DNS not working anymore

[CamJN]

Description

Trying to pull any new images results in a dns error, despite system dns working fine.

$ docker pull ubuntu:24.04
Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io on 127.0.0.53:53: no such host
$ dscacheutil -q host -a name registry-1.docker.io
name: registry-1.docker.io
ipv6_address: 2600:1f18:2148:bc00:8d61:9b62:40aa:8bb8
ipv6_address: 2600:1f18:2148:bc02:445d:9ace:d20b:c303
ipv6_address: 2600:1f18:2148:bc01:571f:e759:a87a:2961

name: registry-1.docker.io
ip_address: 54.198.86.24
ip_address: 54.236.113.205
ip_address: 54.227.20.253

Version

colima version 0.8.0
git commit: 9c08cff

runtime: docker
arch: x86_64
client: v27.3.1
server: v26.1.1
limactl version 1.0.2

qemu-img: not installed

Operating System

• macOS Intel <= 13 (Ventura)
• macOS Intel >= 14 (Sonoma)
• Apple Silicon <= 13 (Ventura)
• Apple Silicon >= 14 (Sonoma)
• Linux

Output of colima status

$ colima status
INFO[0000] colima is running using macOS Virtualization.Framework
INFO[0000] arch: x86_64
INFO[0000] runtime: docker
INFO[0000] mountType: virtiofs
INFO[0000] socket: unix:///Users/camdennarzt/.colima/default/docker.sock

Reproduction Steps

1. using docker image ls determine an image that you do not have pulled locally
2. run any docker command which would pull that image eg: docker pull ubuntu:24.04
3. observe dns being broken

Expected behaviour

DNS should work

Additional context

it seems that there's some issue with lima that might be related: lima-vm/lima#2939

[jiusi9]

I have a same issue, today.

[jalpedersen]

A possible workaround is to assign a reachable address to the virtual machine:

network:
    address: true

[Cuchulain]

The same problem is on the ARM64 (M1).

$ colima version
colima version 0.8.0
git commit: 9c08cff339f087c0600d9d56af7b5fbcfe02e287

runtime: docker
arch: aarch64
client: v27.2.1-rd
server: v24.0.9

$ colima status
INFO[0000] colima is running using macOS Virtualization.Framework
INFO[0000] arch: aarch64
INFO[0000] runtime: docker
INFO[0000] mountType: virtiofs
INFO[0000] socket: unix:///Users/user/.config/colima/default/docker.sock

[uwej711]

I ran into that issue as well after updateing to colima 0.8.0 and lima 1.0.2. After some digging we found out that the issue seems to be caused by a DNS proxy as network filter installed by our vpn software. Once that filter is disabled or the vpn client uninstalled DNS started to work again. Everything works if using lima 0.23.2 with colima 0.8.0. The actual change is discussed in the linked issue above.
Further experiments imply that the new DNS implementation in lima 1.0.2 via gvisor-tap-vsock which uses Miek Gieben's library https://github.com/miekg/dns is just to fast for that DNS proxy to function. A tiny delay between opening the connection to the DNS server and sending the request makes the filter work. Without the delay the dns request runs in a timeout. I created containers/gvisor-tap-vsock#439 to discuss a change there (knowing that the code there is not the actual problem, rather as a workaround).
I would be curious if other people with DNS issues with latest lima also have some network filters running on their macs.

[uwej711]

Here you can find a simple test to run on your mac: https://github.com/uwej711/test-go-dns

[uwej711]

And another thing: in my case DNS still works when using TCP instead of UDP, so you can also try to block UDP in ypur virtual machine with iptables:

sudo  iptables -A OUTPUT -p udp -d 192.168.5.2 -j REJECT --reject-with icmp-proto-unreachable

[CamJN]

I do not use any network filters. The only interesting thing about my dns is that I have dnsmasq installed on my laptop and have macOS use that, rather than the dhcp supplied server.