Fix container DNS resolution broken by AAAA/IPv6 NXDOMAIN handling by radoxtech · Pull Request #786

Fix container DNS resolution broken by AAAA/IPv6 NXDOMAIN handling by radoxtech · Pull Request #786 · apple/container

Type of Change

Bug fix
New feature
Breaking change
Documentation update

Motivation and Context

In Alpine Linux containers (commonly used as Docker base images), standard DNS resolution is provided by musl, a lightweight C standard library (libc). Musl implements DNS lookups via getaddrinfo(), which queries AAAA (IPv6) records first.

Observed problem

DNS did not work correctly inside containers. Any system command attempting to resolve hostnames (e.g., ping dynamodb-admin) failed when the DNS server responded NXDOMAIN for AAAA records, even if A (IPv4) records existed. Explicitly forcing IPv4 (ping -4 dynamodb-admin) worked correctly, showing the issue is specific to musl’s IPv6-first behavior.

Consequence

In IPv4-only environments, Alpine-based containers cannot resolve hostnames using standard tools or libraries. Applications relying on getaddrinfo() fail with ENOTFOUND, breaking networking and inter-container communication.

Root cause

Following RFC 8305 / RFC 6724, musl treats NXDOMAIN for AAAA as “hostname does not exist” and does not fallback to A (IPv4) records.

Fix implemented

The Apple Container DNS engine now behaves as follows:

If an A record exists, AAAA queries return NOERROR with empty answer (NODATA).
If neither A nor AAAA exist, NXDOMAIN is returned.

This ensures that Alpine-based containers in IPv4-only networks can correctly resolve hostnames inside containers without modifying container images or application code.

Reproduction steps (Apple Container CLI 0.5.0)

Run the local DynamoDB container in the background:

container run -d --name dynamodb-local docker.io/amazon/dynamodb-local:latest

Run the admin container in interactive mode:

container run -it --name dynamodb-admin -p 8000:8000 docker.io/aaronshaf/dynamodb-admin:latest sh

From inside the admin container, ping the local DynamoDB container:

ping dynamodb-local
ping -4 dynamodb-local

Observed: resolution fails (NXDOMAIN / ENOTFOUND).
Workaround: explicitly forcing IPv4 works.

If comments in source are not required please remove them or let me know.

Testing

Tested locally
Added/updated tests
Added/updated docs