Sprite DNS resolver (10.0.0.2) intermittently refuses connections; IPv6 resolver (fdf::2) completely down

Description:

Both DNS resolvers in /etc/resolv.conf on Sprites have issues:

  1. fdf::2 — 100% connection refused. Completely unreachable.
  2. 10.0.0.2 — intermittently refuses connections (~50% failure rate on some domains).

Since /etc/resolv.conf is read-only and glibc’s getaddrinfo does not fall back gracefully between nameservers (unlike dig), affected lookups fail with “Temporary failure in name resolution” for applications using ping, curl, etc.

resolv.conf (read-only, managed by sprite runtime):
```
nameserver 10.0.0.2
nameserver fdf::2
```

Reproduction:

fdf::2 is completely dead

```
dig tigris.dev @fdf::2 +short
;; communications error to fdf::2#53: connection refused
```

10.0.0.2 works for some domains but not others

```
for i in $(seq 1 8); do dig google.com @10.0.0.2 +short | head -1; done # 8/8
for i in $(seq 1 8); do dig tigris.dev @10.0.0.2 +short | head -1; done # ~4/8
```

Real-world impact — getaddrinfo doesn’t retry across nameservers:

```
sprite@workstation-001:~# ping tigris.dev
PING tigris.dev (169.155.62.13) 56 data bytes
64 bytes from 169.155.62.13: icmp_seq=1 ttl=63 time=0.5 ms
^C
sprite@workstation-001:~# ping tigris.dev
ping: tigris.dev: Temporary failure in name resolution
```

Not an upstream DNS issue. Querying the authoritative nameservers directly from inside the sprite works 100%:

```
dig tigris.dev @ns-135.awsdns-16.com +short # 8/8 — authoritative NS works
dig tigris.dev @10.0.0.2 +short # ~4/8 — sprite resolver flaky
```

The same queries run from outside a sprite (local machine, same domains, same moment) succeed 8/8.

Observed on:

  • Multiple sprites in the same org
  • Verified 2026-04-24

Expected behavior:

  • fdf::2 should be reachable, or removed from resolv.conf
  • 10.0.0.2 should reliably resolve all domains
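
The per-nameserver test from the reproduction above, generalized to every nameserver in resolv.conf and to telling refused, timed-out and answered queries apart, as an added example that is not part of the original post. The function names, the 2-second timeout and the embedded resolv.conf sample (constructed from the post) are assumptions.

```python
import secrets, socket, struct
from collections import Counter

# Constructed sample: the resolv.conf contents quoted in the post.
SAMPLE_RESOLV_CONF = "nameserver 10.0.0.2\nnameserver fdf::2\n"

def nameservers(text):
    """Nameserver addresses from resolv.conf text, in file order."""
    rows = (line.split("#")[0].split() for line in text.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "nameserver"]

def build_query(name, qid):
    """Encode a minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def probe_udp(server, name, timeout=2.0):
    """Send one UDP query; return 'ok' (NOERROR), 'refused', 'timeout', ..."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    qid = secrets.randbelow(65536)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))   # connected UDP surfaces ICMP port-unreachable
            s.send(build_query(name, qid))
            reply = s.recv(512)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"
    if len(reply) < 12 or reply[:2] != struct.pack(">H", qid):
        return "bad-reply"
    rcode = reply[3] & 0x0F
    return "ok" if rcode == 0 else f"rcode={rcode}"

def survey(servers, names, tries=8, probe=probe_udp):
    """Tally outcomes per (server, name) over `tries` attempts each."""
    return {(s, n): dict(Counter(probe(s, n) for _ in range(tries)))
            for s in servers for n in names}

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        servers = nameservers(f.read())
    for key, tally in survey(servers, ["google.com", "tigris.dev"]).items():
        print(key, tally)
```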

^ Just a quick note on formatting code, logs, and console IO. You can use tilde fences like so:

```
sprite@workstation-001:~# ping tigris.dev
PING tigris.dev (169.155.62.13) 56 data bytes
64 bytes from 169.155.62.13: icmp_seq=1 ttl=63 time=0.5 ms
^C
sprite@workstation-001:~# ping tigris.dev
ping: tigris.dev: Temporary failure in name resolution
```

That will get you a nice block like so:

```
sprite@workstation-001:~# ping tigris.dev
PING tigris.dev (169.155.62.13) 56 data bytes
64 bytes from 169.155.62.13: icmp_seq=1 ttl=63 time=0.5 ms
^C
sprite@workstation-001:~# ping tigris.dev
ping: tigris.dev: Temporary failure in name resolution
```

Hi, I wonder if this was transient - I just tried it and it seems to be working consistently on the sprites I could find.
If you have another sprite where this is happening let me know and I’ll have a look.

One thing I can confirm though - the fdf::2 DNS refuses connections. We’ll look into it, but this should be generally harmless as the other DNS, 10.0.0.2, works well (unless it doesn’t - please let me know if you have a sprite with this issue now).