Duo Setup: Failed to validate

Hi!

While trying to set up Duo as a 2FA provider for my instance I am getting a 400 Bad Request from the backend, with the log showing the following. Everything is working otherwise.

For a bit of background, my vaultwarden instance is hosted on a docker container, and DNS seems to be otherwise working on the other containers with the same settings. I do override the default docker DNS on the compose file and set the internal DNS server, which is confirmed to be working with both other containers and bare metal machines.

Any insight on what this may be or how to get around it? Is it an issue that I need to report? Thanks!

[2025-01-03 00:16:13.989][error][ERROR] Failed to validate Duo credentials.
[CAUSE] reqwest::Error {
    kind: Request,
    url: "https://api-########.duosecurity.com/auth/v2/check",
    source: hyper_util::client::legacy::Error(
        Connect,
        ConnectError(
            "dns error",
            Error {
                kind: InvalidInput,
                message: "invalid socket address",
            },
        ),
    ),
}

Check the /admin/diagnostics page.
But if DNS isn’t working, that isn’t an issue with Vaultwarden.
Either the container can’t connect to the DNS servers, or something else is configured incorrectly or blocking.

As an update to this, which I didn’t expect to be related, I had an issue with setting up Bitwarden push:

[2025-01-03 02:07:27.993][vaultwarden::api::push][ERROR] Error getting push token from bitwarden server: error sending request for url (https://identity.bitwarden.com/connect/token)

And found this little tidbit only above either error but only on the first attempt at using DNS, which ironically turns out to be the reason why neither worked for me:

[2025-01-03 02:07:27.916][vaultwarden::http_client][WARN] Error creating Hickory resolver, falling back to default: ResolveError { kind: Io(Custom { kind: Other, error: "Error parsing resolv.conf: directive at line 7 is not recognized" }) }

Whether I do or do not have any DNS options, resolvers, or search order on the compose file, it does not matter. Anything but nameserver entries or comments in /etc/resolv.conf inside the container seems to break DNS, whether using latest or latest-alpine tags.

Deeper we go…
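
As an added example (not part of the thread and not Vaultwarden code), the shell function below lists every line of a resolv.conf that is not a comment, a blank line, or a `nameserver` entry, with its line number, so the output can be matched against the "directive at line N is not recognized" warning. Treating everything except `nameserver` as suspect follows the observation in the post above rather than the resolver's documented grammar; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: audit a resolv.conf for lines a strict parser may reject.
# Assumption (from the post above, not from resolver documentation):
# only comments and `nameserver` entries are considered safe.

audit_resolv_conf() {
    # $1: path to a resolv.conf; "-" reads stdin; default is the live file.
    awk '
        { sub(/\r$/, "") }                # tolerate CRLF line endings
        /^[ \t]*$/    { next }            # blank line
        /^[ \t]*[#;]/ { next }            # comment line (# or ;)
        $1 == "nameserver" {
            # A nameserver keyword with no address is also worth reporting.
            if (NF < 2) printf "%d: nameserver without an address\n", NR
            next
        }
        # Anything else: print line number, keyword and the full line.
        { printf "%d: directive \"%s\": %s\n", NR, $1, $0 }
    ' "${1:-/etc/resolv.conf}"
}

# Constructed sample input, not taken from the thread.
sample_resolv_conf() {
    cat <<'EOF'
# constructed sample
nameserver 192.0.2.53
; second comment style
search lan.example
options ndots:0
nameserver
EOF
}

# Demo on the constructed sample; inside the container, call
# audit_resolv_conf with no argument to check /etc/resolv.conf.
sample_resolv_conf | audit_resolv_conf -
```

The line numbers it prints count comments and blank lines too, which is how the number in the parser warning should be read.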