DNS resolution fails under nix-build

I’m trying to build a package on NixOS (unstable), set up with flakes enabled.

The package wraps Bazel using bazelisk so the latter tries to download the former first thing.

This doesn’t work if I use nix-build, though. There’s a DNS resolution failure that looks like missing name servers. A manual attempt to get the packet using wget works fine, though, and it also works under nix-shell.

What could be the reason?

[nix-shell:~/Work/Elodin/elodin]$ nix-build
this derivation will be built:
  /nix/store/nr559jszbbh75qfj60manm4q05akgkm3-xla-ext.drv
building '/nix/store/nr559jszbbh75qfj60manm4q05akgkm3-xla-ext.drv'...
Running phase: unpackPhase
Running phase: patchPhase
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: buildPhase
2025/08/29 15:55:02 Downloading https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64...
2025/08/29 15:55:18 could not download Bazel: failed to download bazel: failed to download bazel: HTTP GET https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64 failed: unable to complete 5 requests to https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64 within 30s. Most recent failure: Get "https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64": dial tcp: lookup releases.bazel.build on [::1]:53: read udp [::1]:50231->[::1]:53: read: connection refused
error: builder for '/nix/store/nr559jszbbh75qfj60manm4q05akgkm3-xla-ext.drv' failed with exit code 1;
       last 6 log lines:
       > Running phase: unpackPhase
       > Running phase: patchPhase
       > Running phase: updateAutotoolsGnuConfigScriptsPhase
       > Running phase: buildPhase
       > 2025/08/29 15:55:02 Downloading https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64...
       > 2025/08/29 15:55:18 could not download Bazel: failed to download bazel: failed to download bazel: HTTP GET https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64 failed: unable to complete 5 requests to https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64 within 30s. Most recent failure: Get "https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64": dial tcp: lookup releases.bazel.build on [::1]:53: read udp [::1]:50231->[::1]:53: read: connection refused
       For full logs, run:
         nix log /nix/store/nr559jszbbh75qfj60manm4q05akgkm3-xla-ext.drv

I can download using wget, e.g.

[nix-shell:~/Work/Elodin/elodin]$ !wget
wget https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64
--2025-08-29 18:58:45--  https://releases.bazel.build/7.4.1/release/bazel-7.4.1-linux-arm64
Resolving releases.bazel.build (releases.bazel.build)... 130.211.22.235
Connecting to releases.bazel.build (releases.bazel.build)|130.211.22.235|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 58277622 (56M) [application/octet-stream]
Saving to: ‘bazel-7.4.1-linux-arm64.4’

bazel-7.4.1-linux-arm64.4     12%[====>                                          ]   6,72M  4,78MB/s               ^C

P.S.

uname -a
Linux nixos 6.12.43 #1-NixOS SMP Wed Aug 20 16:30:58 UTC 2025 aarch64 GNU/Linux

The build sandbox does not have network access by design, as network access would defeat the goal of reproducibility. Everything that needs to access the internet needs to happen in a fixed-output derivation with a specified hash, which needs to be separate from where the actual build process happens. Some projects and ecosystems deal with these restrictions better than others. For those that deal with it poorly, there’s often some code in nixpkgs to help get around the problems in a somewhat systematic way.

1 Like

I understand the rationale.

I’m also confused as I saw no such behavior on macOS.

The sandboxing primitives available on macOS apparently cause too many problems, so the build sandbox is disabled by default there.

2 Likes

How does this work then?

    src = fetchzip {
      url = "https://github.com/openxla/xla/archive/2a6015f068e4285a69ca9a535af63173ba92995b.tar.gz";
      sha256 = "sey2yXF3tofTgmS1wXJZS6HwngzBYzktl/QRbMZfrYE=";
    };

Does it get a special dispensation?

fetchzip is a fixed-output derivation. They’re allowed network access since reproducibility is guaranteed by the supplied output hash. (Before you go thinking you can run your build in a fixed-output derivation, you can’t. Fixed-output derivations fail if their result contains any runtime dependencies (in other words, nix store paths).)
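To make the two-stage split described in the replies above concrete, here is an added illustration written for this thread (it is not code from the original posts, from nixpkgs, or from the project being built). Stage 1 is a fixed-output derivation: it is granted network access only because its output is pinned by a hash, and the build is rejected if the downloaded bytes hash to anything else. Stage 2 is an ordinary derivation that runs in the sandbox with no network (which is why the log shows the resolver falling back to `[::1]:53` and being refused: the sandbox has no usable `/etc/resolv.conf`) and only consumes the stage-1 store path. The URL is the one from the bazelisk log; `pkgs.lib.fakeHash` is nixpkgs' placeholder hash, to be replaced with the real value Nix prints in its "hash mismatch" error on the first build (or the value from `nix-prefetch-url`). The `xla-ext` package body is hypothetical, since the thread shows the derivation name but not its build script, and whether the downloaded Bazel release binary runs unpatched on NixOS is a separate concern not addressed here.

```nix
{ pkgs ? import <nixpkgs> { } }:

let
  version = "7.4.1";

  # Stage 1a: fixed-output derivation via the fetchurl helper.
  # Network is allowed here; the content is pinned by `hash`.
  bazelRelease = pkgs.fetchurl {
    url = "https://releases.bazel.build/${version}/release/bazel-${version}-linux-arm64";
    hash = pkgs.lib.fakeHash;   # placeholder: paste the real sha256 after the first build
    executable = true;
  };

  # Stage 1b: the same fetch spelled out without fetchurl, to show what makes a
  # derivation "fixed-output": the three outputHash* attributes. Any derivation
  # carrying them gets network access in the sandbox, and Nix verifies the
  # result against outputHash before admitting it to the store.
  bazelReleaseExplicit = pkgs.stdenv.mkDerivation {
    name = "bazel-${version}-linux-arm64";
    nativeBuildInputs = [ pkgs.curl pkgs.cacert ];
    buildCommand = ''
      curl -fsSL -o "$out" \
        "https://releases.bazel.build/${version}/release/bazel-${version}-linux-arm64"
      chmod +x "$out"
    '';
    outputHashAlgo = "sha256";
    outputHashMode = "flat";    # hash the file itself rather than a NAR archive
    outputHash = pkgs.lib.fakeHash;   # placeholder, as above
  };
in

# Stage 2: a normal derivation. It is sandboxed with no DNS and no network,
# so it must never download anything; it only reads the stage-1 output.
# (Hypothetical package body: the thread names xla-ext but shows no build script.)
pkgs.stdenv.mkDerivation {
  pname = "xla-ext";
  version = "0.0.1";
  src = ./.;                   # assumed to be the checkout the thread builds from

  dontConfigure = true;
  dontBuild = true;

  installPhase = ''
    runHook preInstall
    # Hand the pre-fetched Bazel to whatever runs in this package instead of
    # letting bazelisk reach for releases.bazel.build at build time.
    # Assumption: bazelisk accepts an absolute path in USE_BAZEL_VERSION.
    install -Dm755 ${bazelRelease} $out/bin/bazel
    mkdir -p $out/etc
    echo "USE_BAZEL_VERSION=${bazelRelease}" > $out/etc/bazelisk.env
    runHook postInstall
  '';

  # The explicit variant is referenced only so that `nix-build` evaluates and
  # realises both stage-1 forms; a real package would keep just one.
  passthru.explicitFetch = bazelReleaseExplicit;
}
```

Two things worth checking against this. First, the rule stated in the last reply is enforced by Nix, not merely conventional: if either stage-1 output came to contain a `/nix/store/...` path (for example by copying a build input into it), realisation fails, which is what stops a whole build from being smuggled into a fixed-output derivation. Second, solving only the bazelisk download is usually not enough for a Bazel project, because Bazel itself fetches rules and toolchains during the build; that is the case the first reply alludes to, and nixpkgs carries a `buildBazelPackage` helper whose fetch step is itself a fixed-output derivation with its own hash for exactly that reason.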