Terraform IaC / networking terraform dns networking
Ben Whitfield Senior Full-Stack Engineer

Terraform Error: dial tcp: no such host

Encountering "dial tcp: no such host" in Terraform means your system can't resolve the DNS of a crucial endpoint; this guide explains how to diagnose and fix it.

What This Error Means

When Terraform reports dial tcp: no such host, it's signaling a fundamental network communication failure. Specifically, this error occurs when Terraform attempts to establish a TCP connection to a remote server or service endpoint, but the operating system fails to translate the provided hostname into an IP address.

In simpler terms, Terraform asked the system's DNS resolver, "Hey, what's the IP address for example.com?", and the system responded, "I have no idea what example.com is." This isn't a problem with Terraform's logic or your Infrastructure as Code (IaC) configuration directly, but rather an underlying network or system-level issue preventing successful DNS resolution. Terraform relies heavily on these network connections to interact with cloud providers (AWS, Azure, GCP), Kubernetes clusters, custom services, or even remote state backends like S3 or Azure Blob Storage. If it can't find the host, it can't proceed.

Why It Happens

This error isn't a bug in Terraform itself; it's a symptom of your execution environment's inability to perform a crucial networking task: DNS lookup. Terraform, when initialized or applying a plan, makes API calls to various services. Before it can make these calls, it needs to know where to send them. This "where" is usually a hostname (e.g., s3.amazonaws.com, management.azure.com, kubernetes.default.svc.cluster.local).

The dial tcp part of the error indicates that Terraform is trying to initiate a TCP connection, which is the standard protocol for most internet communications. The no such host is the critical piece of information, signifying that the DNS lookup for the hostname failed. The operating system's DNS client couldn't find a record for that specific hostname in any configured DNS server or local hosts file.

I've seen this in production environments where network segmentation or proxy settings were misconfigured, leading to Terraform attempts to resolve hostnames that were simply unreachable from its execution context.

Common Causes

In my experience, the dial tcp: no such host error almost always boils down to one of these common scenarios:

  1. Typo in Hostname/Endpoint: This is, by far, the most frequent culprit. A simple misspelling in a provider block, backend configuration, or a data source referencing an external service can lead to an unresolvable hostname. For example, s3.us-est-1.amazonaws.com instead of s3.us-east-1.amazonaws.com.
  2. Incorrect Provider Region or Endpoint: Cloud providers often have region-specific endpoints. Specifying an invalid region (e.g., a non-existent AWS region us-south-1) or an incorrect custom endpoint URL will result in an unresolvable hostname.
  3. DNS Server Misconfiguration:
    • Local Machine: Your resolv.conf (Linux/macOS) or network adapter DNS settings (Windows) might be pointing to an incorrect, unreachable, or non-responsive DNS server.
    • Docker Containers: Containers often inherit DNS settings from the host, but can also be explicitly configured. If the container can't reach its configured DNS server, resolution fails.
    • CI/CD Environments: Build agents or runners might operate in isolated networks with different DNS configurations, or their network access might be restricted.
  4. Network Connectivity Issues:
    • No Internet Access: If your system lacks general internet connectivity, it won't be able to reach public DNS servers or cloud provider endpoints.
    • Firewall Rules: Outbound firewall rules (on your machine, network, or cloud VPC security groups) might be blocking DNS queries on port 53 (UDP/TCP) or blocking access to the target endpoint's IP.
    • VPN Interference: Sometimes a VPN can route DNS queries incorrectly or prevent resolution of internal or external hostnames.
  5. Private DNS Zones / hosts File Issues: If you're trying to resolve a private hostname (e.g., a service within your VPC, or an on-premises resource), your system might not have access to the internal DNS servers, or the hosts file (/etc/hosts on Linux/macOS, C:\Windows\System32\drivers\etc\hosts on Windows) might be missing the entry.
  6. Proxy Server Problems: If your environment uses an HTTP/HTTPS proxy, and it's misconfigured or failing, it can prevent proper DNS resolution or connection establishment.
  7. Service Unavailable/Removed: While less common for major cloud providers, if you're connecting to a custom service or an older endpoint that has been decommissioned, its DNS record might no longer exist.

Step-by-Step Fix

Diagnosing and fixing dial tcp: no such host requires a systematic approach, starting from the most obvious potential issues.

  1. Identify the Failing Hostname:

    • Carefully read the full Terraform error message. It often includes the specific hostname or URL that couldn't be resolved. For example, it might say error establishing connection to S3 backend: dial tcp: lookup s3.us-est-1.amazonaws.com: no such host. This is your primary clue.

  2. Verify the Hostname for Typos:

    • Open your Terraform configuration (.tf files) and search for the identified hostname.
    • Scrutinize provider blocks, backend configurations, data sources, and any variables that define endpoints. Look for subtle misspellings, incorrect hyphens, or missing characters.
    • Common areas to check: region attribute in providers, endpoint attributes in backend configurations.

  3. Test DNS Resolution from Your Environment:

    • Open a terminal (or command prompt).
    • Use standard network tools to try and resolve the hostname identified in step 1.
    • ping <hostname>: A quick check, but relies on ICMP, not TCP. If this fails, DNS is definitely broken.
    • nslookup <hostname>: Specifically queries DNS. This is very useful.
    • dig <hostname> (Linux/macOS): Another powerful DNS lookup tool, often providing more detail.
    • If any of these fail for the target hostname (but work for public sites like google.com), your DNS resolver is the problem.
    • Check your local DNS configuration:
      • Linux/macOS: cat /etc/resolv.conf
      • Windows: ipconfig /all or check your network adapter settings in Control Panel. Ensure the listed DNS servers are correct and reachable.

  4. Check Network Connectivity and Firewalls:

    • Can your system reach the internet generally? ping 8.8.8.8 (Google's public DNS) or ping google.com.
    • If ping 8.8.8.8 works but ping google.com fails, your DNS resolver is likely the issue.
    • If neither works, you have a fundamental network connectivity problem.
    • Firewall: Check if your local firewall (e.g., ufw on Linux, macOS Firewall, Windows Defender) or network firewall (security groups, NACLs in cloud environments) is blocking outbound connections on port 53 (for DNS) or the specific port of the target service (e.g., 443 for HTTPS).
    • VPN: If you're connected to a VPN, try disconnecting and re-running Terraform. Some VPNs can interfere with local or corporate DNS resolution.

  5. Review Provider and Backend Configurations:

    • Double-check the official documentation for the provider or service you're trying to connect to. Ensure the endpoint URLs, regions, or service names are precisely correct.
    • For example, if you're explicitly setting an endpoint for an S3 backend, make sure it's valid. Often, for standard cloud provider regions, you don't even need an endpoint as Terraform infers it from the region.

  6. Consider Private DNS or hosts File:

    • If the hostname is for an internal resource (e.g., a private VPC endpoint, an on-premises server), ensure that:
      • Your system's DNS configuration includes the necessary corporate or VPC-specific DNS resolvers.
      • The hostname is correctly entered in your local hosts file with the correct IP address.
      • For cloud environments: VPC DNS resolution settings are enabled (enableDnsHostnames, enableDnsSupport in AWS VPCs).

  7. Check Proxy Settings:

    • If you're behind an HTTP/HTTPS proxy, ensure the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY are correctly configured for your Terraform execution environment. A misconfigured proxy can prevent DNS resolution or direct connections.

Code Examples

Here are some common configuration issues that lead to dial tcp: no such host and how to fix them.

1. Typo in AWS Provider Region:

provider "aws" {
  region = "us-est-1" # Typo: Should be "us-east-1"
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-unique-bucket-name"
}

Correction:

provider "aws" {
  region = "us-east-1" # Corrected
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-unique-bucket-name"
}

2. Incorrect S3 Backend Endpoint:

terraform {
  backend "s3" {
    bucket         = "my-tf-state-bucket"
    key            = "path/to/terraform.tfstate"
    region         = "us-east-1"
    endpoint       = "s3.us-eaast-1.amazonaws.com" # Typo: Should be "s3.us-east-1.amazonaws.com"
    # Or, for standard regions, often best to omit 'endpoint'
  }
}

Correction (removing redundant endpoint for standard region):

terraform {
  backend "s3" {
    bucket         = "my-tf-state-bucket"
    key            = "path/to/terraform.tfstate"
    region         = "us-east-1" # Terraform will infer the correct endpoint
  }
}

3. Diagnosing DNS with Shell Commands:

# Attempt to ping the problematic hostname
ping s3.us-est-1.amazonaws.com

# Use nslookup to query DNS specifically
nslookup s3.us-est-1.amazonaws.com

# On Linux/macOS, dig provides more verbose DNS information
dig s3.us-est-1.amazonaws.com

# Check your current DNS resolver configuration
cat /etc/resolv.conf # Linux/macOS
ipconfig /all        # Windows (look for DNS Servers)

# Check network connectivity to a known good public DNS server
ping 8.8.8.8

Environment-Specific Notes

The troubleshooting steps can vary slightly depending on where you're running Terraform.

Cloud Environments (EC2, Fargate, Lambda, Azure VM, GCP Instance)

  • VPC/VNet DNS Settings: Ensure your Virtual Private Cloud (VPC) or Virtual Network (VNet) has DNS resolution enabled. For AWS, check enableDnsHostnames and enableDnsSupport attributes on your VPC. If you're using custom DNS resolvers, verify their configuration within the VPC.
  • Security Groups/Network ACLs: These act as firewalls for your cloud resources. Ensure outbound rules allow traffic on:
    • Port 53 (UDP/TCP) to your DNS servers (e.g., VPC default DNS, public DNS like 8.8.8.8, or custom DNS).
    • Port 443 (HTTPS) to the API endpoints of the cloud provider or external services Terraform needs to connect to.
  • IAM Roles/Permissions: While less directly related to no such host, incorrect IAM roles could theoretically prevent a resource from being able to route to DNS servers. It's rare, but worth a quick sanity check if all else fails.
  • VPC Endpoints/PrivateLink: If you're trying to reach cloud provider services (e.g., S3, EC2 APIs) via a private VPC endpoint, ensure the endpoint is correctly configured and that its associated security groups allow traffic from your Terraform execution environment.

Docker Containers

  • Container DNS: Docker containers often inherit DNS settings from the host. However, they can be overridden.
    • Check the container's /etc/resolv.conf inside the container (docker exec <container_id> cat /etc/resolv.conf).
    • You can specify DNS servers using the --dns flag when running docker run.
    • If using a Docker Compose setup, check the network configuration for any custom DNS settings.
  • Network Mode: If the container is running with a specific network mode (e.g., host or a custom bridge network), ensure that network mode allows outbound access and proper DNS resolution.
  • Proxy within Container: If Terraform inside Docker needs a proxy, ensure the HTTP_PROXY/HTTPS_PROXY environment variables are correctly passed into the container.

Local Development Machine

  • hosts File: Check your local hosts file (/etc/hosts on Linux/macOS, C:\Windows\System32\drivers\etc\hosts on Windows) for any conflicting or incorrect entries that might be overriding DNS.
  • Network Adapter DNS Settings: Verify the DNS servers configured for your primary network adapter. Sometimes public Wi-Fi or corporate networks can temporarily override these.
  • Local Firewall: Your operating system's firewall (Windows Defender, macOS Firewall, ufw/firewalld on Linux) might be blocking outbound connections to DNS servers or specific API endpoints.
  • VPN Client: As mentioned, a VPN client can route all traffic, including DNS queries, through its tunnel. This can lead to issues if the VPN's DNS servers can't resolve your target hostnames (e.g., internal corporate resources when off the VPN, or public cloud resources when on a restrictive corporate VPN).

Frequently Asked Questions

Q: Is "dial tcp: no such host" a bug in Terraform?
A: No, this is not a Terraform bug. It's an error reported by the underlying operating system's networking stack, indicating that it could not resolve a hostname to an IP address. Terraform is simply surfacing this critical system-level error.

Q: Why does this error appear intermittently? It works sometimes, but fails others.
A: Intermittent no such host errors often point to flaky network conditions or DNS server instability. This could be due to:
* Temporary network congestion or packet loss affecting DNS queries.
* DNS server caching issues or delays in propagation.
* VPN connection flapping.
* Running in different environments (e.g., local vs. CI/CD) where DNS configurations differ slightly.

Q: Can I just use an IP address instead of a hostname to avoid this error?
A: While technically possible for simple connections, it's generally not recommended for cloud providers or complex services. Many services use virtual hosting (SNI - Server Name Indication) and expect a hostname in the request. Also, IP addresses for cloud provider endpoints can change. Stick to hostnames and fix the underlying DNS issue.

Q: My ping command works for the hostname, but Terraform still fails with "no such host." What gives?
A: If ping works but nslookup or dig also fail, this suggests ping might be resolving the name from a local hosts file entry that Terraform's network stack isn't utilizing, or that your system's DNS resolution path is inconsistent. If ping, nslookup, and dig all work, then the no such host error is highly unusual. In that specific scenario, I'd then investigate deeper network layers like proxy configurations, or even temporary DNS resolver timeouts that Terraform might be hitting faster than your manual ping attempts. It could also mean the DNS is resolving, but the connection is failing for another reason, and the error message is slightly misleading (though that's rare for no such host).