DNS server mixes AUTHORITY/ADDITIONAL section into ANSWER section while responding to queries

[Neurone]

Environment

Windows build number: Microsoft Windows [Version 10.0.19041.450]
Your Distribution version: Ubuntu 18.04
Whether the issue is on WSL 2 and/or WSL 1: WSL2 Linux version 4.19.104-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Feb 19 06:37:35 UTC 2020

Steps to reproduce

Query the TXT record of a domain, for example:

➜  ~ dig txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt ultradns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17666
;; flags: qr rd ad; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           0       IN      TXT     "MS=ms21611534"
ultradns.com.           0       IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="
ultradns.com.           0       IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           0       IN      TXT     "Security Issues Contact: 1-650-228-2391"
ari.beta.aridns.net.au. 0       IN      A       37.209.194.2
ari.alpha.aridns.net.au. 0      IN      A       37.209.192.2
ari.delta.aridns.net.au. 0      IN      A       37.209.198.2
ari.gamma.aridns.net.au. 0      IN      A       37.209.196.2
pdns196.ultradns.co.uk. 0       IN      A       156.154.69.196
pdns196.ultradns.com.   0       IN      A       156.154.64.196
pdns196.ultradns.org.   0       IN      A       156.154.67.196
pdns196.ultradns.info.  0       IN      A       156.154.68.196
ari.beta.aridns.net.au. 0       IN      AAAA    2001:dcd:2::2
ari.alpha.aridns.net.au. 0      IN      AAAA    2001:dcd:1::2
ari.delta.aridns.net.au. 0      IN      AAAA    2001:dcd:4::2
ari.gamma.aridns.net.au. 0      IN      AAAA    2001:dcd:3::2
pdns196.ultradns.co.uk. 0       IN      AAAA    2610:a1:1017::e8
pdns196.ultradns.biz.   0       IN      AAAA    2610:a1:1015::e8
pdns196.ultradns.com.   0       IN      AAAA    2001:502:f3ff::e8
pdns196.ultradns.net.   0       IN      AAAA    2610:a1:1014::e8
pdns196.ultradns.org.   0       IN      AAAA    2001:502:4612::e8
pdns196.ultradns.info.  0       IN      AAAA    2610:a1:1016::e8

;; Query time: 0 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 10:56:19 CEST 2020
;; MSG SIZE  rcvd: 1117

➜  ~ dig txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               0       IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               0       IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               0       IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
dns1.p09.nsone.net.     0       IN      A       198.51.44.9
dns2.p09.nsone.net.     0       IN      A       198.51.45.9
dns3.p09.nsone.net.     0       IN      A       198.51.44.73
dns4.p09.nsone.net.     0       IN      A       198.51.45.73

;; Query time: 70 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 02:12:06 CEST 2020
;; MSG SIZE  rcvd: 359

Please note that DNS server 192.168.16.1 comes from the Hyper-V Virtual Network Adapter and it is dynamically and automatically configured by WSL/ICS/Windows, so the exact DNS server's IP changes every time Windows restarts.

➜  ~ cat /etc/resolv.conf
# This file was automatically generated by WSL. To stop automatic generation of this file, add the following entry to /etc/wsl.conf:
# [network]
# generateResolvConf = false
nameserver 192.168.16.1

Here the link to the collected log and feedback item: https://aka.ms/AA9dnzo

Expected behavior

Correct DNS response like the examples below, where the ANSWER section contains only the ANSWER section and not also some info from the AUTHORITY/ADDITIONAL sections.

The following query is done using the current authoritative DNS server for ultradns.com

➜  ~ dig @pdns196.ultradns.com txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @pdns196.ultradns.com txt ultradns.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61852
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 10, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           300     IN      TXT     "MS=ms21611534"
ultradns.com.           300     IN      TXT     "Security Issues Contact: 1-650-228-2391"
ultradns.com.           300     IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           300     IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="

;; AUTHORITY SECTION:
ultradns.com.           3600    IN      NS      pdns196.ultradns.biz.
ultradns.com.           3600    IN      NS      pdns196.ultradns.co.uk.
ultradns.com.           3600    IN      NS      pdns196.ultradns.org.
ultradns.com.           3600    IN      NS      pdns196.ultradns.com.
ultradns.com.           3600    IN      NS      pdns196.ultradns.info.
ultradns.com.           3600    IN      NS      pdns196.ultradns.net.
ultradns.com.           3600    IN      NS      ari.beta.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.gamma.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.alpha.aridns.net.au.
ultradns.com.           3600    IN      NS      ari.delta.aridns.net.au.

;; Query time: 25 msec
;; SERVER: 156.154.64.196#53(156.154.64.196)
;; WHEN: Tue Aug 25 10:51:48 CEST 2020
;; MSG SIZE  rcvd: 623

The following query is done using my ISP's DNS.

➜  ~ dig @192.168.1.254 txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @192.168.1.254 txt bing.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23185
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c07dcc091ba95b504d06372d5f44576986e68d091921e2ec (good)
;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               3600    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               3600    IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
bing.com.               3600    IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"

;; AUTHORITY SECTION:
bing.com.               127543  IN      NS      dns2.p09.nsone.net.
bing.com.               127543  IN      NS      ns4-204.azure-dns.info.
bing.com.               127543  IN      NS      ns1-204.azure-dns.com.
bing.com.               127543  IN      NS      dns4.p09.nsone.net.
bing.com.               127543  IN      NS      ns2-204.azure-dns.net.
bing.com.               127543  IN      NS      dns3.p09.nsone.net.
bing.com.               127543  IN      NS      ns3-204.azure-dns.org.
bing.com.               127543  IN      NS      dns1.p09.nsone.net.

;; ADDITIONAL SECTION:
dns1.p09.nsone.net.     25148   IN      A       198.51.44.9
dns2.p09.nsone.net.     25148   IN      A       198.51.45.9
dns3.p09.nsone.net.     25160   IN      A       198.51.44.73
dns4.p09.nsone.net.     25160   IN      A       198.51.45.73
ns1-204.azure-dns.com.  343     IN      A       40.90.4.204
ns2-204.azure-dns.net.  937     IN      A       64.4.48.204
ns3-204.azure-dns.org.  2681    IN      A       13.107.24.204
ns4-204.azure-dns.info. 343     IN      A       13.107.160.204
dns1.p09.nsone.net.     25148   IN      AAAA    2620:4d:4000:6259:7::9
dns2.p09.nsone.net.     25148   IN      AAAA    2a00:edc0:6259:7::9
dns3.p09.nsone.net.     25160   IN      AAAA    2620:4d:4000:6259:7::90
dns4.p09.nsone.net.     25160   IN      AAAA    2a00:edc0:6259:7::90
ns1-204.azure-dns.com.  343     IN      AAAA    2603:1061::cc
ns2-204.azure-dns.net.  937     IN      AAAA    2620:1ec:8ec::cc
ns3-204.azure-dns.org.  2681    IN      AAAA    2a01:111:4000::cc
ns4-204.azure-dns.info. 343     IN      AAAA    2620:1ec:bda::cc

;; Query time: 23 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Tue Aug 25 02:12:26 CEST 2020
;; MSG SIZE  rcvd: 830

The following query is done using Google's public DNS server.

➜  ~ dig @8.8.8.8 txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @8.8.8.8 txt bing.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60678
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               3599    IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               3599    IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
bing.com.               3599    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"

;; Query time: 37 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Aug 25 02:15:13 CEST 2020
;; MSG SIZE  rcvd: 226

Actual behavior

➜  ~ dig txt bing.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd ad; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bing.com.                      IN      TXT

;; ANSWER SECTION:
bing.com.               0       IN      TXT     "facebook-domain-verification=09yg8uzcfnqnlqekzsbwjxyy8rdck7"
bing.com.               0       IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
bing.com.               0       IN      TXT     "v=msv1 t=6097A7EA-53F7-4028-BA76-6869CB284C54"
dns1.p09.nsone.net.     0       IN      A       198.51.44.9
dns2.p09.nsone.net.     0       IN      A       198.51.45.9
dns3.p09.nsone.net.     0       IN      A       198.51.44.73
dns4.p09.nsone.net.     0       IN      A       198.51.45.73

;; Query time: 70 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 02:12:06 CEST 2020
;; MSG SIZE  rcvd: 359

➜  ~ dig txt ultradns.com

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> txt ultradns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17666
;; flags: qr rd ad; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ultradns.com.                  IN      TXT

;; ANSWER SECTION:
ultradns.com.           0       IN      TXT     "MS=ms21611534"
ultradns.com.           0       IN      TXT     "vvRWDjirF1kB3svP5yCIHlovQ99/rxi+VEivELNFqBvdbPZGOgtqL4qOFWfAQ0uB1o2tXEs/Ex6sgBJxaot6ig=="
ultradns.com.           0       IN      TXT     "v=spf1 exists:%{i}._i.%{d}._d.espf.agari.com include:%{d}.79.spf-protect.agari.com -all"
ultradns.com.           0       IN      TXT     "Security Issues Contact: 1-650-228-2391"
ari.beta.aridns.net.au. 0       IN      A       37.209.194.2
ari.alpha.aridns.net.au. 0      IN      A       37.209.192.2
ari.delta.aridns.net.au. 0      IN      A       37.209.198.2
ari.gamma.aridns.net.au. 0      IN      A       37.209.196.2
pdns196.ultradns.co.uk. 0       IN      A       156.154.69.196
pdns196.ultradns.com.   0       IN      A       156.154.64.196
pdns196.ultradns.org.   0       IN      A       156.154.67.196
pdns196.ultradns.info.  0       IN      A       156.154.68.196
ari.beta.aridns.net.au. 0       IN      AAAA    2001:dcd:2::2
ari.alpha.aridns.net.au. 0      IN      AAAA    2001:dcd:1::2
ari.delta.aridns.net.au. 0      IN      AAAA    2001:dcd:4::2
ari.gamma.aridns.net.au. 0      IN      AAAA    2001:dcd:3::2
pdns196.ultradns.co.uk. 0       IN      AAAA    2610:a1:1017::e8
pdns196.ultradns.biz.   0       IN      AAAA    2610:a1:1015::e8
pdns196.ultradns.com.   0       IN      AAAA    2001:502:f3ff::e8
pdns196.ultradns.net.   0       IN      AAAA    2610:a1:1014::e8
pdns196.ultradns.org.   0       IN      AAAA    2001:502:4612::e8
pdns196.ultradns.info.  0       IN      AAAA    2610:a1:1016::e8

;; Query time: 0 msec
;; SERVER: 192.168.16.1#53(192.168.16.1)
;; WHEN: Tue Aug 25 10:56:19 CEST 2020
;; MSG SIZE  rcvd: 1117

Info from the AUTHORITY/ADDITIONAL sections are mixed in the ANSWER section: this behaviour currently creates issues to other programs that need to process the answer.

For example, in this issue geth cannot unmarshal the DNS message because it's greater then 512 bytes.

Geth is written in go, and go DNS client follows the RFC 1035 specification. This specification states that via UDP the maximum allowed message size is 512 bytes.

The program works fine with all other DNS servers because ANSWER configured in the DNS server is correctly less then 512 bytes, but it fails with WSL that - with the addition of other information - creates an ANSWER section too big.

This strange behavior potentially impacts every RFC 1035 compliant library, and at least it impatcs every program written in go-lang and that uses the native DNS client library.

As a final note, I don't know if it is related to the same problem or if it can provide some clues, you can also notice a warning message appearing at the beginning of the DNS response:

;; WARNING: recursion requested but not available

[therealkenc]

Thanks for the detailed report. I can't repro here, but I am pretty sure that's only because my ISP isn't coughing up any AUTHORITY/ADDITIONAL upstream. Please collect logs and backlink the feedback item. Your analysis looks awfully sound on its own merits, but having traces for the devs to look at is better than not.

[Neurone]

Sure. I updated the issue adding a query to an authoritative DNS - so you can see by your own even if your ISP does not act like mine - and I added the link to the feedback item. I also updated the new IP of the resolver (now 192.168.16.1) to reflect the recording of the feeedback.

[timriker]

This happens for me too. Any fix in the works? This gets in the way of DNS administration.

This happens for zones that are authoritative for your upstream DNS server. I see it on VPN for the office, but not when I'm not on VPN.

[florentchauveau]

This is still happening with build 10.0.19042.610.

Really surprised to see so few people affected by this.

The "ADDITIONAL SECTION" is added to the "ANSWER SECTION". This makes things really bad when you are managing thousands of targets with Ansible...

[boogie-byte]

I am affected by this issue as well.

Windows build number: 10.0.19042.685
Your Distribution version: Ubuntu 20.04
Whether the issue is on WSL 2 and/or WSL 1: WSL2 Linux version 4.19.104-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Feb 19 06:37:35 UTC 2020

[timriker]

Thanks for the detailed report. I can't repro here, but I am pretty sure that's only because my ISP isn't coughing up any AUTHORITY/ADDITIONAL upstream. Please collect logs and backlink the feedback item. Your analysis looks awfully sound on its own merits, but having traces for the devs to look at is better than not.

You should be able to reproduce this by pointing your windows DNS server(s) to servers that are authoritative for something instead of to your default ISP servers or public servers like google. I don't know of any public servers off hand that are both authoritative AND allow recursive lookups. This, however, is common for corporate DNS servers when on VPN connections. Often the company DNS servers handle internal non-routable names for the company domain as well as recursing requests for external domains.

[b-diggity]

I have this issue as well! It commonly affects Terraform. When doing a packet capture, I can see the NS records for the lookup of registry.terraform.io being returned in the answer section. Then I see terraform making its request for the url using a NS record IP and not the actual site IP because the NS records were returned incorrectly. Please help!

Here is the DNS response coming into my PC:

Here is the DNS response coming into my WSL:

[billchenchina]

Thank you guys all,

I've tested on Hyper-V, and I also encountered this problem. I doubt this is problem with the Hyper-V's DNS server.

Should anyone with WSL 1 test if this problem exists?

/cc @therealkenc

[billchenchina]

Thank you guys all,

I've tested on Hyper-V, and I also encountered this problem. I doubt this is problem with the Hyper-V's DNS server.

Should anyone with WSL 1 test if this problem exists?

/cc @therealkenc

Quick update: our university's DNS provides AUTHORITY SECTION and ADDITIONAL SECTION in response.

[b-diggity]

The issue does not appear to affect WSLv1.

[timriker]

It did affect me back when I was running WSLv1. I've not been running v1 for a while now.

The issue only happens if the upstream DNS server is providing authoritative/additional records. In this case the ADDITIONAL records are merged in to the reply, but I don't see any AUTHORITY records getting merged.

$ dig www.churchofjesuschrist.org @172.27.16.1

; <<>> DiG 9.16.1-Ubuntu <<>> www.churchofjesuschrist.org @172.27.16.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30030
;; flags: qr rd ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.churchofjesuschrist.org.   IN      A

;; ANSWER SECTION:
www.churchofjesuschrist.org. 0  IN      CNAME   www.churchofjesuschrist.org.edgekey.net.
www.churchofjesuschrist.org.edgekey.net. 0 IN CNAME e15515.dsca.akamaiedge.net.
e15515.dsca.akamaiedge.net. 0   IN      A       23.50.233.88
e15515.dsca.akamaiedge.net. 0   IN      A       23.50.233.69
n0dsca.akamaiedge.net.  0       IN      A       88.221.81.192
n7dsca.akamaiedge.net.  0       IN      A       184.50.88.125
n6dsca.akamaiedge.net.  0       IN      A       104.124.1.39
n3dsca.akamaiedge.net.  0       IN      A       184.28.219.181
n5dsca.akamaiedge.net.  0       IN      A       23.66.122.5
n4dsca.akamaiedge.net.  0       IN      A       184.28.219.46
n2dsca.akamaiedge.net.  0       IN      A       23.66.122.47
n1dsca.akamaiedge.net.  0       IN      A       23.66.122.29
n0dsca.akamaiedge.net.  0       IN      AAAA    2600:1480:e800::c0

;; Query time: 20 msec
;; SERVER: 172.27.16.1#53(172.27.16.1)
;; WHEN: Mon Sep 27 11:30:21 MDT 2021
;; MSG SIZE  rcvd: 607

Why is this taking so long to fix? This is obvious incorrect behavior. Is the source the the DNS proxy available so we can submit a patch?

[digininja]

I agree, it definitely seems like something significant enough that it should not still be dragging on after this long.

[bernardmaltais]

This is causing an issue with terraform in WSL2. Can you please fix this?

[vladimir-shopov]

More and more programs used in WSL2 stop working - Helm and Terraform, just to name a few. Can somebody take this bug seriously?

[martinbalint]

As a quick workaround, use cloudflare or similar resolver.

Modify /etc/resolv.conf to nameserver 1.1.1.1

For VPN or private zones, use appropriate DNS server.

[indispeq]

👍 to fix this, it is breaking Terraform usage on WSL2.

[benc-uk]

Major bug, I lost 1/2 a day to this issue, as it's really not obvious what the problem is Seriously needs fixing

[ghost]

I'm not expecting a great DNS server for such limited use, but please make it standards-compliant.

[herkulessi]

Couldn't WSL just use the Windows DNS Servers, without hosting its own? Basically, instead of putting the WSL-DNS into the relov.conf, you could just put the Nameservers that Windows is configured to use there... It might lead to double upstream requests, since Windows and Linux might request the same domain independant of each other, but it would work. And it would still allow wsl to use the Interface based DNS-Servers you can set in Windows.

[billchenchina]

Couldn't WSL just use the Windows DNS Servers, without hosting its own?

WSL is actually using the Hyper-V's default recursive resolver. Creating an Hyper-V guest and it would show the same wrong result.

Basically, instead of putting the WSL-DNS into the relov.conf, you could just put the Nameservers that Windows is configured to use there... It might lead to double upstream requests, since Windows and Linux might request the same domain independant of each other, but it would work. And it would still allow wsl to use the Interface based DNS-Servers you can set in Windows.

Yes.

[timriker]

This bug is in the default Hyper-V resolver? Has it been reported to that team? Anyone have a link to the reported issue in Hyper-V? Does anyone have steps to reproduce this in Hyper-V without being a WSL instance?

[billchenchina]

This bug is in the default Hyper-V resolver? Does anyone have steps to reproduce this in Hyper-V without being a WSL instance?

I think so. I've tested Hyper-V alone in https://github.com/microsoft/WSL/issues/5806#issuecomment-926858463

Has it been reported to that team? Anyone have a link to the reported issue in Hyper-V?

idk.

[edwinbalani]

As noted in https://github.com/microsoft/WSL/issues/7642, for WSL2 specifically the DNS resolver is provided by Windows Internet Connection Sharing (ICS) aka the SharedAccess service. This is also documented on Microsoft docs:

Internet Connection Sharing (ICS) is a required component of WSL 2. The ICS service is used by the Host Network Service (HNS) to create the underlying virtual network which WSL 2 relies on for NAT, DNS, DHCP, and host connection sharing.

So I think the bug is not in Hyper-V, but is in ICS.

I tried to quickly reproduce the bad DNS replies using Mobile Hotspot in Windows, to show it's not WSL2-specific, but ICS crashed as soon as I started the hotspot 🙃 (and I was left with no DNS resolution in WSL2). I will try harder a little later.

[jamezrin]

@craigloewen-msft can you please take a look at this? Is there any way we can provide more info?

I personally found this issue while running dig google.com any

[shwuandwing]

+1. This is affecting many popular CLI tools of WSL2, including terraform / helm

[jrabasco]

Hey!

This has been a pain for us for a long time now, can we have some update on the status? There are many tools that fail because of this and it's an obvious bug since it goes against the DNS specs.

[SuperSandro2000]

I just wanted to let everyone know that this is still a problem.

[EnriqueAlmanza]

this is still a problem... "helm dep up" takes more than 20 minutes!

[timriker]

This looks like it's an issue with the Hyper-V DNS resolver. Has this been reported to the Hyper-V team? I see similar behavior in other Hyper-V VMs.

[tbarbette]

Affected too

[tmill15]

I've solved all issues regarding DNS and VPN using this tool: https://github.com/sakai135/wsl-vpnkit

[SouvickDutta]

Affected too

[bobvandevijver]

I have posted this issue in the Windows Feedback hub under Hyper-V, so make sure to upvote it: https://aka.ms/AAlwtcs (in the hope it helps).

[zollo]

Confirmed to be an issue on my end, all DNS queries include root servers:

(.venv) zollo@ws-zollo1:~$ nslookup apple.com
Server:         172.20.176.1
Address:        172.20.176.1#53

Non-authoritative answer:
Name:   apple.com
Address: 17.253.144.10
Name:   l.root-servers.net
Address: 199.7.83.42
Name:   k.root-servers.net
Address: 193.0.14.129
Name:   e.root-servers.net
Address: 192.203.230.10
Name:   f.root-servers.net
Address: 192.5.5.241
Name:   a.root-servers.net
Address: 198.41.0.4
Name:   c.root-servers.net
Address: 192.33.4.12
Name:   d.root-servers.net
Address: 199.7.91.13
Name:   g.root-servers.net
Address: 192.112.36.4
Name:   b.root-servers.net
Address: 199.9.14.201
Name:   i.root-servers.net
Address: 192.36.148.17
Name:   j.root-servers.net
Address: 192.58.128.30
Name:   m.root-servers.net
Address: 202.12.27.33
Name:   apple.com
Address: 2620:149:af0::10
Name:   l.root-servers.net
Address: 199.7.83.42
Name:   k.root-servers.net
Address: 193.0.14.129
Name:   e.root-servers.net
Address: 192.203.230.10
Name:   f.root-servers.net
Address: 192.5.5.241
Name:   a.root-servers.net
Address: 198.41.0.4
Name:   c.root-servers.net
Address: 192.33.4.12
Name:   d.root-servers.net
Address: 199.7.91.13
Name:   g.root-servers.net
Address: 192.112.36.4
Name:   b.root-servers.net
Address: 199.9.14.201
Name:   i.root-servers.net
Address: 192.36.148.17
Name:   j.root-servers.net
Address: 192.58.128.30
Name:   m.root-servers.net
Address: 202.12.27.33

WSL version: 1.2.5.0
Kernel version: 5.15.90.1
WSLg version: 1.0.51
MSRDC version: 1.2.3770
Direct3D version: 1.608.2-61064218
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.2134

[digininja]

How can something this fundamental still be an issue three years after it was first reported.

Every other OS, even Vista, managed to do DNS correctly.

[mgkuhn]

How can something this fundamental still be an issue three years after it was first reported.

Usually this is because the relevant code once belonged to an entirely different product team, which likely has been long disbanded, and as a result that code has become orphaned. Don't forget that some of that code base (Internet Connection Sharing?) is probably more than a quarter century old, and never was intended to serve DNS to a modern Linux environment via WSL. This DNS server/proxy functionality also seems entirely undocumented, so even finding it will be a challenge. Windows NT has lots of "skeletons in the closest", and the code behind this issue is probably one of those. I suggest the best way forward is to find an experienced code archeologist and start decompiling, as even the source code may have been lost.

If you think I'm joking: https://arstechnica.com/gadgets/2017/11/microsoft-patches-equation-editor-flaw-without-fixing-the-source-code/

[ghost]

I'd suggest that this is a bigger issue than Microsoft will give credit for. It essentially makes it impossible to use DNS reliably in some environments, such as the case where a DNS proxy will forward some requests to Azure to take advantage of Azure private DNS. WSL simply cannot resolve some of these private hostnames because of this bug.

[timriker]

This is a Hyper-V issue. Spin up an Hyper-V virtual machine and you will see the exact same bug.

[digininja]

@mgkuhn even given all that, the fact it breaks so much stuff means there should be some priority on getting it fixed, even if it means rebuilding that library from scratch. Three years should be enough to get something done.

[mgkuhn]

This is a Hyper-V issue. Spin up an Hyper-V virtual machine and you will see the exact same bug.

And now test it on a separate Linux box connected to the Internet via Windows' "Internet Connection Sharing", all the way back to Windows 98 SE. Hyper-V may be just another environment affected, not the actual location of that DNS code.

[mgkuhn]

Will the newly announced dnsTunneling option help to circumvent the problem? https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/#dns-tunneling

[CatalinFetoiu]

Please try enabling "dnsTunneling" and let us know if it fixes the issue. thanks!

[bobvandevijver]

It looks like dnsTunneling (I've combined this with the new mirrored networking mode as well) works like a charm 👍🏻

[digininja]

Is there a write up on how to do this somewhere?

[bobvandevijver]

Well yes, its in this link as posted by @mgkuhn:

Will the newly announced dnsTunneling option help to circumvent the problem? https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/#dns-tunneling

Just make sure to have the latest win11 22H2 feature updates (released yesterday, KB5030310) installed.