Score:0

Curl has incorrect DNS resolution in a dind context

ERO

I am running a docker:20.10.7-dind container.

Inside it I am running a multi-container app.

One container is a back container. Another one is a keycloak container.

I connect to the back container and have:

```
back$ cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
back$ cat /etc/nsswitch.conf
hosts: files dns
back$ nslookup keycloak.localhost
Server:     127.0.0.11
Address:    127.0.0.11#53

Non-authoritative answer:
Name:   keycloak.localhost
Address: 172.20.0.10

back$ host keycloak.localhost
keycloak.localhost has address 172.20.0.10
back$ nc keycloak.localhost 443 -vvv
keycloak.localhost (172.20.0.10:443) open
```

However, when it comes to curl:

```
back$ curl https://keycloak.localhost -v
*   Trying 127.0.0.1:443...
* connect to 127.0.0.1 port 443 failed: Connection refused
*   Trying [::1]:443...
* Immediate connect fail for ::1: Address not available
* Failed to connect to keycloak.localhost port 443 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to keycloak.localhost port 443 after 0 ms: Couldn't connect to server
```

I notice that curl resolves keycloak.localhost badly, but I cannot figure out why.

Note that if I help curl to resolve, it works like a charm:

```
back$ curl https://keycloak.localhost -v --resolve keycloak.localhost:443:172.20.0.10
* Added keycloak.localhost:443:172.20.0.10 to DNS cache
* Hostname keycloak.localhost was found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.20.0.10:443...
* Connected to keycloak.localhost (172.20.0.10) port 443 (#0)
> GET / HTTP/2
> Host: keycloak.localhost
> user-agent: curl/8.0.1
> accept: */*
> 
< HTTP/2 200 
...
```

I would appreciate any clue to help me understand this.

Cheers

Patrick Mevzek
What do you have in `/etc/hosts`? `nslookup` (but you should use `dig` instead) is a pure DNS client, so it doesn't care about `/etc/hosts` and just asks some nameserver. On the contrary, `curl` asks the OS to do the name resolution by default, and in turn the OS can use various sources to resolve names. `files` is first in `/etc/resolv.conf`, so the content of `/etc/hosts` will have priority over DNS queries for a given name.
ERO
@PatrickMevzek
```
back$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.1 keycloak.localhost
192.168.48.8 90c46daa0d2b
```
I have an explicit resolution in `/etc/hosts` because I have an extra host in my docker config `keycloak.localhost:host-gateway`
Score:0
ERO

Ok I finally figured it out.

It is due to the curl/libcurl version.

Since v7.85, curl always resolves localhost to 127.0.0.1.

See:

https://curl.se/changes.html#7_85_0

https://github.com/curl/curl/issues/9192

I downgraded curl and my stuff is working fine now.
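
A small diagnostic for the behaviour described in the answer above, added here as an example and not part of the original thread: it predicts whether a given curl version answers a name as loopback itself or hands it to the OS resolver, and compares that with what the resolver returns. The function names are hypothetical, the 7.85 cutoff is the version cited in the answer, and treating `*.localhost` like `localhost` is assumed from the curl 8.0.1 output shown in the question.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.
# The 7.85 cutoff is the version cited in the answer above.

# True if NAME is "localhost" or ends in ".localhost" (case-insensitive).
is_localhost_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        localhost|*.localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# True if curl VERSION (e.g. "8.0.1") is 7.85 or newer.
curl_pins_localhost() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 85 ]; }
}

# Prints "loopback" when curl VERSION would answer NAME itself,
# "resolver" when it would ask the OS (/etc/hosts first, then DNS,
# given the "hosts: files dns" line shown in the question).
predict_source() {
    if is_localhost_name "$2" && curl_pins_localhost "$1"; then
        echo loopback
    else
        echo resolver
    fi
}

# Live check: compare the prediction with what the OS resolver returns.
# Assumes curl and getent are installed in the container.
diagnose() {
    ver=$(curl --version | awk 'NR==1 {print $2}')
    echo "curl $ver -> $(predict_source "$ver" "$1")"
    echo "OS resolver -> $(getent hosts "$1" || echo 'no answer')"
}
```

Inside the back container, `diagnose keycloak.localhost` shows both results side by side; a service name that does not end in `.localhost` is predicted to go through the resolver on any curl version.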
