Furor Teutonicus blog
Evert Mouw

The DNS situation with Musl and Alpine

DNS on Alpine (musl-based) could, in the past, suddenly show breakage, but that’s solved already.

Problem

Alpine Linux got a lot of “bad press” in various blogs and comments because it uses a C standard library, musl, which did not support DNS-over-TCP. One example is Martin Heinz, who explained it succinctly:

… musl (by design) doesn’t support DNS-over-TCP. Usually, you would not notice this difference, because most of the time a single UDP packet (512 bytes) is enough to resolve hostnames… until it isn’t enough and your application (running on Kubernetes) that previously worked completely fine for months suddenly starts throwing “Unknown Host” exceptions for one particular (very critical) hostname. The worst part is that this can manifest randomly, anytime when some external network change causes the resolution of some particular domain to require more than the 512 bytes available in a single UDP packet. – Martin Heinz (2023)

Of course this caused a lot of online discussion and some people lost trust in musl (and thus, Alpine).

Solved

However, musl gained DNS-over-TCP support in 2023, and Alpine Linux benefits from it. The commit 51d4669fb97782f6a66606da852b5afd49a08001, “dns: implement tcp fallback”, was added by Rich Felker (“dalias”) on 2022-09-22, even before Martin Heinz and Dmitry Chuyko wrote their blog posts.

Even better, Extension Mechanisms for DNS (EDNS) and the Authenticated Data (AD) bit, handy for DNSSEC and DANE, are supported per commit fd7ec068efd590c0393a612599a4fab9bb0a8633, dated even earlier, 2020-05-18. That solved a problem on Alpine with Postfix using DANE. Note that this was an issue distinct from the DNS-over-TCP one.

Easier resolv.conf

Please study this resolv.conf for glibc-based systems:

options edns0 trust-ad
search evert.net
nameserver 127.0.0.1

Below, an equivalent for musl-based systems:

search evert.net
nameserver 127.0.0.1

That’s right: you don’t need options edns0 trust-ad on the musl-based system. You do need it on glibc-based systems because, according to “dalias”, glibc shows “misbehavior stripping the AD bit from results (glibc strips it without that weird option in resolv.conf)” (2023-10-02 on IRC).

(I’m using unbound as caching DNS server on the VM, so Postfix has an easy time using DNS-based blocklists and doing other name lookups. So that’s why I have localhost as a nameserver in resolv.conf.)
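To make the two flags behind this discussion concrete, here is an added example (not code from this post, nor from the musl or glibc projects) that builds a DNS query carrying the EDNS0 OPT record and the AD bit, and reads the TC and AD bits out of a response header; the reply bytes are constructed inline, and the name evert.net and transaction id are just sample values.

```python
import struct

# Flag bits in the DNS header (RFC 1035; AD from RFC 4035).
QR, TC, RD, RA, AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020

def build_query(name, qtype=1, txn_id=0x1234, edns_udp_size=None, trust_ad=False, dnssec_ok=False):
    """Wire-format query for `name`. edns_udp_size appends an EDNS0 OPT RR that
    advertises a UDP payload above the classic 512 bytes (what 'options edns0'
    asks for); trust_ad sets the AD bit in the query (what 'trust-ad' does);
    dnssec_ok sets the DO bit inside the OPT RR, needed for DNSSEC/DANE records."""
    flags = RD | (AD if trust_ad else 0)
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/DO+Z, RDLEN=0
        ttl_field = 0x8000 if dnssec_ok else 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, ttl_field, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the 12-byte header. TC means the answer did not fit in the UDP
    payload; AD means the upstream resolver validated the data with DNSSEC."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "ad": bool(flags & AD), "rcode": flags & 0x000F, "ancount": an}

def needs_tcp_fallback(msg):
    """True when the client must retry the query over TCP; a stub resolver
    without TCP fallback (musl before the 2022 commit) fails the lookup instead."""
    return parse_header(msg)["tc"]

# Constructed header-plus-question samples (not captured traffic; answer RRs
# omitted): one truncated reply without AD, one DNSSEC-validated reply.
_question = build_query("evert.net")[12:]
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | TC | RD | RA, 1, 0, 0, 0) + _question
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0) + _question

if __name__ == "__main__":
    q = build_query("evert.net", edns_udp_size=4096, trust_ad=True, dnssec_ok=True)
    print(len(q), "byte query with EDNS0 OPT, AD and DO set")
    print("truncated reply needs TCP:", needs_tcp_fallback(TRUNCATED_REPLY))
    print("validated reply carries AD:", parse_header(VALIDATED_REPLY)["ad"])
```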

Concluding remarks

That’s what I, a simple end-user, made of it. Hopefully I didn’t mess up the technical details. I’m in the process of replacing an old Scientific Linux 6 (RHEL clone) virtual machine, used for mail filtering, with an Alpine installation, although I also created a DragonflyBSD VM. Both are nice IMHO, but Alpine is smaller and easier to manage; its use of musl might be a risk, but apart from the solved DNS problems, I don’t see many other complaints “in the wild”. It should suffice for my personal home server ;-)

Also, I’m grateful for the quick responses on IRC from the musl developer “dalias” and the Alpine enthusiast “minimal”, which adds further confidence.