SVI/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-05-14 12:12:27 -04:00
Code Issues 3.0k Packages Projects Releases 10 Wiki Activity

The new Netbird DNS Resolver Forced activation cause more problems that the ones that solve #2133

New Issue
Open
opened 2025-11-20 07:04:25 -05:00 by saavagebueno · 25 comments
saavagebueno commented 2025-11-20 07:04:25 -05:00
Owner
Copy Link

Originally created by @buzzzo on GitHub (Jul 30, 2025).

Describe the problem

The forceful setting of netbird dns resolver cause issue on some system

First of all: not all systems needs to have enabled the netbird dns resolver, so the decision to force it enabled no matter what is configured on the dns settings is not the most clever one.

Secondly on some system the config is not applied resulting in the total break of dns resolution (that is: the nameserver row in resolv.conf reports invalid ip/hostname).

Thirdly: on some mail relay system that rely on rbl checking via dns it reports bogus dns query with the reject of mails due to misleading rbl query.

Currently there is not a way to disable the auto management of configuration, even if the peer group is added to the exclusion list.

Originally created by @buzzzo on GitHub (Jul 30, 2025). **Describe the problem** The forceful setting of netbird dns resolver cause issue on some system First of all: not all systems needs to have enabled the netbird dns resolver, so the decision to force it enabled no matter what is configured on the dns settings is not the most clever one. Secondly on some system the config is not applied resulting in the total break of dns resolution (that is: the nameserver row in resolv.conf reports invalid ip/hostname). Thirdly: on some mail relay system that rely on rbl checking via dns it reports bogus dns query with the reject of mails due to misleading rbl query. Currently there is not a way to disable the auto management of configuration, even if the peer group is added to the exclusion list.
saavagebueno added the bugclienttriage-needed labels 2025-11-20 07:04:25 -05:00
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

To add a just discovered other side effect.
Netbird add its own domain BEFORE the system one (eg: vpn.foo.org is netbird domain and foo.org is domain).
So if BEFORE i could reach mickey.foo.org just typing mickey AFTER the netbird addition result in automatically resolver mickey in michey.vpn.foo.org).

This is fine for desktop system but totally wrong for servers.
Please make this feature as selectable.

@buzzzo commented on GitHub (Jul 30, 2025): To add a just discovered other side effect. Netbird add its own domain BEFORE the system one (eg: vpn.foo.org is netbird domain and foo.org is domain). So if BEFORE i could reach mickey.foo.org just typing mickey AFTER the netbird addition result in automatically resolver mickey in michey.vpn.foo.org). This is fine for desktop system but totally wrong for servers. Please make this feature as selectable.
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

Seems that 0.52.1 fixed the possibility to disable dns management with peer group.

@buzzzo commented on GitHub (Jul 30, 2025): Seems that 0.52.1 fixed the possibility to disable dns management with peer group.
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@LordAnchemis commented on GitHub (Jul 30, 2025):

TLDR: 0.52.1 has buggy DNS resolution

For me it was apt update failing as DNS couldn't resolve debian.org (lol)

@LordAnchemis commented on GitHub (Jul 30, 2025): TLDR: 0.52.1 has buggy DNS resolution For me it was apt update failing as DNS couldn't resolve debian.org (lol)
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@Pamalosebi commented on GitHub (Jul 30, 2025):

When netbird 0.52.1 is activated on my systems I get stuff like

dig github.com
dig: parse of /etc/resolv.conf failed

And It resolves when I disable netbird
sudo netbird down

@Pamalosebi commented on GitHub (Jul 30, 2025): When netbird 0.52.1 is activated on my systems I get stuff like ``` dig github.com dig: parse of /etc/resolv.conf failed ``` And It resolves when I disable netbird `sudo netbird down`
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@nazarewk commented on GitHub (Jul 30, 2025):

Can I ask you to enable trace logs ("permanently", so it starts with those) and gather debug bundles? You can try netbird debug bundle -U, but feel free to mail those to support@netbird.io if the upload fails.

See https://docs.netbird.io/how-to/troubleshooting-client#on-other-linux-and-mac-os for instructions on changing log levels

@nazarewk commented on GitHub (Jul 30, 2025): Can I ask you to enable `trace` logs ("permanently", so it starts with those) and gather debug bundles? You can try `netbird debug bundle -U`, but feel free to mail those to support@netbird.io if the upload fails. See https://docs.netbird.io/how-to/troubleshooting-client#on-other-linux-and-mac-os for instructions on changing log levels
saavagebueno commented 2025-11-20 07:04:26 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

When netbird 0.52.1 is activated on my systems I get stuff like

dig github.com
dig: parse of /etc/resolv.conf failed

And It resolves when I disable netbird sudo netbird down

This is because netbird creates a bogus config and the system (linux itself) cannot parse it correctly. The solution would be to upgrade netbird to the latest version AND add the linux peers to the dns exclusion. This seems (at least on my systems) to ignore completely the netbird dns rules and revert to the original resolv.conf.

You could also try to create a dns rules (on the dashboard) with your internal dns servers matching group "all". In this way you are telling to netbird to redirect ALL dns request to your dns server, but in any case netbird rewrite the resolv.conf of your system adding as nameserver its netbird peer ip.

@buzzzo commented on GitHub (Jul 30, 2025): > When netbird 0.52.1 is activated on my systems I get stuff like > > ``` > dig github.com > dig: parse of /etc/resolv.conf failed > ``` > > And It resolves when I disable netbird `sudo netbird down` This is because netbird creates a bogus config and the system (linux itself) cannot parse it correctly. The solution would be to upgrade netbird to the latest version AND add the linux peers to the dns exclusion. This seems (at least on my systems) to ignore completely the netbird dns rules and revert to the original resolv.conf. You could also try to create a dns rules (on the dashboard) with your internal dns servers matching group "all". In this way you are telling to netbird to redirect ALL dns request to your dns server, but in any case netbird rewrite the resolv.conf of your system adding as nameserver its netbird peer ip.
saavagebueno commented 2025-11-20 07:04:27 -05:00
Author
Owner
Copy Link

@Pamalosebi commented on GitHub (Jul 30, 2025):

My system was unusable so I reverted to an older version... That did work.
I did put netbird in my package managers (pacman) exclusion list for now.

sudo podman -U /var/cache/pacman/pkg/netbird-0.51.2-1-x86_64.pkg.tar.zst
sudo systemctl restart netbird.service
sudo netbird up
@Pamalosebi commented on GitHub (Jul 30, 2025): My system was unusable so I reverted to an older version... That did work. I did put netbird in my package managers (pacman) exclusion list for now. ``` sudo podman -U /var/cache/pacman/pkg/netbird-0.51.2-1-x86_64.pkg.tar.zst sudo systemctl restart netbird.service sudo netbird up ```
saavagebueno commented 2025-11-20 07:04:27 -05:00
Author
Owner
Copy Link

@LordAnchemis commented on GitHub (Jul 30, 2025):

Can I ask you to enable trace logs ("permanently", so it starts with those) and gather debug bundles? You can try netbird debug bundle -U, but feel free to mail those to support@netbird.io if the upload fails.

See https://docs.netbird.io/how-to/troubleshooting-client#on-other-linux-and-mac-os for instructions on changing log levels

DNS name resolution is broken

Netbird forces its own nameservers (100.x.x.x) into /etc/resolv.conf
Although it does backup the original file (with the old name servers), you cannot edit resolv.conf while netbird is up

If you haven't defined a name server in the dashboard and your client relies on IPv4 DNS - domain names are no longer resolved system-wide - it will try to look up the name server at 100.x.x.x, which then points to nothing = fail

You can bypass the issue by using either IPv6 (if your system/network/ISP supports it) or set up a custom name server (in the dashboard) that points to your 'old' DNS resolver (ie. the router/gateway IP address)

But this is only a 'temporary' fix - as netbird should NOT break core system functionality (like DNS out of the box)

Users should be allowed to choose which DNS server they want (ie. router/gateway or netbird's) and what priority etc. - or at least fall back to the default/old DNS if there is no custom name server defined in the dashboard

Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning

@LordAnchemis commented on GitHub (Jul 30, 2025): > Can I ask you to enable `trace` logs ("permanently", so it starts with those) and gather debug bundles? You can try `netbird debug bundle -U`, but feel free to mail those to [support@netbird.io](mailto:support@netbird.io) if the upload fails. > > See https://docs.netbird.io/how-to/troubleshooting-client#on-other-linux-and-mac-os for instructions on changing log levels DNS name resolution is broken Netbird forces its own nameservers (100.x.x.x) into /etc/resolv.conf Although it does backup the original file (with the old name servers), you cannot edit resolv.conf while netbird is up If you haven't defined a name server in the dashboard and your client relies on IPv4 DNS - domain names are no longer resolved system-wide - it will try to look up the name server at 100.x.x.x, which then points to nothing = fail You can bypass the issue by using either IPv6 (if your system/network/ISP supports it) or set up a custom name server (in the dashboard) that points to your 'old' DNS resolver (ie. the router/gateway IP address) But this is only a 'temporary' fix - as netbird should NOT break core system functionality (like DNS out of the box) Users should be allowed to choose which DNS server they want (ie. router/gateway or netbird's) and what priority etc. - or at least fall back to the default/old DNS if there is no custom name server defined in the dashboard Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning
saavagebueno commented 2025-11-20 07:04:27 -05:00
Author
Owner
Copy Link

@lixmal commented on GitHub (Jul 30, 2025):

Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning

Can you describe what needs to be fixed or provide a PR? I haven't figured out what's broken yet without logs

@lixmal commented on GitHub (Jul 30, 2025): >Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning Can you describe what needs to be fixed or provide a PR? I haven't figured out what's broken yet without logs
saavagebueno commented 2025-11-20 07:04:27 -05:00
Author
Owner
Copy Link

@braginini commented on GitHub (Jul 30, 2025):

Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning

Logs help fixing things as they contain information that may be specific to certain environments and just speed things up when debugging. Not everyone has the issue. Would be great if you could share the logs

@braginini commented on GitHub (Jul 30, 2025): >Don't need logs - as a few of us (@buzzzo) have already done the digging around and diagnosed the issue this morning Logs help fixing things as they contain information that may be specific to certain environments and just speed things up when debugging. Not everyone has the issue. Would be great if you could share the logs
saavagebueno commented 2025-11-20 07:04:27 -05:00
Author
Owner
Copy Link

@LordAnchemis commented on GitHub (Jul 30, 2025):

2025-07-30T17:38:26Z TRAC client/internal/dns/handler_chain.go:166: DNS request domain=deb.debian.org., handlers (3):
  - pattern: domain=78.100.in-addr.arpa. original: domain=78.100.in-addr.arpa. wildcard=false match_subdomain=true priority=100
  - pattern: domain=netbird.cloud. original: domain=netbird.cloud. wildcard=false match_subdomain=true priority=100
  - pattern: domain=. original: domain=. wildcard=false match_subdomain=true priority=-100
2025-07-30T17:38:26Z TRAC client/internal/dns/handler_chain.go:174: handler matched: domain=deb.debian.org. -> pattern=. wildcard=false match_subdomain=true priority=-100
2025-07-30T17:38:26Z TRAC [request_id: 4e843190] client/internal/dns/upstream.go:114: received upstream question: domain=deb.debian.org. type=1 class=1
2025-07-30T17:38:28Z WARN [request_id: 4e843190] client/internal/dns/upstream.go:138: upstream [fd78:94bf:7df8::1:53]:53 timed out for question domain=deb.debian.org.
2025-07-30T17:38:28Z ERRO [request_id: 4e843190] client/internal/dns/upstream.go:161: all queries to the upstream [[fd78:94bf:7df8::1:53]:53] failed for question domain=deb.debian.org.
2025-07-30T17:38:28Z WARN [request_id: d6e0f964] client/internal/dns/upstream.go:138: upstream [fd78:94bf:7df8::1:53]:53 timed out for question domain=deb.debian.org.
2025-07-30T17:38:28Z ERRO [request_id: d6e0f964] client/internal/dns/upstream.go:161: all queries to the upstream [[fd78:94bf:7df8::1:53]:53] failed for question domain=deb.debian.org.
@LordAnchemis commented on GitHub (Jul 30, 2025): ``` 2025-07-30T17:38:26Z TRAC client/internal/dns/handler_chain.go:166: DNS request domain=deb.debian.org., handlers (3): - pattern: domain=78.100.in-addr.arpa. original: domain=78.100.in-addr.arpa. wildcard=false match_subdomain=true priority=100 - pattern: domain=netbird.cloud. original: domain=netbird.cloud. wildcard=false match_subdomain=true priority=100 - pattern: domain=. original: domain=. wildcard=false match_subdomain=true priority=-100 2025-07-30T17:38:26Z TRAC client/internal/dns/handler_chain.go:174: handler matched: domain=deb.debian.org. -> pattern=. wildcard=false match_subdomain=true priority=-100 2025-07-30T17:38:26Z TRAC [request_id: 4e843190] client/internal/dns/upstream.go:114: received upstream question: domain=deb.debian.org. type=1 class=1 2025-07-30T17:38:28Z WARN [request_id: 4e843190] client/internal/dns/upstream.go:138: upstream [fd78:94bf:7df8::1:53]:53 timed out for question domain=deb.debian.org. 2025-07-30T17:38:28Z ERRO [request_id: 4e843190] client/internal/dns/upstream.go:161: all queries to the upstream [[fd78:94bf:7df8::1:53]:53] failed for question domain=deb.debian.org. 2025-07-30T17:38:28Z WARN [request_id: d6e0f964] client/internal/dns/upstream.go:138: upstream [fd78:94bf:7df8::1:53]:53 timed out for question domain=deb.debian.org. 2025-07-30T17:38:28Z ERRO [request_id: d6e0f964] client/internal/dns/upstream.go:161: all queries to the upstream [[fd78:94bf:7df8::1:53]:53] failed for question domain=deb.debian.org. ```
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

IMHO the point on this issue is not related to find a possible bug or not but on the opportunity to force a configuration on a system which could potentially (and it did) create severe disruption of service.

From what i've seen, let's imagine the following case:

  1. no dns policy non netbird server side

So imagine to upgrade netbird on host A, as soon as netbird gets upgraded the newest service starts to do the following things on host A:

  1. rewrite the system resolver config of host A pretending to set as nameserver the netbird peer ip of host A
  2. if no dns policy found then use the ones presents in resolv.conf of host A

From now on the life lets get started complicated:
imagine that for whatever reason the netbird service is unable to create a valid config on host A:

  1. it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that)
  2. I can't modify the resolv.conf to restore a working one because the netbird service actively monitoring it: as soon as i will try to modify resolv.conf it wil restore its own file (the broken one).

So in the end i will have a broken dns resolver, with all the relative consequences.

Some of the problems found with this approach:

  1. nobody ask netbird to enable by default this "feature", which could create dns resolution issues also with a good config applied.
  2. netbird does not check if the config works: resulting in the worst case in a total broken resolver config.
  3. adding in the search domains also the netbird domain could cause misconfiguration in dns resolving (ping hostA gives host A netbird peer ip instead of host A real ip)
  4. Bogus dns resolver (aka: invalid rbl lookup) in the fortunate cases that the resolver config is applied correctly.

So my first concern is the approach that Netbird's Team has used in implementing a breaking (in all senses) change feature.

POSSIBLE WORKAROUNDS:

  1. create a GLOBAL switch on netbird server to enable/disable the auto-replacement of peer's resolver config
  2. create 1) as false by default in the netbird config. (something like ENABLE_DNS_RESOLVER_MODIFICATION=false)
  3. create a GLOBAL flag for disable/enable search netbird vpn domain in peer's resolver config
@buzzzo commented on GitHub (Jul 30, 2025): IMHO the point on this issue is not related to find a possible bug or not but on the opportunity to force a configuration on a system which could potentially (and it did) create severe disruption of service. From what i've seen, let's imagine the following case: 1) no dns policy non netbird server side So imagine to upgrade netbird on host A, as soon as netbird gets upgraded the newest service starts to do the following things on host A: 1) rewrite the system resolver config of host A pretending to set as nameserver the netbird peer ip of host A 2) if no dns policy found then use the ones presents in resolv.conf of host A From now on the life lets get started complicated: imagine that for whatever reason the netbird service is unable to create a valid config on host A: 1) it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that) 2) I can't modify the resolv.conf to restore a working one because the netbird service actively monitoring it: as soon as i will try to modify resolv.conf it wil restore its own file (the broken one). So in the end i will have a broken dns resolver, with all the relative consequences. Some of the problems found with this approach: 1) nobody ask netbird to enable by default this "feature", which could create dns resolution issues also with a good config applied. 2) netbird does not check if the config works: resulting in the worst case in a total broken resolver config. 3) adding in the search domains also the netbird domain could cause misconfiguration in dns resolving (ping hostA gives host A netbird peer ip instead of host A real ip) 4) Bogus dns resolver (aka: invalid rbl lookup) in the fortunate cases that the resolver config is applied correctly. So my first concern is the approach that Netbird's Team has used in implementing a breaking (in all senses) change feature. POSSIBLE WORKAROUNDS: 1) create a GLOBAL switch on netbird server to enable/disable the auto-replacement of peer's resolver config 2) create 1) as false by default in the netbird config. (something like ENABLE_DNS_RESOLVER_MODIFICATION=false) 3) create a GLOBAL flag for disable/enable search netbird vpn domain in peer's resolver config
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@LordAnchemis commented on GitHub (Jul 30, 2025):

I agree with @buzzzo

Or at least install the DNS resolver to another file like /etc/netbird/nameservers or something - rather than hijack the system resolv.conf (which is naughty)

And give the user ability to select which DNS resolver to use

@LordAnchemis commented on GitHub (Jul 30, 2025): I agree with @buzzzo Or at least install the DNS resolver to another file like /etc/netbird/nameservers or something - rather than hijack the system resolv.conf (which is naughty) And give the user ability to select which DNS resolver to use
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

I agree with @buzzzo

Or at least install the DNS resolver to another file like /etc/netbird/nameservers or something - rather than hijack the system resolv.conf (which is naughty)

And give the user ability to select which DNS resolver to use

If it done properly the config should work but imho the choice of enabling/disabling should be an admin responsability.

@buzzzo commented on GitHub (Jul 30, 2025): > I agree with [@buzzzo](https://github.com/buzzzo) > > Or at least install the DNS resolver to another file like /etc/netbird/nameservers or something - rather than hijack the system resolv.conf (which is naughty) > > And give the user ability to select which DNS resolver to use If it done properly the config should work but imho the choice of enabling/disabling should be an admin responsability.
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@lixmal commented on GitHub (Jul 30, 2025):

https://github.com/netbirdio/netbird/releases/tag/v0.52.2 is on the way

@lixmal commented on GitHub (Jul 30, 2025): https://github.com/netbirdio/netbird/releases/tag/v0.52.2 is on the way
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 30, 2025):

https://github.com/netbirdio/netbird/releases/tag/v0.52.2 is on the way

Is it supposed to fix some of the DNS management issues ?

@buzzzo commented on GitHub (Jul 30, 2025): > https://github.com/netbirdio/netbird/releases/tag/v0.52.2 is on the way Is it supposed to fix some of the DNS management issues ?
saavagebueno commented 2025-11-20 07:04:28 -05:00
Author
Owner
Copy Link

@Blackclaws commented on GitHub (Jul 31, 2025):

My guess is that the upstream resolvers are not picked up correctly by netbird, hence resolution is failing.

@buzzzo
it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that)

What is the BROKEN_ip here? isn't it the netbird peer local address?

@Blackclaws commented on GitHub (Jul 31, 2025): My guess is that the upstream resolvers are not picked up correctly by netbird, hence resolution is failing. @buzzzo it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that) What is the BROKEN_ip here? isn't it the netbird peer local address?
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@buzzzo commented on GitHub (Jul 31, 2025):

My guess is that the upstream resolvers are not picked up correctly by netbird, hence resolution is failing.

@buzzzo it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that)

What is the BROKEN_ip here? isn't it the netbird peer local address?

It's certainly a race condition: but BEFORE commiting a conf on a vital file on the system imho netbird should be verify that the conf works.

@buzzzo commented on GitHub (Jul 31, 2025): > My guess is that the upstream resolvers are not picked up correctly by netbird, hence resolution is failing. > > [@buzzzo](https://github.com/buzzzo) it creates a resolv.conf file which a line starting like: nameserver BROKEN_ip (yes i've find in my resolv.conf something like that) > > What is the BROKEN_ip here? isn't it the netbird peer local address? It's certainly a race condition: but BEFORE commiting a conf on a vital file on the system imho netbird should be verify that the conf works.
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@hurricanehrndz commented on GitHub (Jul 31, 2025):

I think most ppl would like to know what the purpose of the change or more specifically this PR is. Also if you are going to be the system resolver it would be best that you ensure you are adhering to the RFCs and the standard:
https://github.com/netbirdio/netbird/issues/4242

I am in agreeance with everyone else here though, on linux it should be the admin's job to decide what system configurations get applied.

@hurricanehrndz commented on GitHub (Jul 31, 2025): I think most ppl would like to know what the purpose of the change or more specifically this [PR](https://github.com/netbirdio/netbird/commit/cb85d3f2fc8d6836544013fd1764d93d8a02351d) is. Also if you are going to be the system resolver it would be best that you ensure you are adhering to the RFCs and the standard: https://github.com/netbirdio/netbird/issues/4242 I am in agreeance with everyone else here though, on linux it should be the admin's job to decide what system configurations get applied.
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@hurricanehrndz commented on GitHub (Jul 31, 2025):

Does anyone know what problems the change was trying to fix

@hurricanehrndz commented on GitHub (Jul 31, 2025): Does anyone know what problems the change was trying to fix
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@andreascschmidt commented on GitHub (Aug 1, 2025):

I have 0.52.2 and the whole DNS is still fubar. But I also note that on all nodes since the 0.52 update, the routing itself seems broken .. Like it's actually not picking the netbird network at all hence cant resolve the "custom" DNS.

@andreascschmidt commented on GitHub (Aug 1, 2025): I have 0.52.2 and the whole DNS is still fubar. But I also note that on all nodes since the 0.52 update, the routing itself seems broken .. Like it's actually not picking the netbird network at all hence cant resolve the "custom" DNS.
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@hurricanehrndz commented on GitHub (Aug 3, 2025):

I have not seen this, and also I understand now what the team was trying to
fix. I am sure that they will solve the issue.

On Fri, Aug 1, 2025 at 1:37 PM Andreas @.***> wrote:

andreascschmidt left a comment (netbirdio/netbird#4250)
https://github.com/netbirdio/netbird/issues/4250#issuecomment-3145581551

I have 0.52.2 and the whole DNS is still fubar. But I also note that on
all nodes since the update, the routing itself seems broken .. Like it's
actually not picking the netbird network at all hence cant resolve the
"custom" DNS.


Reply to this email directly, view it on GitHub
https://github.com/netbirdio/netbird/issues/4250#issuecomment-3145581551,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/ABMJBTJKCAEOGQ73AV3IYAL3LO6WBAVCNFSM6AAAAACCWE2YCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTCNBVGU4DCNJVGE
.
You are receiving this because you commented.Message ID:
@.***>

@hurricanehrndz commented on GitHub (Aug 3, 2025): I have not seen this, and also I understand now what the team was trying to fix. I am sure that they will solve the issue. On Fri, Aug 1, 2025 at 1:37 PM Andreas ***@***.***> wrote: > *andreascschmidt* left a comment (netbirdio/netbird#4250) > <https://github.com/netbirdio/netbird/issues/4250#issuecomment-3145581551> > > I have 0.52.2 and the whole DNS is still fubar. But I also note that on > all nodes since the update, the routing itself seems broken .. Like it's > actually not picking the netbird network at all hence cant resolve the > "custom" DNS. > > — > Reply to this email directly, view it on GitHub > <https://github.com/netbirdio/netbird/issues/4250#issuecomment-3145581551>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABMJBTJKCAEOGQ73AV3IYAL3LO6WBAVCNFSM6AAAAACCWE2YCWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTCNBVGU4DCNJVGE> > . > You are receiving this because you commented.Message ID: > ***@***.***> >
saavagebueno commented 2025-11-20 07:04:29 -05:00
Author
Owner
Copy Link

@ben-nrth commented on GitHub (Aug 5, 2025):

I've had ongoing issues with the local netbird dns resolver in windows:

  • Local netbird resolver gets installed and prioritised over my local network's DNS server, breaking local domain resolution.
  • Local resolver appears to stop responding eventually (i.e. even to .netbird lookup), breaking DNS resolution.
  • Netbird local resolver not removed from DNS list even when Netbird is disconnected and/or the service is disabled. Notably, the routing table is also not cleaned up after netbird disconnects/service is disabled.

The latest version (0.52.2) has seemingly borked a linux server by forcing the local netbird resolver, which then appears to fail to resolve some domains. Weirdly, nslookup works for the same domain, which seems to be using the local resolver, but the application running (a microsoft backup from a synology server) fails with an ip address lookup error.

client debug output:

2025-08-06T09:41:47+10:00 WARN [request_id: b2a211d2] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com.
2025-08-06T09:41:47+10:00 ERRO [request_id: b2a211d2] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com.
2025-08-06T09:41:48+10:00 WARN [request_id: 3e12de2f] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com.
2025-08-06T09:41:48+10:00 ERRO [request_id: 3e12de2f] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com.
2025-08-06T09:41:48+10:00 WARN [request_id: a763676b] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com.
2025-08-06T09:41:48+10:00 ERRO [request_id: a763676b] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com.

yet nslookup output:

ben@racku:~$ nslookup login.microsoftonline.com.
Server: 100.68.255.254
Address: 100.68.255.254#53

Non-authoritative answer:
login.microsoftonline.com canonical name = login.mso.msidentity.com.
login.mso.msidentity.com canonical name = ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com canonical name = www.tm.a.prd.aadg.trafficmanager.net.
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 20.190.142.166
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 20.190.142.164
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 40.126.14.162
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 40.126.14.160
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 40.126.14.164
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 20.190.142.167
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 20.190.142.163
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 20.190.142.165
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1016:1400:70::4
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1017:0:78::2
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1016:1400:70::2
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1016:1400:68::3
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1017:0:78::1
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1017:0:78::
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1016:1400:68::2
Name: www.tm.a.prd.aadg.trafficmanager.net
Address: 2603:1016:1400:68::5

Apologies is this is going outside the scope of this ticket - a lot of the issues appear to be related to the local resolver, so I've included it here.

@ben-nrth commented on GitHub (Aug 5, 2025): I've had ongoing issues with the local netbird dns resolver in windows: - Local netbird resolver gets installed and prioritised over my local network's DNS server, breaking local domain resolution. - Local resolver appears to stop responding eventually (i.e. even to .netbird lookup), breaking DNS resolution. - Netbird local resolver not removed from DNS list even when Netbird is disconnected and/or the service is disabled. Notably, the routing table is also not cleaned up after netbird disconnects/service is disabled. The latest version (0.52.2) has seemingly borked a linux server by forcing the local netbird resolver, which then appears to fail to resolve some domains. Weirdly, nslookup works for the same domain, which seems to be using the local resolver, but the application running (a microsoft backup from a synology server) fails with an ip address lookup error. client debug output: 2025-08-06T09:41:47+10:00 WARN [request_id: b2a211d2] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com. 2025-08-06T09:41:47+10:00 ERRO [request_id: b2a211d2] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com. 2025-08-06T09:41:48+10:00 WARN [request_id: 3e12de2f] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com. 2025-08-06T09:41:48+10:00 ERRO [request_id: 3e12de2f] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com. 2025-08-06T09:41:48+10:00 WARN [request_id: a763676b] client/internal/dns/upstream.go:138: upstream 8.8.8.8:53 timed out for question domain=login.microsoftonline.com. 2025-08-06T09:41:48+10:00 ERRO [request_id: a763676b] client/internal/dns/upstream.go:161: all queries to the upstream [8.8.8.8:53] failed for question domain=login.microsoftonline.com. yet nslookup output: ben@racku:~$ nslookup login.microsoftonline.com. Server: 100.68.255.254 Address: 100.68.255.254#53 Non-authoritative answer: login.microsoftonline.com canonical name = login.mso.msidentity.com. login.mso.msidentity.com canonical name = ak.privatelink.msidentity.com. ak.privatelink.msidentity.com canonical name = www.tm.a.prd.aadg.trafficmanager.net. Name: www.tm.a.prd.aadg.trafficmanager.net Address: 20.190.142.166 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 20.190.142.164 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 40.126.14.162 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 40.126.14.160 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 40.126.14.164 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 20.190.142.167 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 20.190.142.163 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 20.190.142.165 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1016:1400:70::4 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1017:0:78::2 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1016:1400:70::2 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1016:1400:68::3 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1017:0:78::1 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1017:0:78:: Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1016:1400:68::2 Name: www.tm.a.prd.aadg.trafficmanager.net Address: 2603:1016:1400:68::5 Apologies is this is going outside the scope of this ticket - a lot of the issues appear to be related to the local resolver, so I've included it here.
saavagebueno commented 2025-11-20 07:04:30 -05:00
Author
Owner
Copy Link

@bionemesis commented on GitHub (Oct 27, 2025):

Just want to post here that we are seeing the same issue as @ben-nrth with Synology Active Backup for Microsoft 365 failing with DNS issues. Uninstalling Netbird fixes the issue.

@bionemesis commented on GitHub (Oct 27, 2025): Just want to post here that we are seeing the same issue as @ben-nrth with Synology Active Backup for Microsoft 365 failing with DNS issues. Uninstalling Netbird fixes the issue.
saavagebueno commented 2025-11-20 07:04:30 -05:00
Author
Owner
Copy Link

@ben-nrth commented on GitHub (Oct 27, 2025):

Just want to post here that we are seeing the same issue as @ben-nrth with Synology Active Backup for Microsoft 365 failing with DNS issues. Uninstalling Netbird fixes the issue.

In the end, so that I could continue using Netbird with the Synology server, I used "--disable-dns" when bringing up the client.

If you don't need the .netbird domains, this is an easy workaround.

@ben-nrth commented on GitHub (Oct 27, 2025): > Just want to post here that we are seeing the same issue as [@ben-nrth](https://github.com/ben-nrth) with Synology Active Backup for Microsoft 365 failing with DNS issues. Uninstalling Netbird fixes the issue. In the end, so that I could continue using Netbird with the Synology server, I used "--disable-dns" when bringing up the client. If you don't need the .netbird domains, this is an easy workaround.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
2021 Q4
2022 Q1
2022 Q1
accessibility
acl
agent
agent
Android
Android
api
authentik
automation
azure
battery-usage
bug
cache
client
client-ui
cloud
cloud-only
cloudflare
community
compatibility
config-idp
config-issue
connection
contribution
coturn
cross-vpn
dashboard
data-usage
distribution
dns
docker
documentation
duplicate
enhancement
enhancement
event-stream
feature-request
freebsd
getting-started
go
good first issue
gui
help wanted
home-assistant
idp
inconsistency
integration
integrations
ios
ipv6
jwt
k8s
keycloak
linux
login
macos
management-service
missing-docs
mobile
moved-internal
needs-review
netbird-ui
networking
new-platform
nginx
notification
okta
openwrt
packaging
peer-management
peer-management
peer-management
performance
postgres
posture-checks
psk
pull-request
Mirrored from GitHub Pull Request
 question
refactor
relay
release
rfc
routes
security
security-related
self-hosting
server
signal
sleep-issue
ssh
ssl
status
store
synology
system-compatibility-issue
test-suite
third-party-integration
triage
triage-needed
troubleshooting
UX
waiting-feedback
windows
wontfix
zitadel
No Label bug client triage-needed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
saavagebueno
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: SVI/netbird#2133
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?