Skip to content

Fix container DNS resolution broken by AAAA/IPv6 NXDOMAIN handling #786

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jglogan merged 1 commit into from
Oct 31, 2025
Merged

Fix container DNS resolution broken by AAAA/IPv6 NXDOMAIN handling #786

jglogan merged 1 commit into from
Oct 31, 2025

Conversation

@radoxtech
Copy link
Contributor

@radoxtech radoxtech commented Oct 18, 2025
edited
Loading

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

In Alpine Linux containers (commonly used as Docker base images), standard DNS resolution is provided by musl, a lightweight C standard library (libc). Musl implements DNS lookups via getaddrinfo(), which queries AAAA (IPv6) records first.

Observed problem

DNS did not work correctly inside containers. Any system command attempting to resolve hostnames (e.g., ping dynamodb-admin) failed when the DNS server responded NXDOMAIN for AAAA records, even if A (IPv4) records existed. Explicitly forcing IPv4 (ping -4 dynamodb-admin) worked correctly, showing the issue is specific to musl’s IPv6-first behavior.

Consequence

In IPv4-only environments, Alpine-based containers cannot resolve hostnames using standard tools or libraries. Applications relying on getaddrinfo() fail with ENOTFOUND, breaking networking and inter-container communication.

Root cause

Following RFC 8305 / RFC 6724, musl treats NXDOMAIN for AAAA as “hostname does not exist” and does not fallback to A (IPv4) records.

Fix implemented

The Apple Container DNS engine now behaves as follows:

  • If an A record exists, AAAA queries return NOERROR with empty answer (NODATA).
  • If neither A nor AAAA exist, NXDOMAIN is returned.

This ensures that Alpine-based containers in IPv4-only networks can correctly resolve hostnames inside containers without modifying container images or application code.

Reproduction steps (Apple Container CLI 0.5.0)

  1. Run the local DynamoDB container in the background:
container run -d --name dynamodb-local docker.io/amazon/dynamodb-local:latest
  1. Run the admin container in interactive mode:
container run -it --name dynamodb-admin -p 8000:8000 docker.io/aaronshaf/dynamodb-admin:latest sh
  1. From inside the admin container, ping the local DynamoDB container:
ping dynamodb-local
ping -4 dynamodb-local

Observed: resolution fails (NXDOMAIN / ENOTFOUND).
Workaround: explicitly forcing IPv4 works.

If comments in source are not required please remove them or let me know.

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs

@jglogan
Copy link
Contributor

jglogan commented Oct 29, 2025

@radoxtech Thanks for the contribution and sorry for the delay. Looking at this now.

jglogan
jglogan approved these changes Oct 30, 2025
View reviewed changes
Copy link
Contributor

@jglogan jglogan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@radoxtech Thanks for the contribution and good catch!

Comments provide the "why" to the casual reader, I left those in.

@jglogan
Copy link
Contributor

jglogan commented Oct 30, 2025

@radoxtech Could you rebase your PR using signed commits?

See: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification

@radoxtech
Copy link
Contributor Author

radoxtech commented Oct 30, 2025

@jglogan

I pushed signed commit.

@jglogan
Copy link
Contributor

jglogan commented Oct 30, 2025

Thanks, merged!

@jglogan jglogan merged commit 745cc18 into apple:main Oct 31, 2025
2 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Dec 3, 2025
Merged
@Tazintosh Tazintosh mentioned this pull request Dec 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jglogan jglogan jglogan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@radoxtech @jglogan