg1-peer-xxxx.service
starts before that, my guess is wg quits entirely (probably because it's getting a connection refused) instead of retrying in cases like when the network is down.
I found a workaround to have systemd do the retries since wg
thinks it's an unrecoverable error:
systemd.services."wireguard-wg1-peer-xxxxx-refresh" = {
serviceConfig = {
Restart = "on-failure";
RestartSec = 60;
};
};
Describe the bug
I'm using dnsscrypt-proxy2 listening locally on localhost port 53 as my system DNS server. I also have
services.wireguard
enabled in a network namespace with a domain name as a peer endpoint. However,wg
fails to properly resolve the endpoint address when the generated systemd service is run.This is what the relevant part of my
configuration.nix
looks like:Additional context
I can confirm with dnscrypt-proxy2 disabled and NetworkManager DNS enabled, name resolution for the endpoint works. My guess is that the
wg
invocations are run in the specified network namespace (where dnscrypt-proxy2 is not reachable), so DNS resolution fails.Also interesting is that by directly using the IP address of the endpoint (so that the connection is usable),
curl
is able to use the locally runningdnscrypt-proxy2
instance.and running tcpdump:
My guess is that
wg
is doing something different for name resolution (but it looks like it uses getaddrinfo()), or that the endpoint needs to be fully set up for name resolution to work.A fix for this might be similar to what's needed in #169128, where we can resolve the domain name for the endpoint before all other configuration (e.g. moving the
wg1
interface to its own namespace)Notify maintainers
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"
and paste the result.