From 2fa6b736d0a43532cf19b4baef9fb994e4f02533 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn
Date: Sat, 14 Feb 2026 14:34:47 +0100
Subject: [PATCH] scripts/build/.variables: don't use "netgo" when building Windows binaries

commit 880ef756b76a09d9c8f1ef2b4994265ebb2a1bc8 fixed static builds with CGO,
which included setting the `netgo` build-tag for static builds.

Starting with go1.19, the Go runtime on Windows now supports the `netgo`
build-flag to use a native Go DNS resolver. Prior to that version, the
build-flag only had an effect on non-Windows platforms.

From the go1.19 release notes: https://go.dev/doc/go1.19#net

> Resolver.PreferGo is now implemented on Windows and Plan 9. It previously
> only worked on Unix platforms. Combined with Dialer.Resolver and Resolver.Dial,
> it's now possible to write portable programs and be in control of all DNS name
> lookups when dialing.
>
> The net package now has initial support for the netgo build tag on Windows.
> When used, the package uses the Go DNS client (as used by Resolver.PreferGo)
> instead of asking Windows for DNS results. The upstream DNS server it discovers
> from Windows may not yet be correct with complex system network configurations,
> however.

This originally caused issues in the daemon, because the pure-go implementation
did not respect file-based resolution (`C:\Windows\System32\Drivers\etc\hosts`),
resulting in `localhost` not being resolvable, and custom entries in `.etc/hosts`
not being used. That specific problem was resolved in go1.22 (through
[golang/go@33d4a51]), but other limitations may still apply, and resolver
ordering may not respect VPN adaptors (such as Twingate) and queries sent
through the local network adapter instead of the VPN tunnel, resulting in
DNS resolution failures;

    Get "https://example.com:2376/v1.52/containers/json": dial tcp: lookup example.com: i/o timeout

This patch unsets the `netgo` option when (cross-)compiling for Windows,
similar to the patch used for the daemon (see [moby/moby@53d1b12]).
[golang/go@33d4a51]: https://github.com/golang/go/commit/33d4a5105cf2b2d549922e909e9239a48b8cefcc [moby/moby@53d1b12]: https://github.com/moby/moby/commit/53d1b12bc014b4243e9439fc2610eb4ef863659f Signed-off-by: Sebastiaan van Stijn --- scripts/build/.variables | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/build/.variables b/scripts/build/.variables index d37c945893c6..53afc14a21d3 100755 --- a/scripts/build/.variables +++ b/scripts/build/.variables @@ -102,6 +102,15 @@ if [ "$CGO_ENABLED" = "1" ] && [ "$GO_LINKMODE" = "static" ]; then # compiling statically with CGO enabled requires osusergo and netgo to be set. GO_BUILDTAGS="$GO_BUILDTAGS osusergo netgo" fi +# XXX: Disable netgo on Windows and use Windows system resolver instead. +# +# go1.19 and newer added support for netgo on Windows (https://go.dev/doc/go1.19#net), +# which may not respect VPN adaptors (such as Twingate) due to resolver ordering, +# resulting in queries being sent through the local network adapter instead of the +# VPN tunnel. See https://github.com/docker/cli/issues/6665 +if [ "$(go env GOOS)" = "windows" ]; then + GO_BUILDTAGS=$(echo "$GO_BUILDTAGS" | sed 's/\(^\| \)netgo\( \|$\)/\1/g') +fi if [ -n "$GO_STRIP" ]; then # if stripping enabled and building with llvm < 12 against darwin/amd64 # platform, it will fail with:
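Review bot: The sed expression in the new `if [ "$(go env GOOS)" = "windows" ]` block uses `\|` alternation inside a basic regular expression, which is a GNU extension and not part of POSIX BRE. On a build host whose sed does not implement it, the pattern silently fails to match and `netgo` stays in GO_BUILDTAGS, so the Windows binary keeps the Go resolver with no error to flag it. Using extended syntax, `sed -E 's/(^| )netgo( |$)/\1/g'`, keeps the same behaviour without the GNU-only escape. Two smaller points on the same line: because each match consumes the trailing space, two adjacent `netgo` entries would leave the second one in place, and the block runs unconditionally, so it also strips a `netgo` tag that was already in GO_BUILDTAGS before the static CGO branch appended one; if that is intended, it is worth saying so in the comment. A check after the substitution that the resulting tags no longer contain `netgo` would make a failed strip visible at build time instead of as a DNS timeout at runtime.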