Error "Failed to receive DNS query response on UDP socket." when trying to connect to Gmail

One of my users has a persistent problem trying to connect to Gmail. I’m using the Chilkat plugin and have communicated with Matt. He tried to make some improvements to the plugin. But the problem remains. The user is connected to the internet and can use his email client.

But I’m really out of ideas why a simple connection to Gmail does not work. The log shows the following information:

             dnsHostsFileLookup:
                 domainName: imap.gmail.com
               --dnsHostsFileLookup
               doDnsQuery:
                 dns_over_udp:
                   recv_profile_2:
                     idleTimeoutMs: 60000
                   --recv_profile_2
                   socketErrno: 51
                   socketError: Network is unreachable
                   Failed to receive DNS query response on UDP socket.

Any idea what might cause this?

Could it be that the firewall is blocking access to the DNS server for Mail Archiver only?
Or is the Chilkat plugin not respecting a system proxy?

It must be something like this. I’ve asked the user to check if the Firewall is active.

What do you mean by “not respecting a system proxy”?

It is possible the OS is using a Proxy but the Plugin may try to reach the Gmail Server using a public DNS Server Address (like 8.8.8.8, 8.8.4.4, …). That’s not very likely but possible.

In this case general access to Gmail wouldn’t work, I think. So far only one user has this problem.

We also use proxy servers in the company. If we try to bypass this, our firewall steps in and blocks access. However, access is often prevented locally on the computer by local security software. Apps that follow the rules can continue to work normally. Other computers are not affected by this either.

But as written, that is very unlikely anyway. Most likely it’s a local security policy that doesn’t allow the app to access the DNS server (for whatever reason…).

These are the nameservers the plugin tried to contact:

                Failed to do DNS query.
                namservers:
                  ip: 194.187.251.67
                  ip: 10.0.0.243
                  ip: 185.93.180.131

I remember having fun after the hosting changed something. I could get emails but not send them. The Telekom router had a security policy where I had to change the allowed domains for sending emails. That was fun!

All 3 addresses are non-public addresses. It is still very likely that the user can access Gmail via the browser, for example, but another app cannot access these servers due to a local security policy.

Does the system have TCP fallback?

If it had, shouldn’t it be possible to access Gmail successfully despite this error?

And as far as I know, TCP fallback only becomes active when a UDP packet is too large.

Her problem is DNS not resolving using UDP.

Firewalls can block UDP or TCP separately.

Blocking UDP, all or a range including 53, would cause something like that, and TCP could work.

Switching modes yes. But if the software had a “force use” it could bypass the problem (if TCP ok and UDP off)

The user should do some network scans at port 53 pointing to target address and check the behavior. Probably they need to involve the network people of the presumable company.

Test DNS over UDP:

    dig @8.8.8.8 google.com

Test DNS over TCP:

    dig @8.8.8.8 google.com +tcp

Change the @8.8.8.8 to any of those:

Those IPs could be blocked at his endpoint too

1 Like
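The UDP-versus-TCP check suggested above with dig, written as an added Python example (not part of any post in this thread and not Chilkat code) for machines where dig is not installed. It sends the same A query for imap.gmail.com to each nameserver from the log over both transports and reports the reply or the socket error; the function names and the query ID are assumptions of this example.

```python
import socket, struct

def build_query(name, qid):
    """DNS A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_reply(reply, qid):
    """Summarise the reply header: ID match, RCODE, answer count, TC bit."""
    if len(reply) < 12:
        return "short reply"
    rid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:
        return "not a reply to our query"
    tc = " truncated" if flags & 0x0200 else ""
    return f"rcode={flags & 0xF} answers={ancount}{tc}"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(server, name, tcp, port=53, timeout=3.0, qid=0x4D41):
    """Send one query over UDP or TCP; return the reply summary or the socket error."""
    query = build_query(name, qid)  # qid default is a constructed value
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, port))  # a missing route surfaces here as an OSError
            if tcp:  # DNS over TCP prefixes each message with a 2-byte length
                s.sendall(struct.pack(">H", len(query)) + query)
                (n,) = struct.unpack(">H", recv_exact(s, 2))
                return parse_reply(recv_exact(s, n), qid)
            s.send(query)
            return parse_reply(s.recv(4096), qid)
    except socket.timeout:
        return "FAIL timeout (no reply within %.0fs)" % timeout
    except OSError as e:
        return f"FAIL {e}"

if __name__ == "__main__":
    for ns in ("194.187.251.67", "10.0.0.243", "185.93.180.131"):  # from the log above
        for tcp in (False, True):
            print(f"{ns:15} {'tcp' if tcp else 'udp'}: {probe(ns, 'imap.gmail.com', tcp)}")
```

A nameserver that fails on both transports points at routing or a wrong address in the system settings; UDP failing while TCP answers points at filtering of UDP port 53.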

Thanks, guys. The problem is solved. The user had wrong DNS addresses in the System Settings. Why this only affected my app is a question for another day.

3 Likes

Some browsers such as Chrome now use DoH (DNS over HTTPS) by default:

So it’s possible that even if the OS’s Network settings / DNS nameservers could be broken, DNS would still work in the Browser.

In this case, I would expect every app (other than Chrome) to have DNS failures, so it wouldn’t be something specific to your app.

The latest trend in web browser privacy features involves bypassing the system-set DNS servers. Adblockers, so-called safe search and any other search scraping add-ins may also interfere. Suffice to say I stopped trusting web browsers as a way to verify DNS several years ago. If in doubt, open a command prompt and use nslookup to verify connectivity with the name servers. If nslookup is not available, try dig.

2 Likes