Intercept DNS names are not resolving in WSL

I configured OpenZiti in Kubernetes (AKS) using this documentation. The intercepted address is "hello.ziti". I'm also using Ziti Desktop Edge for Windows 11. Connecting directly from Windows works fine using curl or through a browser. However, if I want to test the connection via WSL on a current Windows, this error is thrown:

$ curl -vvv http://hello.ziti
* Could not resolve host: hello.ziti
* Closing connection 0
curl: (6) Could not resolve host: hello.ziti

As I understand it, this is because requests to DNS servers are not intercepted from WSL. Is there any way to fix it?

@TheLumberjack please help me

@kinseii - there are a few different ways to do this. I fiddle with it every time, so I'm not sure I have a good answer for you. For me, running WSL on Windows with ZDEW will translate into WSL. For example, we use Mattermost as our chat tool, protected through ziti. From my WSL I can connect to the URL just fine:

If that doesn't work for you, it'll be due to however WSL is set up on your system and it's totally an individual configuration type of thing...

You can always run ziti-edge-tunnel from within WSL if you wish. I just verified that's an option and works. For a while, WSL wouldn't make a proper TUN but it works nowadays.

If you want to get your WSL working like I did, here are my .wslconfig and my /etc/wsl.conf files. There's probably a clue in there as to what I have different that you don't have set.

%USERPROFILE%\.wslconfig

# Settings apply across all Linux distros running on WSL 2
[wsl2]

# Limits VM memory to use no more than 8 GB, this can be set as whole numbers using GB or MB
memory=8GB

# Sets the VM to use four virtual processors
processors=4

# Specify a custom Linux kernel to use with your installed distros. The default kernel used can be found at https://github.com/microsoft/WSL2-Linux-Kernel
# kernel=C:\\temp\\myCustomKernel

# Sets additional kernel parameters, in this case enabling older Linux base images such as Centos 6
kernelCommandLine = vsyscall=emulate

# Sets amount of swap storage space to 8GB, default is 25% of available RAM
swap=8GB

# Sets swapfile path location, default is %USERPROFILE%\AppData\Local\Temp\swap.vhdx
swapfile=C:\\temp\\wsl-swap.vhdx

# Turn on default connection to bind WSL 2 localhost to Windows localhost
localhostforwarding=true

# Disables nested virtualization
nestedVirtualization=false

# Turns on output console showing contents of dmesg when opening a WSL 2 distro for debugging
# debugConsole=true

# turns on bridged network mode so wsl gets a valid ip from the network...
# https://randombytes.substack.com/p/bridged-networking-under-wsl
# if that's gone, look for wsl-network.txt in dev-stuff
# may 24 2024 - followed https://github.com/Unsigned-Char/WSL2HyperVSwitch
#networkingMode = bridged
#vmSwitch = WSLBridge
#dhcp = false
#dhcp=true
#ipv6=true

#networkingMode=mirrored

/etc/wsl.conf

$ cat /etc/wsl.conf
[user]
default=cd

[boot]
systemd=true

[network]
generateResolvConf = false

@TheLumberjack
Thank you so much for your reply! I checked the WSL settings and they are exactly the same as yours.

I would like to clarify that if I do subnet intercepting (to inside Kubernetes), everything works fine when accessing by IP. If I configure host intercepting (http://hello.ziti), then resolving to an IP from WSL does not work, as in my original post.

I see that your host (mattermost.tools.netfoundry.io) is registered in a real DNS server, and so it resolves in WSL without any problem.

$ host mattermost.tools.netfoundry.io
mattermost.tools.netfoundry.io has address 15.197.139.43
mattermost.tools.netfoundry.io has address 3.33.149.198

Yes, it's an overloaded DNS entry. When I'm using ziti, it'll resolve to a 100.x.x.x address. When not on ziti it'll resolve to the public IP. Try curling there and see what response you get. You should get a forbidden reply. I'm away from my machine but I could demonstrate another intercept working as well.

Like I said before, WSL can be finicky. I don't recall if I had to set something up like DNS forwarding. It's one of those things I do once and then forget about. I'm not sure if I'll be able to help you here. :frowning:

@TheLumberjack
If it's not too much trouble, could you please check if your WSL is successfully resolving to a private address?

I did traffic mirroring from the Windows interface itself, with that option:

[wsl2]
networkingMode=mirrored

But nothing has changed.

Here it is from Windows itself:

C:\Users\kinsei>curl -v http://hello.ziti
* Host hello.ziti:80 was resolved.
* IPv6: (none)
* IPv4: 100.64.0.4
*   Trying 100.64.0.4:80...
* Connected to hello.ziti (100.64.0.4) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: hello.ziti
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Thu, 13 Feb 2025 05:13:05 GMT
< Connection: close
< Content-type: text/html
< Accept-Ranges: bytes
< Last-Modified: Tue, 05 Sep 2023 20:26:01 GMT
< ETag: "64f78ed9-9dd"
< Content-Length: 2525
<
<pre>
Hello World




</pre>
* shutting down connection #0

And here in the WSL:

$ curl -vvv http://hello.ziti
* Could not resolve host: hello.ziti
* Closing connection 0
curl: (6) Could not resolve host: hello.ziti

$ curl -vvv http://100.64.0.4
*   Trying 100.64.0.4:80...
* Connected to 100.64.0.4 (100.64.0.4) port 80 (#0)
> GET / HTTP/1.1
> Host: 100.64.0.4
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 13 Feb 2025 05:16:34 GMT
< Connection: close
< Content-type: text/html
< Accept-Ranges: bytes
< Last-Modified: Tue, 05 Sep 2023 20:26:01 GMT
< ETag: "64f78ed9-9dd"
< Content-Length: 2525
<
<pre>
Hello World




</pre>
* Closing connection 0

Could you tell me how the intercept works for hosts?

I'll see if I can dig up what I might have done to forward the DNS request to the Windows tunneler. We can see that it'll work as long as the WSL environment sends a request to the tunneler running in Windows.

Here you can see my dig before, and after I turn on the Ziti Desktop Edge for Windows tunneler, in bash, in WSL:

$ dig mattermost.tools.netfoundry.io +short
15.197.139.43
3.33.149.198
cd@192.168.253.239:sg4: ~
$ dig mattermost.tools.netfoundry.io +short
100.100.0.38

I run Ubuntu 24 currently. Looking at my DNS setup, I remember now that I have set up my DNS to use the global stub resolver, which I think I found using resolvectl:

$ resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 10.255.255.254
       DNS Servers: 10.255.255.254

That made me remember I had set up a "resolved.conf.d/ziti-intercept.conf", commented out the 127.0.0.1 entry (as you can see) and then set it to use the stub resolver.

$ cat /etc/systemd/resolved.conf.d/ziti-intercept.conf
[Resolve]
#DNS=127.0.0.1
DNS=10.255.255.254

I'm not a Linux pro still, so hopefully that's enough info to help you out? (and who knows, maybe it'll help ME someday after I upgrade to Ubuntu 26 lol)
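
An added example (not part of the thread and not OpenZiti's own code) for checking from inside WSL whether a lookup was answered by the tunneler or by public DNS, and which DNS servers a systemd-resolved drop-in actually enables. It assumes the tunneler hands out intercept addresses from 100.64.0.0/10, which covers both 100.64.0.4 and 100.100.0.38 shown above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumption: the Ziti tunneler assigns intercept addresses from
# 100.64.0.0/10 (covers 100.64.0.4 and 100.100.0.38 seen in the thread).
# Function names are hypothetical.

# Succeeds if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
in_intercept_range() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;    # not digits-and-dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    # /10: first octet 100, second octet 64..127
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Reads `dig +short NAME` output on stdin and prints one word:
#   intercepted  at least one answer is in the intercept range
#   public       answers exist, none in the intercept range
#   unresolved   no IPv4 answers (what curl reports as "Could not resolve host")
classify_answers() {
    seen=0; hit=0
    while IFS= read -r line; do
        case $line in
            ''|*[!0-9.]*) continue ;;           # skip blanks, CNAMEs, prompts
        esac
        seen=1
        if in_intercept_range "$line"; then hit=1; fi
    done
    if [ "$hit" -eq 1 ]; then echo intercepted
    elif [ "$seen" -eq 1 ]; then echo public
    else echo unresolved
    fi
}

# Prints the active (uncommented) DNS= servers from a systemd-resolved
# drop-in read on stdin, one per line.
active_dns_servers() {
    sed -n 's/^[[:space:]]*DNS[[:space:]]*=[[:space:]]*//p' |
        tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Usage inside WSL:
#   dig +short hello.ziti | classify_answers
#   active_dns_servers < /etc/systemd/resolved.conf.d/ziti-intercept.conf
```

A result of `public` or `unresolved` for an intercepted name means the query from WSL never reached the tunneler's resolver, which is the situation in the original post.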