`nslookup root` timeout

I’m using Docker Desktop for Windows with the default DNS settings which uses 192.168.65.5 as the nameserver on all my images and I discovered that the command `nslookup root` times out with the error “;; connection timed out; no servers could be reached”. I’m not that familiar with the inner workings of nslookup but I believe that command is an alias for something like `nslookup -type=ns .` (which also fails with the same error). If I update my resolv.conf to a legit server like 8.8.8.8, the commands work.

Is this expected behavior?

The “root” command seems to be some kind of special command which is not implemented the same way in every nslookup, but it should not time out if the IP address really belongs to a DNS server and that DNS server knows about the root servers. Can you run any command with nslookup using that IP? Try:

```
nslookup google.com 192.168.65.5
```

That works, and I’m able to do most other dig and nslookup commands, but anything using root or “.” times out.

Doing a little more research: For the command `nslookup -type=ns .`, pcap shows no response from 192.168.65.5 at all. However, I discovered the logs for Docker’s embedded CoreDNS-1.8.6 server (`%APPDATA%\Docker\log\vm\dns-forwarder.out.log`) and they seem to indicate that the query was actually done and “NOERROR” was received (although, the elapsed time is a bit extreme):

```
[INFO] 192.168.65.4:55735 - 36015 "NS IN . udp 17 false 512" NOERROR qr,rd,ra 17 26.25215932s
[INFO] 192.168.65.4:55735 - 36015 "NS IN . udp 17 false 512" NOERROR qr,rd,ra 17 31.261171557s
[INFO] 192.168.65.4:55735 - 36015 "NS IN . udp 17 false 512" NOERROR qr,rd,ra 17 36.251690171s
```

I see similar using `nslookup -vc -type=ns .` (to use TCP) but the pcap shows 192.168.65.5 ACK the request and then the 192.168.65.4 system sets FIN,ACK. .5 doesn’t offer a query response.

I also found something that can help you. Yesterday I tried nslookup on Docker Desktop for Mac and Docker Desktop for Windows. Both of them worked. Today I started my VPN on Windows and got the same error as you. nslookup works, but not `nslookup root` and not `nslookup -type=ns .`

Do you also have a VPN turned on or anything that can change the routing on your machine?

Yep, and disabling it allows `nslookup -type=ns .` to work but I still get the same error with `nslookup root`. Good catch.

Is it the same error with the timeout or just can’t resolve it? I tried `nslookup root` on multiple machines and I had different results while `nslookup -type=ns .` gave me the same result everywhere. So I would not rely on the implementation of `nslookup root`.

On both CentOS 7 and Alpine, `nslookup root` results in `;; connection timed out; no servers could be reached`. You’re correct that it shouldn’t be relied upon but it still seems to suggest some sort of issue with Docker’s embedded CoreDNS. If I change from 192.168.65.5 to 8.8.8.8, both distros can `nslookup root` fine.

I also just noticed. Off of VPN I no longer get the error for the `nslookup -type=ns` command but the results are not helpful:

```
Server: 192.168.65.5
Address: 192.168.65.5#53

Non-authoritative answer:
*** Can't find .: No answer

Authoritative answers can be found from:
```

(Note: I’m not cutting off text, the Authoritative list is empty)
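
Added example, not part of the thread and not Docker's or CoreDNS's own code: a small Python parser for the `dns-forwarder.out.log` query lines quoted above that flags slow lookups and NOERROR replies too small to hold any records. The function names, the 5-second `slow_secs` threshold and `HEALTHY_LINE` are assumptions made for illustration; `THREAD_LINE` is the first log line from the thread.

```python
import re

# Default CoreDNS "log" plugin layout, as seen in dns-forwarder.out.log:
# client:port - id "qtype qclass name proto qsize do bufsize" rcode flags rsize duration
LINE = re.compile(
    r'\[INFO\] (?P<client>\S+):(?P<port>\d+) - (?P<id>\d+) '
    r'["“](?P<qtype>\S+) (?P<qclass>\S+) (?P<name>\S+) (?P<proto>\S+) '
    r'(?P<qsize>\d+) (?P<do>\S+) (?P<bufsize>\d+)["”] '
    r'(?P<rcode>\S+) (?P<flags>\S+) (?P<rsize>\d+) (?P<secs>[\d.]+)s\s*$'
)

def parse(line):
    """Return the fields of one query log line as a dict, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("qsize", "rsize"):
        rec[key] = int(rec[key])
    rec["secs"] = float(rec["secs"])
    return rec

def bare_question_size(name):
    """Bytes in a DNS message holding only the header and one question, no records."""
    wire_name = 1 if name == "." else len(name.rstrip(".")) + 2
    return 12 + wire_name + 4  # header + QNAME + QTYPE/QCLASS

def findings(line, slow_secs=5.0):
    """List what looks wrong with one logged query (slow_secs is an assumed threshold)."""
    rec = parse(line)
    if rec is None:
        return ["unparsed"]
    out = []
    if rec["secs"] >= slow_secs:
        out.append("slow")
    # NOERROR with a reply no larger than header+question carries no records (NODATA).
    if rec["rcode"] == "NOERROR" and rec["rsize"] <= bare_question_size(rec["name"]):
        out.append("empty-noerror")
    return out

THREAD_LINE = '[INFO] 192.168.65.4:55735 - 36015 "NS IN . udp 17 false 512" NOERROR qr,rd,ra 17 26.25215932s'
# Constructed line for comparison: a normal A lookup answered quickly with one record.
HEALTHY_LINE = '[INFO] 192.168.65.4:40000 - 1234 "A IN google.com. udp 28 false 512" NOERROR qr,rd,ra 44 0.012s'

if __name__ == "__main__":
    for sample in (THREAD_LINE, HEALTHY_LINE):
        print(findings(sample), sample)
```

For the thread's lines, 17 bytes is exactly a DNS header plus a question for the root name, so the logged NOERROR reply carried no NS records, which matches the empty "No answer" output shown above.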