puma-dev: DNS resolution not working on macOS with "bind: operation not permitted"
Puma dev’s DNS resolution doesn’t appear to work at all anymore on MacOS Catalina.
I’ve done puma-dev -cleanup and even uninstalled/reinstalled from homebrew, then sudo puma-dev -setup; puma-dev -install again.
dig @127.0.0.1 -p 9253 blah.test
; <<>> DiG 9.10.6 <<>> @127.0.0.1 -p 9253 blah.test
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
However everything looks good otherwise. Puma is running, resolver file in place, responds to HTTP but not DNS on port
$ ls -l /etc/resolver
total 8
-rw-r--r-- 1 thom staff 55B Mar 24 10:22 test
$ cat /etc/resolver/test
# Generated by puma-dev
nameserver 127.0.0.1
port 9253
$ ps ax|grep puma
39752 ?? S 0:00.04 /usr/local/Cellar/puma-dev/0.13/bin/puma-dev -launchd -dir ~/.puma-dev -d test -timeout 15m0s
$ cat ~/.puma-dev/blah
2999
$ curl -vH "Host: blah.test" localhost
* Trying ::1...
* TCP_NODELAY set
* Connection failed
* connect to ::1 port 80 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: blah.test
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Date: Wed, 25 Mar 2020 13:18:25 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
* Closing connection 0
$ tail -n20 ~/Library/Logs/puma-dev.log
2020/03/24 10:22:09 Existing valid puma-dev CA keypair found. Assuming previously trusted.
* Directory for apps: /Users/thom/.puma-dev
* Domains: test
* DNS Server port: 9253
* HTTP Server port: inherited from launchd
* HTTPS Server port: inherited from launchd
! Puma dev listening on http and https
* Generated proxy connection for 'blah' to http://127.0.0.1:2999
2020/03/25 09:18:21 http: proxy error: dial tcp 127.0.0.1:2999: connect: connection refused
Summary: HTTP proxy works, but DNS does not.
About this issue
- Original URL
- State: open
- Created 4 years ago
- Comments: 27 (13 by maintainers)
I just hit this as well, and wanted to report that the suggested firewall whitelisting worked, but only with the physical path to puma-dev (homebrew sets a symlink from
/usr/local/bin/puma-devto/usr/local/Cellar/puma-dev/0.14/bin/puma-dev). Just going to leave this here in case anyone else hits the same issue:Ah. Excellent find @stevenkaras! Adding a bit of portability for new versions, since
0.15is right around the corner…@nonrational - fair point! I tried on another machine today and was not able to reproduce.
I tried restarting my machine today and the issue is resolved. 🤷 Thanks for you help!
I suspect it’s because
puma-devis not signedI’ve had
puma-devworking without issue for a long time. Today it stopped working 😦 (possibly related to me doingbrew updateandbrew upgradetoday)I’ve tried uninstalling (
/etc/resolver/becomes empty) then reinstalling:But then in
~/Library/Logs/puma-dev.log:Note that here it shows the DNS port not binding.
However a bit different if I run in the foreground:
Here the HTTP port isn’t binding.
I have no issue binding an HTTP port e.g. with
python3 -m http.server 34999. Only puma-dev has an issue it seems.I have tried repeating all this after running this:
Didn’t help.
Same issue with custom ports:
Any advice or suggestions?
@nonrational I use zsh so at first I couldn’t get your
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp $(which puma-dev)to work because I think it was getting confused by the symlink action (installed via brew, so lots of symlinks). I replaced the$(which puma-dev)with the actual location of the binary and suddently (after a few puma-dev restarts) everything is working again.For those using homebrew, the binary is somewhere like this:
/usr/local/Cellar/puma-dev/0.13/bin/puma-devbut YMMV based on homebrew install and version of puma-dev, etc.Finished latest security patches, still not having any issues with port bindings with firewall and gatekeeper enabled. ☹️
@swiknaba I’m upgrading my mojave machine w/ latest security patches now and will attempt to reproduce.
For anyone who can reproduce the issue and is comfortable at the command-line, I’d ask that you try to disable gatekeeper temporarily and see if that fixes the port binding issue. That, at least, will allow us to test the unsigned hypothesis.
sudo spctl --master-disablewill disable gatekeeper (and bring back the previous “allow from anywhere” option in system preferences).sudo spctl --master-enablewill then re-enable gatekeeper, once you’re done testing.For some reason when I try to run on OSX, puma-dev can’t seem to bind to any HTTP/S port…?
This may be part of the root cause of the issue I’m facing. Although the HTTP bind doesn’t fail when running as a launch daemon, but then again in that case HTTP/S are being forwarded via launchd socket.
Confirmed that DNS port bind will fail silently. I have a WIP branch that will expose the error messages and bail.