Change https://go.dev/cl/384076 mentions this issue: net/dns: Increase UDP response buffer to 1232 bytes

cc @ianlancetaylor @neild

Workaround: We were able to work around the problem by adding a DNS entry in the hosts file:
51.107.60.33 management.azure.com
When using WSL, the hostfile can be edited in Windows. %windir%\system32\drivers\etc\hosts and then restart the WSL.
So at least we could use Terraform again.

For what it's worth, there is no generally applicable workaround that fixes users' experience without other side effects and possible downsides.

That IP isn't the same IP I see, so I wonder if there's some geographic DNS response occurring.

previously #11070

Even from the linked site, the recommendation for the increased buffer size is for EDNS0 which is not implemented here (ref #6464). Equally important on their site is the support for TCP, and had WSL followed spec and returned a proper truncated response, it would have been retried gracefully.

@seankhliao

I would push back on the notion that this should be resolved elsewhere.

Go is the exception to behaving correctly: other userland programs such as dig(1), nslookup(1), host(1), as well as glibc API calls such as getaddrinfo(3) work. I can write Python, C#, Rust, C, etc, and those will work correctly in this networking environment.

Go is adhering strictly to an antiquated standard, EDNS0 has been a standard since 1999 and larger responses are not a new specification or the result of rapidly moving network standards or the ground shifting under Go. Strict adherence to 512 byte responses is not followed by other tools in the same ecosystem, Go ought to "be liberal in what it accepts", within reason and of course, unless doing so would violate memory safety or other safety criteria of the software.

End-users are not in a position to solve their upstream DNS server's issues, nor are software maintainers. We don't have control over our end user's DNS servers.

This error isn't unique to the situation I described, it's just most acute right now for those users in the specific scenario I documented. 112 issues have been reported on GitHub with the text "cannot unmarshal DNS", and a survey of those shows that they have occurred across all platforms and among extraordinarily widely used pieces of software across Mac, Windows, *nix. Those issues show that various other VPN providers, ISPs, routers, have all behaved similarly. And going back to the earlier points, users don't have control over those things and we shouldn't expect all Go software users to be software engineers or to be able to modify their DNS configuration.

Lastly, I strongly believe that software that works is superior to software that does not, and end-users of the software will not care what link in the chain is causing it not to work.

There is an opportunity to mitigate an issue end-users are facing in one place, I think bringing Golang into alignment with the rest of the ecosystem will positively impact users.

Thanks for the report.

Microsoft is unlikely to update their DNS server to adhere to the pre-1999 DNS specification.

Why not? It's been a while since I've read DNS RFCs, but my impression is still today that DNS servers are not allowed to send >512-byte responses unless the client explicitly indicates support for such using EDNS.

As such, I feel like emphasizing "pre-1999" is unfair. I think Microsoft should update their DNS server to adhere to the DNS specification. I'd prefer we don't add hacks to accommodate non-spec behavior.

However, #6464 remains open if someone wants to update Go's DNS client to use EDNS, and to support+advertise a larger buffer size. I think that's the standards-conforming way to address this issue, if folks aren't willing to wait on the issue being fixed in WSL2.

Hey @mdempsky I would like this re-opened please. Any way we could get on a call to chat about this?

Just for reference, there is an (currently open) issue over at WSL that should cover this issue microsoft/WSL#7642. I'd suggest adding your findings there as well.

Understood, though I'd like to chat with someone on the Go language team about the scope & impact of this issue. It's affecting customers of major Go language-built software & has for about seven years. It's particularly acute because, I suspect, none of the players wants to take responsibility for fixing this.

End users do not care why their software is broken, but we have an opportunity here to address, at least partially, thousands of issues raised by users over the past 7 years. And if the Pareto principle is applicable here, I suspect those users knowledgeable enough and motivated enough to comment on GitHub are just a fraction of those impacted.

Hey @mdempsky I would like this re-opened please. Any way we could get on a call to chat about this?

Why? What do you hope these requests would accomplish?

As stated, the Go DNS client is spec-compliant to the best of my knowledge, and a feature request issue (#6464) already exists that I believe would make it more accommodating to non-compliant DNS software like WSL2. It just needs someone to implement it. I'm happy to review CLs.

With all due respect, Go is a open source project and I think that your best bet to get a desired change through isn't via a private call with a maintainer.

Other languages & libraries use larger buffers and accept larger responses in order to "be liberal in what they accept" to tolerate non-compliant implementations, and a concerted effort by a consortium of DNS implementations and stakeholders pushed for a larger acceptable buffer size in 2020, more than two decades after that specification was accepted.

And end users do not care why their software does not work. I think a phone call might be a better channel to have an empathetic conversation over the issues I've read & the litany of closed/unsolved issues reported against packages on GitHub, StackOverflow, and elsewhere.

Otherwise, I can keep replying, but I don't see any responses to my points on the merits so far. I would like to raise the bar from this text-based conversation to one that's more empathetic toward end-users.

I think we should try, here, to solve customer, end-user problems.

I think we should try, here, to solve customer, end-user problems.

We've identified two ways to do that already: have WSL2 fix their DNS server (microsoft/WSL#7642), or implement #6464.

Would anything break by using a larger default buffer for responses? I think that's what glibc does, and as observed previously I think Go is an outlier here among languages & libraries in not tolerating a larger response.

There is something I don't understand here. Apparently some DNS server is out of spec by sending packets greater than 512 bytes without setting the truncated bit. But it can't be the regular Microsoft server, or Go programs on all systems would be reporting problems, not just programs on WSL. Does WSL run a local name server? What is the nameserver entry in resolv.conf? What happens if you change it to 8.8.8.8 or 1.1.1.1?

CC @jstarks for WSL issue.

@ianlancetaylor First, you're right, the WSL2 DNS server is out of spec. No question there.

Second, let's take a step back - this isn't a WSL2 specific issue. Fixing the acute issue users are facing in WSL2 is WSL2 specific, but I'd encourage you to read the many, many comments on GitHub issues. https://github.com/search?o=asc&q=%22cannot+unmarshal+DNS%22&s=created&type=Issues

Starting with these issues which predate WSL2.

I'm using a red circle to indicate that a user's problem was never solved, a yellow circle to indicate that a workaround was implemented to mitigate customer issues, but didn't root cause them, and a green circle when a project that is actually a DNS server solved the issue. I'm also using GitHub Markdown's list notation to provide partially unfurled data about the link destination via just pasting in URLs.

Consul

• 🟡 Hashicorp Consul worked around issue by enabling message compression, root cause not fixed, merely mitigated: go 1.4.2 cannot parse some dns responses from consul hashicorp/consul#854
• Consul PR 1 Compress all DNS responses hashicorp/consul#971
• Consul PR 2 Compress all DNS responses hashicorp/consul#2096

Confd

• 🟡 Confd worked around issue by using netdns=cgo: confd fails to find etcd using SRV records if there are more than 3 SRV records kelseyhightower/confd#285

Docker

• 🟡 Docker failed to resolve requests to Mesos DNS server produced responses larger than 512 bytes, impacted Docker. Root cause not fixed, merely mitigated: Docker can't parse mesos-dns answers mesosphere/mesos-dns#170
• Mesos PR: resolver: Compress all DNS answers mesosphere/mesos-dns#173

Kubernetes

• 🔴 This user's issue making DNS requests to Google's Container Registry were never resolved: UI hangs when cluster brought up with vagrant kubernetes/kubernetes#11119 (comment)

Weave

• 🟡 Weave DNS response exceeded 512 bytes, they referenced the bug in consul, they worked around this by compressing DNS responses.
• Weave PR: Try to compress too long replies (when forwarding). weaveworks/weave#1313

rakyll/drive / odeke-em/drive

• 🔴 Client side utility failed to make requests to googleapis.com, never solved. Closed because maintainer could not reproduce and/or pointed to golang as upstream bug Cannot unmarshal DNS message odeke-em/drive#358

Mesos, again

• 🟢 A 740 byte DNS response on Mac OSX, using Go applications against Mesos DNS fail to work possible malformed response with large responses mesosphere/mesos-dns#326
• Someone points out that the previous mitigation failed: possible malformed response with large responses mesosphere/mesos-dns#326 (comment)
• Mesos DNS server fixed! 512 byte limit PR: https://github.com/skynetservices/skydns/blob/4c00898b5ed8769af24f8dde381386f3969c2275/server/server.go#L175

Resolvable, a Docker DNS resolver

• 🟢 PR to truncate DNS responses because Compress DNS responses and truncate them if using UDP transport gliderlabs/resolvable#13

Goproxy

• 🔴 User getting an error trying to lookup ec4.images-amazon.com "Sounds like you have a problem in your local DNS server" Can not unmarshal dns message elazarl/goproxy#137

Moby / then Docker

• 🔴 Various users report DNS not working, the workaround posted near the bottom can hardly be called such. 33 comments, more than a dozen users reporting issues. This is in 2016, so users were various Linux distributions. Embedded dns server breaks DIND moby/moby#20037
• This is still an open issue.

freegeoip

• 🔴 User gets an error when trying to perform a Get in a go application using Docker. cannot unmarshal DNS Message fiorix/freegeoip#160
• "Could have been. I've literally just changed service providers from yesterday so I'm using different DNS servers. The error has gone away. Odd."

heroku

• 🔴 Heroku CLI on MacOS (2016, so back then OSX) failing to log in. Unable to run heroku login 'cannot unmarshal DNS message' heroku/legacy-cli#1899
• Heroku maintainers don't control user's DNS server.

clair

• 🔴 user has "unmarshal DNS..." error on www.redhat.com, cannot use container scanning CLI tool clair Unable to download Debian and Redhat vulnerabilities quay/clair#171
• Clair maintainers don't control user's DNS server.

Docker for Mac

• 🔴 Dozens of users report issues with DNS, never fixed. Docker for Mac 1.12.0 TCP DNS queries fail moby/moby#24344
• Docker maintainers don't control user's DNS servers.

gorush application server

• 🔴 user reports "gcm-http.googleapis.com" gets a unmarshal DNS error, no resolution ERROR: Cannot unmarshal DNS Message appleboy/gorush#116
• Maintainer can't reproduce, closes. They don't control the user's DNS server.

Docker for Mac

• 🔴 more DNS bugs reported by Mac users, no resolution Pulling repositories fail with DNS resolve error docker/for-mac#357

I think that software that works is better than software that doesn't work, and if a partial mitigation before EDNS0 support lands in Go would have prevented these issues, shouldn't it have been done? How many frustrated users is too many?

That's just the first two pages of results from the GitHub issues. I'll continue tomorrow.

Change https://go.dev/cl/385035 mentions this issue: net: send EDNS(0) packet length in DNS query

@AaronFriel Can you or someone else with WSL see if https://go.dev/cl/385035 fixes the problem? That CL uses EDNS(0) to advertise a permitted packet size of 1232 bytes.

Although I have to say that if there are DNS servers out there that incorrectly send responses larger than 512 bytes in the absence of an EDNS(0) packet length, then I suspect that there are DNS servers out there that will simply ignore the EDNS(0) packet length and send whatever packet size they feel like. So I don't know how much this will actually help.

@ianlancetaylor I can, with great enthusiasm, report that your CL causes the test case to pass in the issue.

🎉🎉🎉🎉🎉

It took me a bit to figure out how to check out the CL - I used the base64 encoded blob, not sure if that's the easiest way to do it - but I did build Go locally. And the result of running the test command is starkly different.

Go 1.17.6:

$ ~/.local/go/bin.1.17.6/go run resolve-test.go 
panic: lookup management.azure.com on 172.20.32.1:53: cannot unmarshal DNS message

goroutine 1 [running]:
main.main()
        /home/friel/c/tmp/resolve-test.go:11 +0xe8
exit status 2

With patch applied:

$ ~/c/gh/go/bin/go run resolve-test.go 
13.86.219.80

I rebuilt the Pulumi toolchain that a user reported this error on and which I was able to reproduce, and I can confirm that issue is mitigated as well.

I anticipate this would resolve issues for our friends and colleagues in the infra-as-code ecosystem, as well as anyone else using Go tooling to manage or authenticate with Azure, and likely many of issues folks experienced with non-conforming DNS resolvers out of their control due to being part of a proxy, VPNs, their ISP's routers or otherwise.

If this could be included in the next dot release of Go, I would be eternally grateful. 🙇

Change https://go.dev/cl/386016 mentions this issue: net: send EDNS(0) packet length in DNS query

Change https://go.dev/cl/386014 mentions this issue: Revert "net: send EDNS(0) packet length in DNS query"

Change https://go.dev/cl/386034 mentions this issue: [release-branch.go1.16] net: increase maximum accepted DNS packet to 1232 bytes

Change https://go.dev/cl/386035 mentions this issue: [release-branch.go1.17] net: increase maximum accepted DNS packet to 1232 bytes