domain routes don't work on client #1073

Open
opened 2025-11-20 05:23:30 -05:00 by saavagebueno · 8 comments

Originally created by @emperorkebab on GitHub (Jul 22, 2024).

Describe the problem

Domain routes don't work on my ubuntu and windows clients. I can ping my other docker peer either by its netbird ip or name, I can even ping a local machine (in the peer's network) by using an ip route, but domain routes don't work.

I verified that the domain is resolvable and accessible inside my peer's docker container, and that the container has the 3 needed cap_adds.
The domain route is correctly set up, with the docker peer as routing peer, and the distribution group assigned to the clients.

I even tried hosting a webserver with the route's domain name inside the docker peer, to no avail.
The only workaround is to create an ip route and manually add the domain mapping in the client hosts file, which is impractical.
Potentially related to https://github.com/netbirdio/netbird/issues/1788


To Reproduce

Steps to reproduce the behavior:

  1. I created a domain route with the docker peer as routing peer, and the distribution group of the client
  2. use netbird up (with debug flags)

Expected behavior

The client should ping and connect to the domain of the domain route successfully


NetBird version

0.28.4 for:

  • Self hosted management
  • docker peer
  • ubuntu client
  • windows client

Outputs

netbird up debug log (ubuntu client):

024-07-22T19:26:52+02:00 INFO client/internal/acl/manager.go:52: ACL rules processed in: 1.138681ms, total rules count: 2
2024-07-22T19:26:53+02:00 ERRO client/internal/routemanager/dynamic/route.go:165: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
	* resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: no such host
2024-07-22T19:26:53+02:00 ERRO client/internal/routemanager/dynamic/route.go:165: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
	* resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: no such host
2024-07-22T19:26:53+02:00 ERRO client/internal/routemanager/dynamic/route.go:165: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
	* resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: no such host

client ping error (ubuntu client):

ping: mydomain.com: Temporary failure in name resolution

netbird status (ubuntu client):

Peers detail:
 mydockerpeer.netbird.selfhosted:
  NetBird IP: 100.101.142.98
  Public key: *removed*
  Status: Connected
  -- detail --
  Connection type: P2P
  Direct: true
  ICE candidate (Local/Remote): host/srflx
  ICE candidate endpoints (Local/Remote): 192.168.82.102:51820/198.74.80.1:51820
  Last connection update: 22 seconds ago
  Last WireGuard handshake: 10 seconds ago
  Transfer status (received/sent) 420 B/660 B
  Quantum resistance: false
  Routes: -
  Latency: 61.711842ms

OS: linux/amd64
Daemon version: 0.28.4
CLI version: 0.28.4
Management: Connected to https://anon-HPxz3.domain:8080
Signal: Connected to https://anon-HPxz3.domain:8080
Relays: 
  [stun:anon-HPxz3.domain:3478] is Available
  [turn:anon-HPxz3.domain:3478?transport=udp] is Available
Nameservers: 
FQDN: myclient.netbird.selfhosted
NetBird IP: 100.95.37.12/16
Interface type: Kernel
Quantum resistance: false
Routes: -
Peers count: 1/1 Connected
saavagebueno added the client, dns, docker labels 2025-11-20 05:23:30 -05:00

@lixmal commented on GitHub (Jul 25, 2024):

Hi @emperorkebab,

Is the domain resolvable from the client? That's where the domains are resolved.
If it is, can you send over the contents of /etc/resolv.conf when netbird is up, please?


@emperorkebab commented on GitHub (Jul 27, 2024):

> Is the domain resolvable from the client?

No, (in all of my clients)

> can you send over the contents of /etc/resolv.conf when netbird is up, please?

@lixmal I hope this is descriptive enough

| | ubuntu client | docker peer |
|---|---|---|
| when netbird up | `nameserver 127.0.0.53`<br>`options edns0 trust-ad`<br>`search netbird.selfhosted` | `search lan`<br>`nameserver 127.0.0.11`<br>`options edns0 trust-ad ndots:0` |
| when netbird down | `nameserver 127.0.0.53`<br>`options edns0 trust-ad`<br>`search .` | can't disable netbird via docker tty |
| can resolve domain | No | Yes, ping too |
| network | connecting from public net | in server's local network, alongside the route domain's target |

@emperorkebab commented on GitHub (Jul 27, 2024):

Also after updating my clients and servers to 0.28.6

The ubuntu client output log now is:

2024-07-23T10:15:23+02:00 ERRO client/internal/routemanager/dynamic/route.go:178: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
	* resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: server misbehaving

instead of the original:

2024-07-22T19:26:53+02:00 ERRO client/internal/routemanager/dynamic/route.go:165: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
	* resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: no such host

The new error (upper one) also happens in line 165 for the first error log line, the next ones happen in line 178


@lixmal commented on GitHub (Jul 27, 2024):

That's the issue then. The clients must be able to resolve the domain for the route to be added.

If this is a private domain you could set the DNS server for the clients to the private one that can resolve it (plus add the route for the DNS server itself)
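An added example (not NetBird code and not from any participant in this thread): a small Go triage helper that pulls the per-domain lookup failures out of a client debug log like the ones quoted above and flags whether the failing resolver is the client's own loopback stub, which is where domain routes are resolved. The names `ParseFailures`, `OnClientResolver` and `Failure` are hypothetical, and the sample log is constructed from the lines quoted in this issue.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed sample, shaped like the debug log lines quoted in this issue.
const sampleLog = `2024-07-22T19:26:52+02:00 INFO client/internal/acl/manager.go:52: ACL rules processed in: 1.138681ms, total rules count: 2
2024-07-22T19:26:53+02:00 ERRO client/internal/routemanager/dynamic/route.go:165: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
  * resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: no such host
2024-07-23T10:15:23+02:00 ERRO client/internal/routemanager/dynamic/route.go:178: Failed to resolve domains for route [mydomain.com]: resolve domains: 1 errors occurred:
  * resolve d mydomain.com: lookup mydomain.com on 127.0.0.53:53: server misbehaving`

// Failure is one per-domain lookup error listed under a route error header.
type Failure struct{ Domain, Resolver, Reason string }

var detailRe = regexp.MustCompile(`^\s*\*\s+resolve d (\S+): lookup \S+ on (\S+): (.+)$`)

// ParseFailures collects the detail lines that follow each "Failed to resolve domains for route" header.
func ParseFailures(log string) []Failure {
	var out []Failure
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if strings.Contains(sc.Text(), "Failed to resolve domains for route") {
			inBlock = true
		} else if m := detailRe.FindStringSubmatch(sc.Text()); inBlock && m != nil {
			out = append(out, Failure{m[1], m[2], strings.TrimSpace(m[3])})
		} else {
			inBlock = false // any other line ends the detail block
		}
	}
	return out
}

// OnClientResolver reports whether the lookup went to a loopback resolver (e.g. the 127.0.0.53 stub).
func OnClientResolver(f Failure) bool {
	host, _, err := net.SplitHostPort(f.Resolver)
	ip := net.ParseIP(host)
	return err == nil && ip != nil && ip.IsLoopback()
}

func main() {
	for _, f := range ParseFailures(sampleLog) {
		fmt.Printf("%s via %s: %s (client-side resolver: %v)\n", f.Domain, f.Resolver, f.Reason, OnClientResolver(f))
	}
}
```

A failure reported against a loopback resolver means the name has to become resolvable on the client itself before the route can be installed.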


@emperorkebab commented on GitHub (Jul 27, 2024):

I see what you mean but that DNS solution will just give access to all local domains without access control
I was hoping to be able to route individual domains from the clients to the local network through the docker peer, is something like this possible?


@lixmal commented on GitHub (Aug 1, 2024):

DNS won't give access, it will only expose the IP addresses.

You'll have DNS resolution on the routing clients, which will route their traffic to the routing peer.


@nazarewk commented on GitHub (Apr 23, 2025):

@emperorkebab is this still an issue for you with the latest NetBird version?


@emperorkebab commented on GitHub (Jun 10, 2025):

> @emperorkebab is this still an issue for you with the latest NetBird version?

I'm planning to test this again as soon as possible and report here

Reference: SVI/netbird#1073