On Sat, May 27, 2023 at 02:22:47PM +0000, Juan Orti wrote:
> Hi,
>
> I'm testing a DNS server in a rootless container using pasta, and I have seen that the IPv6 UDP packets are not reaching the service:
>
> $ dig www.google.com @fddc:f797:78ef:70::5 +short
> ;; communications error to fddc:f797:78ef:70::5#53: timed out
> ;; communications error to fddc:f797:78ef:70::5#53: timed out
> ;; communications error to fddc:f797:78ef:70::5#53: timed out
>
> ; <<>> DiG 9.18.15 <<>> www.google.com @fddc:f797:78ef:70::5 +short
> ;; global options: +cmd
> ;; no servers could be reached
>
> TCP over IPv6, and both UDP and TCP over IPv4, work fine:
>
> $ dig www.google.com @fddc:f797:78ef:70::5 +short +tcp
> 216.239.38.120
> $ dig www.google.com @192.168.7.5 +short
> 216.239.38.120
> $ dig www.google.com @192.168.7.5 +short +tcp
> 216.239.38.120
>
> The pasta process is running with these arguments:
>
> /usr/bin/pasta --config-net -u 53-53:53-53 -t 53-53:53-53 -t 3003-3003:3003-3003 -T none -U none --no-map-gw --netns /run/user/1002/netns/netns-378b62b8-bf27-3b51-1fb1-e2ebb7119647
>
> I'm using passt-0^20230509.g96f8d55-1.fc38.x86_64 from Fedora CoreOS 38. Is this a known bug, or am I doing something wrong?

So, we have some special cases related to port 53 - aimed at allowing the container to contact a nameserver outside. I don't think we thought much about the case of a DNS server inside the container. So my first guess would be that those special cases have an error that's interfering with your use case.

If it's possible to try running your server on a port other than 53 temporarily, that would be interesting to try.

We also attempt to auto-configure those cases from the host's resolv.conf, so if you could share that it might shed some extra light.

-- 
David Gibson                    | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you. NOT _the_ _other_
                                | _way_ _around_!
http://www.ozlabs.org/~dgibson
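A small probe, added here and not part of the thread or of passt/pasta itself, that runs the experiment suggested above: it sends a hand-built DNS query over UDP and over TCP, on port 53 and on an alternative port, to the IPv4 and IPv6 addresses from the report, so a failure confined to one address/transport/port combination stands out. The alternative port (5353), the query name and the timeout are assumptions; the addresses come from the report.

```python
import socket
import struct
import random

# Addresses from the report; 5353 is an assumed alternative port for the
# "run the server on a port other than 53" experiment (not from the thread).
TARGETS = [("fddc:f797:78ef:70::5", socket.AF_INET6), ("192.168.7.5", socket.AF_INET)]
PORTS = [53, 5353]


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default, recursion desired)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def parse_reply(query, reply):
    """Return (rcode, answer_count) if reply is a response to query, else None."""
    if len(reply) < 12 or reply[:2] != query[:2]:  # transaction id must match
        return None
    _, flags, _, ancount = struct.unpack("!HHHH", reply[:8])
    if not flags & 0x8000:  # QR bit: must be a response, not an echoed query
        return None
    return flags & 0x000F, ancount


def probe(addr, family, port, proto, name="www.google.com", timeout=2.0):
    """Send one query; return 'ok', 'timeout', 'error' or 'bad-reply'."""
    query = build_query(name)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(family, kind) as s:
            s.settimeout(timeout)
            if proto == "udp":
                s.sendto(query, (addr, port))
                reply, _ = s.recvfrom(4096)
            else:  # TCP DNS carries a 2-byte big-endian length prefix (RFC 1035)
                s.connect((addr, port))
                s.sendall(struct.pack("!H", len(query)) + query)
                hdr = s.recv(2)
                reply = s.recv(struct.unpack("!H", hdr)[0]) if len(hdr) == 2 else b""
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    return "ok" if parse_reply(query, reply) else "bad-reply"


if __name__ == "__main__":
    for addr, family in TARGETS:
        for port in PORTS:
            for proto in ("udp", "tcp"):
                print(f"[{addr}]:{port}/{proto}: {probe(addr, family, port, proto)}")
```

Run it from inside the container's network namespace and from the host; a "timeout" only on the IPv6/UDP/53 row, with the 5353 rows passing, points at the port-53 special casing rather than at the server.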