Problems with DNS on macOS with Socket Filter #439

Closed
uwej711 opened this issue Dec 14, 2024 · 3 comments

uwej711 commented Dec 14, 2024

We use lima on macOS for virtual machines and ran into problems with DNS with the latest version of lima (1.0.2), which uses gvisor-tap-vsock 0.8.1. The problem is that our VPN software installs a socket filter as DNS proxy. In the virtual machine, DNS resolution fails as long as the socket filter is active. I tried a few things and found out that the issue only happens when using UDP; TCP was fine.
In the end it looks like the actual implementation here in https://github.com/containers/gvisor-tap-vsock/blob/main/pkg/services/dns/dns.go#L150 is basically too fast for that socket filter. With a simple Go program that just does a DNS query with client.Exchange I can reproduce the behavior. DNS resolution works with the socket filter if there is a short delay between opening the connection and sending the request:

This works:

    conn, err := client.Dial(nameserver)
    time.Sleep(200 * time.Microsecond)
    r, _, err := client.ExchangeWithConn(msg, conn)

but this does not:

    r, _, err := dnsClient.Exchange(msg, nameserver)

I understand that the actual problem might be with the socket filter and maybe macOS, and will try to address this with the vendor of the VPN software, but I also wonder if we could add a change like this to your code base ...
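A stand-alone way to run the comparison described in the comment above, as an added example that is not code from the issue or from gvisor-tap-vsock. It uses only the Go standard library rather than the client calls quoted above, and the names `probe` and `buildQuery`, the query ID 0x4242 and the 2-second timeout are assumptions; it also probes over TCP, which the reporter found unaffected.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"os"
	"strings"
	"time"
)

// buildQuery encodes a minimal DNS query: one A/IN question, RD flag set.
func buildQuery(id uint16, name string) []byte {
	q := []byte{byte(id >> 8), byte(id), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0} // header
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(append(q, byte(len(label))), label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// probe dials, waits delay, sends one query; nil means a matching reply came back.
func probe(network, server, name string, delay, timeout time.Duration) error {
	conn, err := net.Dial(network, server)
	if err != nil {
		return err
	}
	defer conn.Close()
	time.Sleep(delay) // the gap between opening the socket and the first send
	conn.SetDeadline(time.Now().Add(timeout))
	q, off, buf := buildQuery(0x4242, name), 0, make([]byte, 1500) // constructed ID
	if network == "tcp" { // DNS over TCP prefixes each message with its length
		q, off = append([]byte{byte(len(q) >> 8), byte(len(q))}, q...), 2
	}
	if _, err = conn.Write(q); err == nil {
		_, err = io.ReadAtLeast(conn, buf, off+2)
	}
	if err == nil && (buf[off] != 0x42 || buf[off+1] != 0x42) {
		err = fmt.Errorf("reply ID does not match query ID 0x4242")
	}
	return err
}

func main() { // usage: go run probe.go <nameserver ip:port> <name>
	if len(os.Args) == 3 {
		for _, d := range []time.Duration{0, 200 * time.Microsecond} {
			fmt.Println("udp, delay", d, "->", probe("udp", os.Args[1], os.Args[2], d, 2*time.Second))
		}
		fmt.Println("tcp ->", probe("tcp", os.Args[1], os.Args[2], 0, 2*time.Second))
	}
}
```

A timeout on the zero-delay UDP probe alongside success on the delayed UDP and TCP probes matches the behavior reported here.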

baude (Member) commented Feb 11, 2025

I would think any PR is welcome ... @cfergeau you agree?

cfergeau (Collaborator) commented

gvisor-tap-vsock 0.8.0 made big changes to DNS resolution, but they turned out to be problematic in a number of cases, so these changes were reverted in 0.8.3. If DNS worked fine before 0.8.1 with this VPN software, then it should also be ok with 0.8.3 or newer.

uwej711 (Author) commented Feb 14, 2025

Thanks for the update. I can confirm that the issue no longer exists with lima 1.0.6. Closing this.

uwej711 closed this as completed Feb 14, 2025