[GH-ISSUE #2913] newt holepunch does not re-resolve endpoint hostname after connection loss (stale IP on reconnect) #11029

New Issue

Open

opened 2026-05-06 15:43:17 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-06 15:43:17 -05:00

Owner

Copy Link

Originally created by @timootten on GitHub (Apr 28, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2913

Describe the Bug

newt/holepunch does not re-resolve endpoint hostname after connection loss (stale IP on reconnect)

Summary

When the IP address behind the configured gerbil/exit-node hostname changes (e.g. due to a failover, migration, or DNS record update), newt does not perform a fresh DNS lookup on reconnect. Instead, it continues using the IP it resolved at startup, leaving the tunnel in a permanently broken state until newt is manually restarted.

This affects any dynamic IP environment — including setups using tools like external-dns that automatically update DNS records at the provider level during cluster events.

Actual Behavior

Holepunch keeps sending to the originally resolved IP for the entire runtime. No re-resolution occurs even well past the DNS TTL. The only recovery path is manually restarting newt.

Evidence / Logs

Starting hole punch to <exit-node-hostname>
Resolved exit node: <Address B>
Sent UDP hole punch to <Address B>
Sent UDP hole punch to <Address B>
... (repeated indefinitely, no re-resolution to Address A)

No subsequent resolution attempt is visible in the logs after the DNS record changes.

Environment

• Tool: newt + holepunch
• DNS managed externally (e.g. Cloudflare via external-dns)
• Deployment: Kubernetes

Suggested Fix

On each reconnect attempt (or periodically, respecting TTL), re-resolve the exit-node hostname from DNS rather than caching the IP from the initial startup resolution.

Environment

• OS Type & Version: Debian 13
• Pangolin Version: 1.17.1
• Gerbil Version: 1.3.1
• Traefik Version: 3.6
• Newt Version: 11.0
• Olm Version: (if applicable)

To Reproduce

1. Point the exit-node hostname DNS record to Address A
2. Start newt — confirm holepunch targets Address A in the logs
3. Update the DNS record to point to Address B (simulating a failover)
4. Restart newt — confirm holepunch correctly targets Address B
5. Update the DNS record back to Address A
6. Wait longer than the DNS TTL (e.g. 8+ minutes with a TTL of ~60s)
7. Observe holepunch logs — it continues targeting Address B

Expected Behavior

After the DNS TTL expires, newt/holepunch should re-resolve the exit-node hostname and reconnect using the updated IP address — without requiring a manual restart.

Originally created by @timootten on GitHub (Apr 28, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2913 ### Describe the Bug # newt/holepunch does not re-resolve endpoint hostname after connection loss (stale IP on reconnect) ## Summary When the IP address behind the configured gerbil/exit-node hostname changes (e.g. due to a failover, migration, or DNS record update), `newt` does not perform a fresh DNS lookup on reconnect. Instead, it continues using the IP it resolved at startup, leaving the tunnel in a permanently broken state until `newt` is manually restarted. This affects any dynamic IP environment — including setups using tools like [external-dns](https://github.com/kubernetes-sigs/external-dns) that automatically update DNS records at the provider level during cluster events. ## Actual Behavior Holepunch keeps sending to the originally resolved IP for the entire runtime. No re-resolution occurs even well past the DNS TTL. The only recovery path is manually restarting `newt`. ## Evidence / Logs ``` Starting hole punch to <exit-node-hostname> Resolved exit node: <Address B> Sent UDP hole punch to <Address B> Sent UDP hole punch to <Address B> ... (repeated indefinitely, no re-resolution to Address A) ``` No subsequent resolution attempt is visible in the logs after the DNS record changes. ## Environment - Tool: `newt` + holepunch - DNS managed externally (e.g. Cloudflare via external-dns) - Deployment: Kubernetes ## Suggested Fix On each reconnect attempt (or periodically, respecting TTL), re-resolve the exit-node hostname from DNS rather than caching the IP from the initial startup resolution. ### Environment - OS Type & Version: Debian 13 - Pangolin Version: 1.17.1 - Gerbil Version: 1.3.1 - Traefik Version: 3.6 - Newt Version: 11.0 - Olm Version: (if applicable) ### To Reproduce 1. Point the exit-node hostname DNS record to **Address A** 2. Start `newt` — confirm holepunch targets **Address A** in the logs 3. Update the DNS record to point to **Address B** (simulating a failover) 4. Restart `newt` — confirm holepunch correctly targets **Address B** 5. Update the DNS record back to **Address A** 6. Wait longer than the DNS TTL (e.g. 8+ minutes with a TTL of ~60s) 7. Observe holepunch logs — it continues targeting **Address B** ### Expected Behavior After the DNS TTL expires, `newt`/holepunch should re-resolve the exit-node hostname and reconnect using the updated IP address — without requiring a manual restart.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/qs-6.15.2

rdp-ssh

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

crowdin_dev

auto-update

dev

fix-site-delete

fix-3104

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#11029