[Android] Fall back to 'localhost' when *.localhost resolves to only non-loopback addresses#128068
Open
kotlarmilos wants to merge 6 commits into
Open
Conversation
Contributor
|
Tagging subscribers to this area: @karelz, @dotnet/ncl |
kotlarmilos
force-pushed
the
fix/127965-dns-localhost-non-loopback-fallback
branch
from
b7205f9 to
3a51363
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates System.Net.NameResolution DNS resolution behavior for *.localhost (RFC 6761 §6.3) to avoid returning non-loopback addresses on Android when the platform resolver provides unexpected results, by falling back to resolving plain localhost in more cases.
Changes:
- Add a helper to detect when
*.localhostresults contain no loopback addresses. - Extend the RFC 6761 §6.3 fallback logic in the synchronous resolution path to trigger when the OS returns only non-loopback addresses.
- Extend the same fallback logic in the async (GetAddrInfoAsync) completion path for both
IPAddress[]andIPHostEntry.
Show a summary per file
| File | Description |
|---|---|
| src/libraries/System.Net.NameResolution/src/System/Net/Dns.cs | Extends RFC 6761 localhost-subdomain fallback logic to handle non-loopback OS resolver results (sync + async). |
Copilot's findings
Comments suppressed due to low confidence (3)
src/libraries/System.Net.NameResolution/src/System/Net/Dns.cs:556
- The new RFC 6761 fallback condition only triggers when the OS returns zero loopback addresses (HasNoLoopbackAddress). However the failing Android test report shows a mixed result set ("7 out of 8 items" non-loopback), which would bypass this fallback and still return non-loopback addresses. Consider treating any non-loopback address in a *.localhost result as grounds to discard/filter the OS result (e.g., fall back when not all returned addresses are loopback, or filter the list to loopback addresses only).
fallbackToLocalhost = true;
}
if (!fallbackToLocalhost)
{
result = justAddresses ? (object)
addresses :
new IPHostEntry
src/libraries/System.Net.NameResolution/src/System/Net/Dns.cs:830
- Same issue in the async completion path: the fallback only triggers when there are no loopback addresses at all, so a mixed address list (some loopback + some non-loopback) will not be corrected and can still violate RFC 6761 and the existing loopback-only test. Update the condition/logic to handle mixed results (discard or filter out non-loopback addresses for *.localhost).
// result is IPAddress[] so justAddresses is guaranteed true here.
return await ((Task<T>)(Task)Dns.GetHostAddressesAsync(Localhost, addressFamily, cancellationToken)).ConfigureAwait(false);
}
if (isLocalhostSubdomain && result is IPHostEntry entry &&
(entry.AddressList.Length == 0 || HasNoLoopbackAddress(entry.AddressList)))
{
if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(hostName, "RFC 6761: Localhost subdomain returned no loopback addresses, falling back to 'localhost'");
NameResolutionTelemetry.Log.AfterResolution(hostName, activity, answer: result, exception: null);
fallbackOccurred = true;
// result is IPHostEntry so justAddresses is guaranteed false here.
return await ((Task<T>)(Task)Dns.GetHostEntryAsync(Localhost, addressFamily, cancellationToken)).ConfigureAwait(false);
src/libraries/System.Net.NameResolution/src/System/Net/Dns.cs:841
- The IPHostEntry async fallback path has the same mixed-result problem: if entry.AddressList contains at least one loopback plus additional non-loopback addresses, HasNoLoopbackAddress returns false and the method returns the OS result unchanged. To satisfy RFC 6761 and keep behavior consistent with the address-array path, consider falling back (or filtering) when the result contains any non-loopback addresses.
return result;
}
catch (SocketException ex) when (isLocalhostSubdomain && !fallbackOccurred)
{
// RFC 6761 Section 6.3: If localhost subdomain fails, fall back to resolving plain "localhost".
if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(hostName, "RFC 6761: Localhost subdomain resolution failed, falling back to 'localhost'");
NameResolutionTelemetry.Log.AfterResolution(hostName, activity, answer: null, exception: ex);
fallbackOccurred = true;
- Files reviewed: 1/1 changed files
- Comments generated: 0
…non-loopback addresses
Dns falls back to resolving plain 'localhost' when the OS resolver fails or returns zero addresses for a '*.localhost' subdomain (RFC 6761 Section 6.3). However, on Android the bionic getaddrinfo returns non-loopback addresses (link-local fe80::* and globally-routable IPv6) for '*.localhost', bypassing the fallback and causing Dns.GetHostAddresses("foo.localhost.") to return non-loopback addresses. This was caused by the fallback condition only triggering on empty or failed OS responses; it is now extended to also trigger when the OS returns only non-loopback addresses, in both the sync and async paths.
Fixes dotnet#127965.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The previous [ActiveIssue] skips on six DnsGetHostAddresses_/DnsGetHostEntry_LocalhostSubdomain* tests (referencing dotnet#126456 and dotnet#127965) all covered the same root cause: platform resolvers (Android bionic, iOS/tvOS/MacCatalyst) returned non-loopback addresses for '*.localhost' subdomains, bypassing the existing RFC 6761 6.3 fallback. With the fallback now extended to trigger when the OS returns no loopback addresses, these tests are expected to pass on every platform. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
kotlarmilos
force-pushed
the
fix/127965-dns-localhost-non-loopback-fallback
branch
from
3a51363 to
a536036
Compare
Member
Author
|
/azp run runtime-extra-platforms |
|
Azure Pipelines successfully started running 1 pipeline(s). |
…Address Address review feedback: HasNoLoopbackAddress previously returned false for an empty array, forcing every caller to spell the condition as 'Length == 0 || HasNoLoopbackAddress(...)'. An empty result has no loopback addresses by definition, so the helper now returns true in that case, and the three call sites are simplified accordingly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
Author
|
/azp run runtime-extra-platforms |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This was referenced May 12, 2026
This was referenced May 13, 2026
Open
[ci-scan] Test failure: Errata4.TestXslTransform on tvos-arm64 (UnauthorizedAccessException)
#128016
Open
kotlarmilos
commented
May 13, 2026
…GetHostAddressesTest.cs
…GetHostEntryTest.cs
rzikm
requested changes
May 13, 2026
Member
Author
|
@copilot look at the comment
|
Per review feedback: the Dns.cs behavior is correct, /etc/hosts non-loopback entries for *.localhost should be respected. Revert the production code to only fall back to plain 'localhost' when the OS resolver returns empty. Adapt the six re-enabled tests to skip the IsLoopback assertion on Android and Apple mobile (iOS, tvOS, MacCatalyst), where the OS resolver may legitimately return non-loopback addresses (e.g. link-local IPv6) for *.localhost. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Member
Author
|
/azp run runtime-extra-platforms |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This was referenced May 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Dns falls back to resolving plain
localhostwhen the OS resolver fails or returns zero addresses for a*.localhostsubdomain (RFC 6761 §6.3). However, on Android the bionicgetaddrinforeturns non-loopback addresses (link-localfe80::*and globally-routable IPv6) for*.localhost, bypassing the fallback and causingDns.GetHostAddresses("foo.localhost.")to return non-loopback addresses. The same behavior was observed on iOS/tvOS/MacCatalyst. This was caused by the fallback condition only triggering on empty or failed OS responses; it is now extended to also trigger when the OS returns only non-loopback addresses, in both the sync and async paths.Six previously-disabled tests covering the same root cause are re-enabled in this PR.
Fixes #127965.
Fixes #127953.
Supersedes the test-skip workarounds:
[ci-scan] Skip DnsGetHostAddresses_LocalhostSubdomainWithTrailingDot on Android[mobile] Skip failing Android localhost subdomain DNS tests