DNS Nameservers read udp timeout #3367

Open
@nattapong-atk

Description

Describe the problem

I have an issue with the DNS nameserver override. Although the internal nameserver mapping for gitlab.mwbkk.com is configured in the NetBird Dashboard (pointing to 100.83.38.245), my Mac client fails to use this override. Instead, it times out when trying to query the internal DNS server, resulting in DNS resolution errors and the message “All upstream servers failed (probe failed)” in the logs.

To Reproduce

  1. Go to the NetBird Dashboard and navigate to the DNS > Nameservers section.
  2. Configure a nameserver mapping for the domain gitlab.example.com with the internal DNS IP set to 100.83.38.245 and set the Match Domain to gitlab.example.com.
  3. Ensure that the BIND DNS server on your GitLab server is properly configured with a zone file like:

     $TTL    604800
     @       IN      SOA     ns1.example.com. admin.example.com. (
                                   2025022201
                                   604800
                                   86400
                                   2419200
                                   604800 )
     ;
     @       IN      NS      ns1.example.com.
     ns1     IN      A       100.83.38.245
     gitlab  IN      A       100.83.38.245

  4. Connect your Mac client to the NetBird VPN.
  5. Run netbird status -d on the Mac and observe DNS events showing the error:

     read udp 100.83.178.108:51646->100.83.38.245:53: i/o timeout

  6. Attempt to access gitlab.example.com via a browser or command-line tools (e.g., curl), and note that the DNS query fails due to the timeout.

Expected behavior

The Mac client should successfully query the internal DNS server at 100.83.38.245 without any UDP read timeouts. The netbird status -d output should indicate that the nameserver mapping for gitlab.example.com is available (e.g., “Nameservers: 1/1 Available”), allowing DNS queries for gitlab.example.com to resolve correctly.

Are you using NetBird Cloud?

I am using a self-hosted NetBird control plane.

NetBird version

Daemon version: 0.37.0
CLI version: 0.37.0

NetBird status -d output:

Peers detail:
Events:
  [WARNING] DNS (a09e64d0-5dfe-4f81-a9b8-581add06b2a5)
    Message: All upstream servers failed (probe failed)
    Time: 14 minutes, 56 seconds ago
    Metadata: upstreams: 100.83.38.245:53
  [INFO] SYSTEM (5756441c-4d1c-454e-8b10-e1d249e76095)
    Message: Network map updated
    Time: 14 minutes, 56 seconds ago
  [WARNING] DNS (ecf4cda7-ec46-4f5a-87e5-b610b1c4c293)
    Message: All upstream servers failed (probe failed)
    Time: 14 minutes, 47 seconds ago
    Metadata: upstreams: 100.83.38.245:53
  [INFO] SYSTEM (38328189-566b-458a-807a-e766b804095f)
    Message: Network map updated
    Time: 14 minutes, 47 seconds ago
  [WARNING] DNS (800d36ee-8e8b-44ac-8b5a-134303498230)
    Message: All upstream servers failed (probe failed)
    Time: 9 minutes, 40 seconds ago
    Metadata: upstreams: 100.83.38.245:53
  [INFO] SYSTEM (a11118b2-3d9a-419b-8311-8c24b4af02de)
    Message: Network map updated
    Time: 9 minutes, 40 seconds ago
  [WARNING] DNS (5a06d02f-a65a-4ab0-a998-f8fdb6e496ff)
    Message: All upstream servers failed (probe failed)
    Time: 8 minutes, 35 seconds ago
    Metadata: upstreams: 100.83.38.245:53
  [INFO] SYSTEM (d6623f55-e8d3-4a72-89f3-25f5dd4fd30c)
    Message: Network map updated
    Time: 8 minutes, 35 seconds ago
  [WARNING] DNS (d634501c-a938-4c17-9022-b035aaed396e)
    Message: All upstream servers failed (probe failed)
    Time: 7 minutes, 41 seconds ago
    Metadata: upstreams: 100.83.38.245:53
  [INFO] SYSTEM (f6018af1-27e8-4467-bc04-d12bb7171a8e)
    Message: Network map updated
    Time: 7 minutes, 41 seconds ago
OS: darwin/arm64
Daemon version: 0.37.0
CLI version: 0.37.0
Management: Connected to https://netbird.example.com:443
Signal: Connected to https://netbird.example.com:443
Relays:
  [stun:netbird.example.com:3478] is Available
  [turn:netbird.example.com:3478?transport=udp] is Available
  [rels://netbird.example.com:443] is Available
Nameservers:
  [100.83.38.245:53] for [gitlab.example.com] is Unavailable, reason: 1 error occurred:
	* read udp 100.83.178.108:51646->100.83.38.245:53: i/o timeout
FQDN: macbook-pro-s-nattapong.netbird.selfhosted
NetBird IP: 100.83.178.108/16
Interface type: Userspace
Quantum resistance: false
Networks: -
Peers count: 0/0 Connected

Additional context

  • Direct queries to the BIND DNS server (e.g., using dig gitlab.example.com @100.83.38.245) return the correct A record, confirming that the internal DNS server is functioning.
  • The error messages indicate that the client is unable to reach the internal nameserver (100.83.38.245) due to UDP timeouts, suggesting a potential connectivity issue or misconfiguration in the DNS override settings.
  • Possible causes might include a distribution group mismatch or a network connectivity issue between the client and the internal DNS server.
  • Restarting the VPN client or reconnecting does not resolve the issue.

I hope this report provides the necessary details to help troubleshoot the "Nameservers read udp timeout" issue with the DNS override in NetBird.
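
A diagnostic sketch added here, not part of the original report and not NetBird's code: it sends one A query over UDP, optionally bound to a chosen source address, so the result from the host's default route can be compared with the result from the NetBird address that appears as the source in the timeout line. The function names are hypothetical, the addresses are the ones in the report, and it assumes the NetBird IP can be bound on the client.

```python
import secrets
import socket
import struct

def build_query(name, qid=None):
    """Build a DNS query for the A record of `name` (RFC 1035 wire format)."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data, qid):
    """Return (rcode, answer_count); reject short, unrelated or non-response packets."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return flags & 0x000F, ancount

def probe(server, name, source_ip=None, port=53, timeout=3.0):
    """Send one query; return (status, detail), status in answered/timeout/error."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            if source_ip:
                sock.bind((source_ip, 0))  # same source as the failing client path
            sock.connect((server, port))   # connected UDP surfaces ICMP refusals
            sock.send(packet)
            rcode, ancount = parse_reply(sock.recv(512), qid)
        except socket.timeout:
            return "timeout", f"no reply from {server}:{port} within {timeout}s"
        except (OSError, ValueError) as exc:
            return "error", str(exc)
    return "answered", f"rcode={rcode} answers={ancount}"

if __name__ == "__main__":
    # Addresses taken from the report; the second probe binds the NetBird IP.
    for src in (None, "100.83.178.108"):
        print(src or "default route", probe("100.83.38.245", "gitlab.example.com", src))
```

An "answered" result on the default route together with "timeout" when bound to the NetBird address points at the overlay path or a filter on the server side rather than at BIND itself.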
