Deno DNS failure for firestore.googleapis.com, Node works fine #27384

Open
dandv opened this issue Dec 16, 2024 · 8 comments

dandv commented Dec 16, 2024

The script below runs fine with Node 22, but fails with Deno 2.1.4 due to DNS failure in resolving firestore.googleapis.com. This blocks any projects using Firestore.

import { initializeApp, cert } from 'firebase-admin/app';
import { getFirestore } from 'firebase-admin/firestore';

initializeApp({
  credential: cert('service-account-key-deno-firestore-dns-bug.json'),
});

const db = getFirestore();

const collectionRef = db.collection('deno-bug');

console.log('Getting snapshot...');
const snapshot = await collectionRef.get();  // <-- fails with Deno

console.log('Getting documents...');
const documents = snapshot.docs.map(doc => ({
  id: doc.id,
  ...doc.data(),
}));

console.log(JSON.stringify(documents, null, 2));

Node v22

$ echo '{ "type": "module" }' > package.json
$ npx tsx deno-firebase-dns-bug.ts
Getting snapshot...
(node:1589721) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Getting documents...
[
  {
    "id": "node-can-read-this",
    "hello": "world"
  }
]
$ node -v
v22.11.0

Deno v2.1.4

$ deno run --allow-all deno-firebase-dns-bug.ts
Getting snapshot...
error: Uncaught (in promise) Error: 14 UNAVAILABLE: Name resolution failed for target dns:firestore.googleapis.com:443

Running the script with a couple env vars for GRPC debugging confirms the DNS failure:

$ GRPC_NODE_VERBOSITY=DEBUG GRPC_NODE_TRACE=dns_resolver,ip_resolver deno run --allow-all deno-firebase-dns-bug.ts 
Getting snapshot...
D 2024-12-16T12:08:14.262Z | v1.12.4 1589142 | dns_resolver | Resolver constructed for target dns:firestore.googleapis.com:443
D 2024-12-16T12:08:14.266Z | v1.12.4 1589142 | dns_resolver | Looking up DNS hostname firestore.googleapis.com
D 2024-12-16T12:08:14.271Z | v1.12.4 1589142 | dns_resolver | Resolution error for target dns:firestore.googleapis.com:443: getaddrinfo ENOTFOUND firestore.googleapis.com
D 2024-12-16T12:08:16.974Z | v1.12.4 1589142 | dns_resolver | Looking up DNS hostname firestore.googleapis.com
D 2024-12-16T12:08:16.975Z | v1.12.4 1589142 | dns_resolver | Resolution error for target dns:firestore.googleapis.com:443: getaddrinfo ENOTFOUND firestore.googleapis.com
...

Using the alternate DNS resolver also fails:

$  GRPC_NODE_USE_ALTERNATIVE_RESOLVER=true GRPC_NODE_VERBOSITY=DEBUG GRPC_NODE_TRACE=dns_resolver,ip_resolver deno run --allow-all deno-firebase-dns-bug.ts
Getting snapshot...
D 2024-12-16T12:16:19.439Z | v1.12.4 1590142 | dns_resolver | Resolver constructed for target dns:firestore.googleapis.com:443
D 2024-12-16T12:16:19.442Z | v1.12.4 1590142 | dns_resolver | Looking up DNS hostname firestore.googleapis.com
D 2024-12-16T12:16:19.442Z | v1.12.4 1590142 | dns_resolver | Using alternative DNS resolver.
D 2024-12-16T12:16:19.443Z | v1.12.4 1590142 | dns_resolver | Using alternative DNS resolver.
D 2024-12-16T12:16:19.445Z | v1.12.4 1590142 | dns_resolver | Resolution error for target dns:firestore.googleapis.com:443: Error: queryA UNKNOWN firestore.googleapis.com
D 2024-12-16T12:16:21.467Z | v1.12.4 1590142 | dns_resolver | Looking up DNS hostname firestore.googleapis.com
D 2024-12-16T12:16:21.467Z | v1.12.4 1590142 | dns_resolver | Using alternative DNS resolver.
D 2024-12-16T12:16:21.468Z | v1.12.4 1590142 | dns_resolver | Resolution error for target dns:firestore.googleapis.com:443: Error: queryA UNKNOWN firestore.googleapis.com
...

Attached is the service-account-key for a demo Firebase project with that Firestore collection. The password is the Deno version I used.
service-account-key.zip

Member

nathanwhit commented Dec 18, 2024

I tried out your example and I couldn't reproduce this issue on my macOS, Linux, or Windows machines. All three gave the same results as node. There must be something different about your environment, but hard to know exactly what.

What OS are you using?

Author

dandv commented Dec 19, 2024

@nathanwhit Thanks for taking a look. I thought the issue was more common since others mentioned DNS issues, e.g. #6197 (comment).

I'm running Fedora Linux 38 with all updates installed. What debugging info can I provide?

$ uname -a
Linux fedora 6.8.9-100.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May  2 18:50:49 UTC 2024 x86_64 GNU/Linux

$ nslookup google.com
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached

$ dig google.com
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.26 <<>> google.com
;; global options: +cmd
;; no servers could be reached

$ cat /etc/resolv.conf
# Generated by resolvconf

$ sudo dmesg | grep -i dns
$ sudo journalctl -xe | grep -i dns
$ nslookup firestore.googleapis.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   firestore.googleapis.com
Address: 142.251.222.234
Name:   firestore.googleapis.com
Address: 2404:6800:4001:807::200a

tcpdump on port 53 shows nothing while running GRPC_NODE_VERBOSITY=DEBUG GRPC_NODE_TRACE=dns_resolver,ip_resolver deno run --allow-all deno-firebase-dns-bug.ts. Same when I added GRPC_NODE_USE_ALTERNATIVE_RESOLVER=true .

$ sudo tcpdump -n port 53
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlo1, link-type EN10MB (Ethernet), snapshot length 262144 bytes


^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Here's the deno run --log-level=debug.

Author

dandv commented Dec 26, 2024

After I've set a nameserver 8.8.8.8 in /etc/resolv.conf, the problem is no longer reproducible. I do see it with Telekom Malaysia as the ISP, and systemctl status systemd-resolved showed:

Using degraded feature set UDP instead of UDP+EDNS0 for DNS server

Interesting that node somehow managed to resolve firestore.googleapis.com with the initial (default, nothing in /etc/resolv.conf, no 8.8.8.8 anywhere) configuration.

Maybe @bluwy could spare a moment and confirm if he happens to use this ISP?

marvinhagemeister changed the title from "[CRITICAL] Deno DNS failure for firestore.googleapis.com, Node works fine" to "Deno DNS failure for firestore.googleapis.com, Node works fine" on Jan 2, 2025

bluwy commented Jan 2, 2025

> Maybe @bluwy could spare a moment and confirm if he happens to use this ISP?

It works fine for me on WiFi and my phone's hotspot (macos):

Getting snapshot...
Getting documents...
[
  {
    "id": "node-can-read-this",
    "hello": "world"
  }
]

Author

dandv commented Jan 24, 2025

I still see this issue with Deno 2.1.6 (related to #27642?). Deno fails to resolve www.googleapis.com unless I switch the DNS provider to 1.1.1.1 or 8.8.8.8.

import { GoogleAuth } from 'google-auth-library';

const auth = new GoogleAuth({
  keyFilename: '...',
});

const client = await auth.getClient();
const accessToken = await client.getAccessToken();

error: Uncaught Error: getaddrinfo ENOTFOUND www.googleapis.com
    at __node_internal_captureLargerStackTrace (ext:deno_node/internal/errors.ts:93:9)
    at __node_internal_ (ext:deno_node/internal/errors.ts:246:10)
    at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:43:26)
    at ext:deno_node/internal_binding/cares_wrap.ts:71:9
    at Object.runMicrotasks (ext:core/01_core.js:683:26)
    at processTicksAndRejections (ext:deno_node/_next_tick.ts:59:10)
    at runNextTicks (ext:deno_node/_next_tick.ts:76:3)
    at eventLoopTick (ext:core/01_core.js:182:21)

Member

kt3k commented Jan 28, 2025

@dandv What does the below script print without setting 1.1.1.1 or 8.8.8.8?:

const resp = await fetch("https://www.googleapis.com/")
console.log(resp.status)

Author

dandv commented Jan 29, 2025

Both 2.1.6 and 2.1.7 output 404:

$ cat /etc/resolv.conf
# resolv.conf autogenerated by /etc/openvpn/client.up (tun0)

$ deno run -A deno-resp.ts 
404
$ deno --version
deno 2.1.6 (stable, release, x86_64-unknown-linux-gnu)
v8 13.0.245.12-rusty
typescript 5.6.2
$ deno upgrade
Current Deno version: v2.1.6
Looking up stable version

Found latest stable version v2.1.7

Downloading https://github.com/denoland/deno/releases/download/v2.1.7/deno-x86_64-unknown-linux-gnu.zip
Deno is upgrading to version 2.1.7

Upgraded successfully to Deno v2.1.7 (stable)

$ deno run -A deno-resp.ts 
404

I still get 404 after I set the nameserver, which is expected (if one browses there):

$ cat /etc/resolv.conf
# resolv.conf autogenerated by /etc/openvpn/client.up (tun0)

nameserver 8.8.8.8
$ cat deno-resp.ts 
const resp = await fetch("https://www.googleapis.com/")
console.log(resp.status)
$ deno run -A deno-resp.ts 
404

Member

kt3k commented Jan 29, 2025

Thanks for your response. A 404 result means that DNS resolution was done correctly (if DNS resolution failed, it should throw TypeError).

Looks like fetch can resolve the domain name correctly on your system.

fetch uses hyper's DNS resolver while node:http.request uses hickory-dns (via Deno.resolveDns). It looks like hickory-dns has some issue with your network settings.


Side note: hickory-dns also has some issues (#27670, #27735 (comment)). I'm considering changing the DNS resolver for node:http.request to hyper's.
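
Added example, not part of the issue thread and not Deno or hickory-dns code: the thread shows an /etc/resolv.conf with no nameserver line and, later, one with nameserver 8.8.8.8. The TypeScript below parses such a file under resolv.conf(5) rules and reports which servers a resolver honouring it would query. The function and type names are hypothetical, and how hickory-dns itself treats a file with no nameserver entries is not stated in the thread.

```typescript
// Added example: resolv.conf analysis following resolv.conf(5) semantics.
// analyzeResolvConf, describe and ResolvConfReport are hypothetical names.

interface ResolvConfReport {
  nameservers: string[];      // servers a libc-style resolver would query
  ignored: string[];          // nameserver lines beyond the MAXNS limit
  loopbackFallback: boolean;  // true when the file names no server at all
}

const MAXNS = 3; // per resolv.conf(5), at most three nameservers are used

function analyzeResolvConf(text: string): ResolvConfReport {
  const found: string[] = [];
  for (const raw of text.split(/\r?\n/)) {
    // Lines with '#' or ';' in the first column are comments.
    if (raw.startsWith("#") || raw.startsWith(";")) continue;
    const [keyword, addr] = raw.trim().split(/\s+/);
    if (keyword === "nameserver" && addr) found.push(addr);
  }
  const nameservers = found.slice(0, MAXNS);
  return {
    nameservers,
    ignored: found.slice(MAXNS),
    // With no nameserver entry, resolv.conf(5) says the name server on the
    // local machine is used, which matches the ::1 and 127.0.0.1 attempts
    // in the nslookup and dig output quoted in the thread.
    loopbackFallback: nameservers.length === 0,
  };
}

function describe(report: ResolvConfReport): string {
  if (report.loopbackFallback) {
    return "no nameserver configured: queries go to loopback and fail " +
      "unless a local resolver listens on port 53";
  }
  return `queries go to ${report.nameservers.join(", ")}`;
}

// Constructed inputs reproducing the two resolv.conf contents in the thread.
const EMPTY_CONF = "# Generated by resolvconf\n";
const FIXED_CONF =
  "# resolv.conf autogenerated by /etc/openvpn/client.up (tun0)\n\n" +
  "nameserver 8.8.8.8\n";

console.log(describe(analyzeResolvConf(EMPTY_CONF)));
console.log(describe(analyzeResolvConf(FIXED_CONF)));
```

To check a live system, pass the contents of /etc/resolv.conf to analyzeResolvConf instead of the constructed strings.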
