DNS resolution fails on ESXi host with error "Temporary failure in name resolution"

Article ID: 394990

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

DNS resolution is not working on an ESXi host even though the DNS server configuration is correct.

The following symptoms are observed:

  • Running nslookup from the ESXi host returns:
    ;; connection timed out; no servers could be reached
    or
    Temporary failure in name resolution
  • The DNS server is reachable via ping from the ESXi host
  • DNS configuration appears correct when checking:
  esxcli network ip dns server list
  cat /etc/hosts
  • DNS resolution works from other systems on the same network (such as vCenter or NSX Manager)
  • The issue may appear after a power outage, host reboot, or configuration change

Environment

VMware vSphere ESXi 8.x

Cause

The ESXi host firewall outbound rules for the DNS Client (dnsClient) ruleset are configured to allow connections only from specific IP addresses rather than allowing all outbound connections. This prevents the host from sending DNS queries to the configured DNS servers.

To verify this is the cause, run the following command from the ESXi shell:

esxcli network firewall ruleset allowedip list -r dnsClient

If the output shows specific IP addresses under Allowed IP Addresses instead of All, the firewall drops DNS queries to any configured DNS server that is not in that list, which produces the symptoms above.

Resolution

Modify the ESXi firewall to allow DNS client connections to any IP address using one of the following methods:

Option 1: Using the vSphere Client (vCenter UI)

  1. Log in to vCenter Server using the vSphere Client.
  2. Browse to the affected ESXi host.
  3. Click Configure, then click Firewall under System.
  4. Click Outgoing to view outbound firewall rules.
  5. Click Edit.
  6. Expand the DNS Client service under Ungrouped.
  7. Select Allow connections from any IP address.
  8. Ensure the DNS Client service itself is selected (enabled).
  9. Click OK.
  10. Verify DNS resolution by running nslookup <hostname> from the ESXi shell.

Option 2: Using the VMware Host Client (ESXi UI)

  1. Connect directly to the ESXi host using the VMware Host Client (https://<esxi-host-ip>/ui).
  2. Click Networking in the inventory, then click Firewall rules.
  3. Locate the DNS Client service and click Edit settings.
  4. In the Allowed IP Addresses section, select Allow connections from any IP address.
  5. Click OK.
  6. Verify DNS resolution by running nslookup <hostname> from the ESXi shell.

Option 3: Using ESXCLI (Command Line)

  1. Connect to the ESXi host via SSH or direct console.
  2. Run the following command to allow DNS client connections from any IP address:
   esxcli network firewall ruleset set -a true -r dnsClient
  3. Verify the change:
   esxcli network firewall ruleset allowedip list -r dnsClient

The output should show Allowed IP Addresses: All.

  4. Verify DNS resolution:
   nslookup <hostname>
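The check in the Cause section and the remediation in Option 3, as an added example that is not part of this article: the script below parses the output of the two esxcli commands the article uses, reports which configured DNS servers the dnsClient ruleset would block, and then offers two fixes. The allow-all fix is the one the article prescribes; the least-privilege alternative keeps the ruleset restricted and adds only the configured DNS server addresses with esxcli network firewall ruleset allowedip add, which is the option to prefer when the ruleset was restricted on purpose. The table text below is constructed to mimic esxcli's layout (column spacing on a real host may differ slightly) so the parsing runs offline; the remediation functions are only meant to be run in the ESXi shell and are not executed here.

```sh
#!/bin/sh
# Added example, not from the KB article. Parses constructed esxcli output to
# decide whether the dnsClient firewall ruleset would block the configured DNS
# servers, then shows the two possible remediations.

# Constructed sample of "esxcli network firewall ruleset allowedip list -r dnsClient"
# in the failing state described by the article: only two addresses allowed.
SAMPLE_RESTRICTED='Ruleset    Allowed IP Addresses
---------  --------------------
dnsClient  10.0.0.5, 10.0.0.6'

# Constructed sample of the same command in the default (healthy) state.
SAMPLE_ALL='Ruleset    Allowed IP Addresses
---------  --------------------
dnsClient  All'

# Constructed sample of "esxcli network ip dns server list".
SAMPLE_DNS_SERVERS='   DNSServers: 10.0.0.5, 10.0.0.53'

# allowed_ips TEXT: print the Allowed IP Addresses field for dnsClient,
# either the word "All" or one address per line.
allowed_ips() {
    printf '%s\n' "$1" | awk '$1 == "dnsClient" {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/,[ \t]*/, "\n"); print }'
}

# dns_servers TEXT: print the configured DNS servers, one per line.
dns_servers() {
    printf '%s\n' "$1" | awk -F: '/DNSServers:/ {
        gsub(/,[ \t]*/, "\n", $2); sub(/^[ \t]+/, "", $2); print $2 }'
}

# blocked_servers ALLOWED_TEXT DNS_TEXT: print each configured DNS server the
# ruleset would not let the host reach; prints nothing when the ruleset is All.
blocked_servers() {
    allowed=$(allowed_ips "$1")
    [ "$allowed" = "All" ] && return 0
    dns_servers "$2" | while read -r srv; do
        printf '%s\n' "$allowed" | grep -qxF "$srv" || printf '%s\n' "$srv"
    done
}

# dns_client_verdict ALLOWED_TEXT DNS_TEXT: "ok" if every configured DNS server
# is allowed, otherwise "blocked".
dns_client_verdict() {
    if [ -z "$(blocked_servers "$1" "$2")" ]; then echo ok; else echo blocked; fi
}

# Least-privilege fix (run only on the ESXi host): keep the ruleset restricted
# and add just the DNS servers that are currently blocked. Assumes the
# allowedip "add" subcommand with -r/-i as documented for esxcli.
remediate_least_privilege() {
    blocked_servers "$(esxcli network firewall ruleset allowedip list -r dnsClient)" \
                    "$(esxcli network ip dns server list)" | while read -r srv; do
        esxcli network firewall ruleset allowedip add -r dnsClient -i "$srv"
    done
}

# Fix from the article (run only on the ESXi host): reopen the ruleset to all
# addresses. Broader than the least-privilege fix; use it when no address
# restriction was intended.
remediate_allow_all() {
    esxcli network firewall ruleset set -a true -r dnsClient
}

# Offline demonstration on the constructed samples (no esxcli calls).
echo "restricted ruleset: $(dns_client_verdict "$SAMPLE_RESTRICTED" "$SAMPLE_DNS_SERVERS")"
echo "blocked servers:    $(blocked_servers "$SAMPLE_RESTRICTED" "$SAMPLE_DNS_SERVERS" | tr '\n' ' ')"
echo "default ruleset:    $(dns_client_verdict "$SAMPLE_ALL" "$SAMPLE_DNS_SERVERS")"
```

On a live host, replace the constructed samples with the real command output (the remediation functions already do so) and rerun the allowedip list and nslookup checks from the article afterwards to confirm the change took effect.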

If the error persists after following these steps, contact Broadcom Support for further assistance.

When opening a support request, provide the following information:

  • Output of esxcli network firewall ruleset list
  • Output of esxcli network firewall ruleset allowedip list -r dnsClient
  • Output of esxcli network ip dns server list
  • Contents of /etc/hosts

Additional Information