`nslookup root` timeout

I’m using Docker Desktop for Windows with the default DNS settings which uses as the nameserver on all my images and I discovered that the command nslookup root times out with the error “;; connection timed out; no servers could be reached”. I’m not that familiar with the inner workings of nslookup but I believe that command is an alias for something like nslookup -type=ns . (which also fails with the same error). If I update my resolv.conf to a legit server like, the commands work.

Is this expected behavior?

The “root” command seems to be some kind of special command which is not implemented the same way in every nslookup but It should not time out if the IP address is really belongs to a DNS server and that DNS server knows about the root servers. Can you run any command with nslookup using that IP? Try:

nslookup google.com

That works, and I’m able to do most other dig and nslookup commands, but anything using root or “.” times out.

Doing a little more research: For the command nslookup -type=ns ., pcap shows no response from at all. However, I discovered the logs for Docker’s embedded CoreDNS-1.8.6 server (%APPDATA%\Docker\log\vm\dns-forwarder.out.log) and they seem to indicate that the query was actually done and “NOERROR” was received (although, the elapsed time is a bit extreme):

[INFO] - 36015 “NS IN . udp 17 false 512” NOERROR qr,rd,ra 17 26.25215932s
[INFO] - 36015 “NS IN . udp 17 false 512” NOERROR qr,rd,ra 17 31.261171557s
[INFO] - 36015 “NS IN . udp 17 false 512” NOERROR qr,rd,ra 17 36.251690171s

I see similar using nslookup -vc -type=ns . (to use TCP) but the pcap shows ACK the request and then the system sets FIN,ACK. .5 doesn’t offer a query response.

I also found something that can help you. Yesterday I tried nslookup on Docker Desktop for Mac and Docker Desktop for Windows. Both of them worked. Today I started my VPN on Windows and got the same error as you. nslookup works, but not nslookup root and not nslookup -type=ns .

Do you also have a VPN turned on or anything that can change the routing on your machine?

Yep, and disabling it allows nslookup -type=ns . to work but I still get the same error with nslookup root. Good catch.

Is it the same error with the timeout or just can’t resolve it? I tried nslookup root on multiple machines and I had different results while nslookup -type=ns . gave me the same result everywhere. So I would not rely on the implementation of nslookup root

On both CentOS 7 and Alpine, nslookup root results in ;; connection timed out; no servers could be reached. You’re correct that it shouldn’t be relied upon but it still seems to suggest some sort of issue with Docker’s embedded CoreDNS. If I change from to, both distros can nslookup root fine.

I also just noticed. Off of VPN I no longer get the error for the nslookup -type=ns command but the results are not helpful:


Non-authoritative answer:
*** Can’t find .: No answer

Authoritative answers can be found from:

(Note: I’m not cutting off text, the Authoritative list is empty)