Creating HNS endpoint through hcsshim assigns default DNS server despite one not being provided #2369

Description

@mcregan23

When trying to create an HNS Endpoint using hcsshim with an already existing HNS network, we see a default DNS server being applied to the endpoint with value of 10.0.0.2. This DNS server gets assigned to the HNS Endpoint regardless of whether or not we are specifying any DNS Server in the HNS Create Endpoint Request object. For example,

Diagnosis

Create HNS Endpoint request parameters:

MacAddress:
IPAddress:169.254.172.2
DNSSuffix:
DNSServerList:
GatewayAddress:
EnableInternalDNS:false

Create HNS Endpoint response:

MacAddress:00-15-5D-3C-45-8F
IPAddress:169.254.172.2
DNSSuffix:us-west-2.compute.internal
DNSServerList:10.0.0.2
GatewayAddress:169.254.172.1
EnableInternalDNS:false

2025-02-07T17:24:54Z [INFO] Creating HNS endpoint: &{
Id:
Name:fargate-bridge-ep-2010b132-4a60-49c8-a43f-71b6810bcebf
VirtualNetwork:
VirtualNetworkName:fargate-bridge
Policies:[[...]]
MacAddress:
IPAddress:169.254.172.2
DNSSuffix:
DNSServerList:
GatewayAddress:
EnableInternalDNS:false
DisableICC:false
PrefixLength:22
IsRemoteEndpoint:false
Namespace:}

2025-02-07T17:24:54Z [INFO] Received HNS endpoint response: &{
Id:ec633774-bc35-4992-94f4-a9782cf7e73c
Name:fargate-bridge-ep-2010b132-4a60-49c8-a43f-71b6810bcebf
VirtualNetwork:095bd359-11bc-4b5d-b264-a79d1dad291e
VirtualNetworkName:fargate-bridge
Policies:[[...]]
MacAddress:00-15-5D-3C-45-8F
IPAddress:169.254.172.2
DNSSuffix:us-west-2.compute.internal
DNSServerList:10.0.0.2
GatewayAddress:169.254.172.1
EnableInternalDNS:false
DisableICC:false
PrefixLength:22
IsRemoteEndpoint:false
Namespace:}.

The log messages come from this code: https://github.com/aws/amazon-vpc-cni-plugins/blob/master/plugins/vpc-eni/network/network_windows.go#L211-L219
Which calls this code: https://github.com/microsoft/hcsshim/blob/main/internal/hns/hnsendpoint.go#L177-L187

As you can see, the DNS Server List is getting auto-assigned this default DNS server which in turn causes DNS requests to time out when running within a Windows Container even with no server explicitly being passed in to the request.

Alternatively, when we do pass in a DNS Address in the DNSServerList field, we see that server properly applied without issues. The issue seems to be only when no input is provided for this field, even with EnableInternalDNS set to false.

From our testing, this is affecting Windows Server 2019 and 2022.
Container runtime: containerd 1.7.20
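An added example, not code from the issue reporter, from hcsshim, or from amazon-vpc-cni-plugins: a small Go checker that parses the `Key:Value` endpoint dumps logged above and reports which configuration fields came back populated although the request left them empty. The two dumps are copied from the issue's log lines as constructed sample input; the parser, the `expectedAssigned` set and the helper names are assumptions made for this example, not an API of either project.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Sample input constructed from the log lines in the issue.
const requestDump = `2025-02-07T17:24:54Z [INFO] Creating HNS endpoint: &{
Id:
Name:fargate-bridge-ep-2010b132-4a60-49c8-a43f-71b6810bcebf
VirtualNetwork:
VirtualNetworkName:fargate-bridge
Policies:[[...]]
MacAddress:
IPAddress:169.254.172.2
DNSSuffix:
DNSServerList:
GatewayAddress:
EnableInternalDNS:false
DisableICC:false
PrefixLength:22
IsRemoteEndpoint:false
Namespace:}`

const responseDump = `2025-02-07T17:24:54Z [INFO] Received HNS endpoint response: &{
Id:ec633774-bc35-4992-94f4-a9782cf7e73c
Name:fargate-bridge-ep-2010b132-4a60-49c8-a43f-71b6810bcebf
VirtualNetwork:095bd359-11bc-4b5d-b264-a79d1dad291e
VirtualNetworkName:fargate-bridge
Policies:[[...]]
MacAddress:00-15-5D-3C-45-8F
IPAddress:169.254.172.2
DNSSuffix:us-west-2.compute.internal
DNSServerList:10.0.0.2
GatewayAddress:169.254.172.1
EnableInternalDNS:false
DisableICC:false
PrefixLength:22
IsRemoteEndpoint:false
Namespace:}.`

// parseEndpointDump turns the logged `&{ Key:Value ... }` block into a map.
// Text before "&{" is dropped, the closing "}" (optionally followed by ".")
// is stripped, and only the first ':' on a line separates key from value.
func parseEndpointDump(dump string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(dump, "\n") {
		line = strings.TrimSpace(line)
		if i := strings.Index(line, "&{"); i >= 0 {
			line = strings.TrimSpace(line[i+2:])
		}
		line = strings.TrimSuffix(strings.TrimSuffix(line, "."), "}")
		if line == "" {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return fields
}

// assignedFields returns, sorted by name, every field that was empty in the
// request but populated in the response.
func assignedFields(req, resp map[string]string) []string {
	var out []string
	for k, v := range resp {
		if v != "" && req[k] == "" {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// expectedAssigned lists identifiers HNS is expected to allocate itself
// (assumption for this example); they are not network configuration.
var expectedAssigned = map[string]bool{"Id": true, "MacAddress": true, "VirtualNetwork": true}

// unexpectedDefaults narrows assignedFields down to configuration fields the
// caller never asked for. On the issue's dumps this yields DNSServerList,
// DNSSuffix and GatewayAddress, which is the behaviour the report describes.
func unexpectedDefaults(req, resp map[string]string) []string {
	var out []string
	for _, k := range assignedFields(req, resp) {
		if !expectedAssigned[k] {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	req := parseEndpointDump(requestDump)
	resp := parseEndpointDump(responseDump)
	for _, k := range unexpectedDefaults(req, resp) {
		fmt.Printf("field %s was not requested but came back as %q\n", k, resp[k])
	}
}
```

Run as a post-create check in a CNI plugin or in a test harness, such a comparison makes silently defaulted fields visible instead of surfacing later as DNS timeouts inside the container.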
