DNS servers show requests from 169.254.1.2 (also for domains that shouldn't be requested by any running container)

[dozenposture]

I run my own DNS servers (primary and secondary), both based on Technitium containers running via Podman on separate hosts.

While reviewing queries on the primary server, I noticed a large number of requests originating from the IP address 169.254.1.2. Upon inspection, these requests appear to match traffic from containers I’m running.

From what I understand, 169.254.1.2 belongs to the link-local address range, typically used when a device cannot obtain an IP address from a DHCP server. Could this behavior be related to a recent Podman or Pasta update?

Previously, I would see queries coming from my server’s actual IP address, not from 169.254.1.2.

Additionally, I see requests to domains such as conncheck.opensuse.org, which is just a health-check endpoint. However, these should originate from my server’s IP address, not 169.254.1.2. I also notice queries to apple.com, microsoft.com, and similar domains, which I don’t believe any of my containers are directly requesting.

Can someone explain what’s going on here? Do I have something misconfigured?
Thanks!

[Luap99]

169.254.1.2 is the address we use inside the container namespace for dns which should make pasta map that to the real host nameserver address from the host.
I guess it may be that the mapping happens in both directions so incoming packages also get remapped?
cc @sbrivio-rh @dgibson

Could this behavior be related to a recent Podman or Pasta update?

It would help if you provide the versions you are using and on which versions it used to work.

[dozenposture]

I'm currently using podman version 5.6.0 and pasta 20250611.0293c6f-3.2.
I simply noticed the change recently, I can't remember since when exactly.

I guess it may be that the mapping happens in both directions so incoming packages also get remapped?

In the DNS server, I see queries coming from other device on the network, showing the correct IP address.
I set my own DNS server network wide via DHCP so I think every device connected gets both the primary and secondary address.

[Luap99]

I guess it may be that the mapping happens in both directions so incoming packages also get remapped?

In the DNS server, I see queries coming from other device on the network, showing the correct IP address.

Actually 169.254.1.1 is the dns address and 169.254.1.2 is --map-guest-addr (host address mapping).

So assuming you host ip is 192.168.1.10 for example this option then creates a NAT mapping between 192.168.1.10 on the host and 169.254.1.2 in the container. We typically have to use that because pasta copies the same host ip address into the container so connecting to the host ip directly will just result in a local connection inside the namespace. The idea is that by connecting to 169.254.1.2 (host.containers.internal) the container reaches services running on the host address. My guess is that is also maps the other way around. So only the connections coming from 192.168.1.10 will be translated to 169.254.1.2 in the container.

Podman started to use --map-guest-addr in v5.3 last year, I am not sure if there were any pasta changes since then.

[dozenposture]

Is there perhaps any test I can do or something I can change to have at least the queries coming from other devices showing up in the DNS server with their original IP addresses?

I still don't get why some queries to domains like apple.com are coming from 169.254.1.2 and some other show their original IP.
If it's a translation "issue" it should be for any query, from any device. But again, I still see a lot of devices showing up with their original IP address in the DNS server admin console.

[sbrivio-rh]

I guess it may be that the mapping happens in both directions so incoming packages also get remapped?

Yes, incoming packets from the initial namespace on the host itself, going to a local (non-loopback) IP address are mapped using the same address. If 88.198.0.164 is a local address, then:

$ pasta -qp test.pcap --config-net --map-guest-addr 169.254.1.2 -u 31337 -- socat UDP4-LISTEN:31337 OPEN:/dev/null & { sleep 0.1; socat EXEC:'echo x' UDP:88.198.0.164:31337; tshark -r test.pcap -Y udp; }
    3   0.082812  169.254.1.2 → 88.198.0.164 UDP 44 49395 → 31337 Len=2

Is there perhaps any test I can do or something I can change to have at least the queries coming from other devices showing up in the DNS server with their original IP addresses?

I would say let's try to understand exactly what's going on first.

I still don't get why some queries to domains like apple.com are coming from 169.254.1.2 and some other show their original IP.

I guess some DNS queries are from your own host (initial namespace, not from a container), and some are from containers or other hosts, correct? Could it be that the queries from the host are seen as coming from 169.254.1.2 and the other ones aren't?

Do you see perhaps a difference between TCP and UDP, by the way?

[dozenposture]

I checked the again the queries logs on both DNS servers and now no logs are showing up anymore from 169.254.1.2! Which is strange I would say, after what has been said above (and from @dgibson below as well).
Unfortunately old logs are gone now so I can't show how I saw the dashboard last week.

I do see only queries using the UDP protocol btw.

See below the full answer after a few hours of investigation.

[dgibson]

Right. This is expected behaviour with pasta as configured by podman. Requests coming from the container's host will appear to come from 169.254.1.2. It can't show the host's regular IP address, because that IP is shared by the container itself.

While this is counter-intuitive for this specific case, sharing the IP that way makes things simpler and more obvious for communication with any other peer.

Note that pasta can be configured with any address you like, not just 169.254.1.2. The choice of 169.254.1.2 comes from podman. Using one of the link-local addresses seemed like the safest option - anything else would mean you're shadowing some other host on your local net or the internet.

[dozenposture]

Alright, I spent some time investigating the situation and this is outcome at the moment:
Server IP is 192.168.1.138 and all DNS queries done from containers are showing up with IP... 192.168.1.138!

Here a simple output from a test done with a container called backrest:

backrest:/$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 9e:7d:b1:1c:19:00 brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.1/16 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c7d:b1ff:fe1c:1900/64 scope link flags 02
       valid_lft forever preferred_lft forever
backrest:/$ cat /etc/resolv.conf
search localdomain
nameserver 169.254.1.1
nameserver 192.168.1.138
nameserver 192.168.1.108

I do see the internal IP being 169.254.2.1 (associated to the tap0 interface), but I tried to run nslookup with a random domain and that query showed up in the DNS server with IP 192.168.1.138.

backrest:/$ nslookup theverge.com
Server:		169.254.1.1
Address:	169.254.1.1:53

Non-authoritative answer:

Non-authoritative answer:
Name:	theverge.com
Address: 151.101.65.91
Name:	theverge.com
Address: 151.101.1.91
Name:	theverge.com
Address: 151.101.193.91
Name:	theverge.com
Address: 151.101.129.91

And here the DNS logs:

RowNumber,Timestamp,ClientIpAddress,Protocol,ResponseType,ResponseRtt,RCODE,Domain,Type,Class,Answer
3662,2025-09-13T21:16:39.8919119Z,192.168.1.138,Udp,Recursive,13.742,NoError,theverge.com,AAAA,IN,
3663,2025-09-13T21:16:39.8926520Z,192.168.1.138,Udp,Recursive,14.4815,NoError,theverge.com,A,IN,"A 151.101.65.91, A 151.101.1.91, A 151.101.193.91, A 151.101.129.91"

I do not understand this at all. After the initial replies from @Luap99, @sbrivio-rh and now @dgibson, I thought that was normal to see the source IP as 169.254.1.2 but now there's not a single query done from that IP address.

Regarding queries done from my laptop and showing up with the server IP is because (I think) a VPN container I'm running called Tailscale. If I enable the Tailscale VPN tunnel on my laptop, queries are showing as 192.168.1.138. If I disable it, queries are showing up with my laptop IP address. Why? I have no idea, but there must be a technical explanation (perhaps traffic is routed via the tailscale container, so again the experienced behavior seen above).

I'm attaching the output of ip addr; ip route in case is needed to understand better the situation:

From the host:

podman@host:~/.config/containers> ip addr; ip route
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:85:c2:70:cd:b1 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    altname enx7085c270cdb1
    inet 192.168.1.138/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 83136sec preferred_lft 83136sec
    inet6 fe80::7285:c2ff:fe70:cdb1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eno1 proto dhcp src 192.168.1.138 metric 100
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.138 metric 100

From podman unshare --rootless-netns:

host:~/.config/containers # ip addr; ip route
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether ea:f9:dc:5a:07:1e brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.1/16 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::e8f9:dcff:fe5a:71e/64 scope link nodad proto kernel_ll
       valid_lft forever preferred_lft forever
3: podman1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d6:1f:46:e0:10:93 brd ff:ff:ff:ff:ff:ff
    inet 10.89.0.1/24 brd 10.89.0.255 scope global podman1
       valid_lft forever preferred_lft forever
    inet6 fe80::d41f:46ff:fee0:1093/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: veth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 9a:e1:67:61:d6:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::98e1:67ff:fe61:d6f9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: veth1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether de:7b:6c:3c:16:f8 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::dc7b:6cff:fe3c:16f8/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
6: veth2@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether fa:6d:07:fa:8f:2b brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::f86d:7ff:fefa:8f2b/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: veth3@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether be:a8:7c:ac:f0:ca brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::bca8:7cff:feac:f0ca/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
8: veth4@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 9a:f1:fc:ce:66:e5 brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::98f1:fcff:fece:66e5/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
9: veth5@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 82:a9:82:18:8f:40 brd ff:ff:ff:ff:ff:ff link-netnsid 5
    inet6 fe80::80a9:82ff:fe18:8f40/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
10: veth6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 32:0e:f4:b2:b0:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 6
    inet6 fe80::300e:f4ff:feb2:b0b7/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
11: veth7@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether c6:42:4e:9c:15:13 brd ff:ff:ff:ff:ff:ff link-netnsid 7
    inet6 fe80::c442:4eff:fe9c:1513/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
12: veth8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 6a:4b:d7:b5:ed:28 brd ff:ff:ff:ff:ff:ff link-netnsid 8
    inet6 fe80::684b:d7ff:feb5:ed28/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
13: veth9@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 82:82:9d:e1:05:15 brd ff:ff:ff:ff:ff:ff link-netnsid 9
    inet6 fe80::8082:9dff:fee1:515/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
14: veth10@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 06:e5:9f:a5:fc:33 brd ff:ff:ff:ff:ff:ff link-netnsid 10
    inet6 fe80::4e5:9fff:fea5:fc33/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
15: veth11@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 4a:28:da:7d:11:26 brd ff:ff:ff:ff:ff:ff link-netnsid 11
    inet6 fe80::4828:daff:fe7d:1126/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
16: veth12@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether f6:cc:87:22:31:3e brd ff:ff:ff:ff:ff:ff link-netnsid 12
    inet6 fe80::f4cc:87ff:fe22:313e/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
17: veth13@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether ea:25:47:fa:2a:d3 brd ff:ff:ff:ff:ff:ff link-netnsid 13
    inet6 fe80::e825:47ff:fefa:2ad3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
18: veth14@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether 7e:7e:56:17:0a:ee brd ff:ff:ff:ff:ff:ff link-netnsid 14
    inet6 fe80::7c7e:56ff:fe17:aee/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
19: veth15@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master podman1 state UP group default qlen 1000
    link/ether c6:34:ad:34:a6:03 brd ff:ff:ff:ff:ff:ff link-netnsid 15
    inet6 fe80::c434:adff:fe34:a603/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
default via 169.254.2.2 dev tap0
10.89.0.0/24 dev podman1 proto kernel scope link src 10.89.0.1
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.2.1

Thank you in advance for your time.

[dgibson]

Alright, I spent some time investigating the situation and this is outcome at the moment: Server IP is 192.168.1.138 and all DNS queries done from containers are showing up with IP... 192.168.1.138!

When you say "Server IP", do you mean the IP of the container in which the named is running? Or the IP of the host on which that container is running?

Here a simple output from a test done with a container called backrest:

backrest:/$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 9e:7d:b1:1c:19:00 brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.1/16 scope global tap0

Oh that's odd. I'd expect things from the container host to appear in the container as 169.254.x.y. I would not expect such a link local address on the container itself. Particularly not as the only address on the container.

   valid_lft forever preferred_lft forever
inet6 fe80::9c7d:b1ff:fe1c:1900/64 scope link flags 02
   valid_lft forever preferred_lft forever

backrest:/$ cat /etc/resolv.conf
search localdomain
nameserver 169.254.1.1
nameserver 192.168.1.138
nameserver 192.168.1.108

I do see the internal IP being `169.254.2.1` (**associated to the `tap0` interface**), but I tried to run nslookup with a random domain and that query showed up in the DNS server with IP `192.168.1.138`.

Uh... that's not what the quote below shows. It shows a server at 169.254.1.1.

backrest:/$ nslookup theverge.com
Server:		169.254.1.1
Address:	169.254.1.1:53

Non-authoritative answer:

Non-authoritative answer:
Name:	theverge.com
Address: 151.101.65.91
Name:	theverge.com
Address: 151.101.1.91
Name:	theverge.com
Address: 151.101.193.91
Name:	theverge.com
Address: 151.101.129.91

And here the DNS logs:

RowNumber,Timestamp,ClientIpAddress,Protocol,ResponseType,ResponseRtt,RCODE,Domain,Type,Class,Answer
3662,2025-09-13T21:16:39.8919119Z,192.168.1.138,Udp,Recursive,13.742,NoError,theverge.com,AAAA,IN,
3663,2025-09-13T21:16:39.8926520Z,192.168.1.138,Udp,Recursive,14.4815,NoError,theverge.com,A,IN,"A 151.101.65.91, A 151.101.1.91, A 151.101.193.91, A 151.101.129.91"

I do not understand this at all. After the initial replies from @Luap99, @sbrivio-rh and now @dgibson, I thought that was normal to see the source IP as 169.254.1.2 but now there's not a single query done from that IP address.

Regarding queries done from my laptop and showing up with the server IP is because (I think) a VPN container I'm running called Tailscale. If I enable the Tailscale VPN tunnel on my laptop, queries are showing as 192.168.1.138. If I disable it, queries are showing up with my laptop IP address. Why? I have no idea, but there must be a technical explanation (perhaps traffic is routed via the tailscale container, so again the experienced behavior seen above).

If the VPN is configured to tunnel everything - which is probably what it would be - then, yes I'd expect queries from the laptop to run via the VPN which would affect things. The DNS container will only pick one of the host's IPs - traffic from other IPs of the host will not be translated.

I'm attaching the output of ip addr; ip route in case is needed to understand better the situation:

From the host:

podman@host:~/.config/containers> ip addr; ip route
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 70:85:c2:70:cd:b1 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    altname enx7085c270cdb1
    inet 192.168.1.138/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 83136sec preferred_lft 83136sec
    inet6 fe80::7285:c2ff:fe70:cdb1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eno1 proto dhcp src 192.168.1.138 metric 100
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.138 metric 100

From podman unshare --rootless-netns:

Oh... you're using podman's shared netns. That adds its own extra NAT layer which is probably what's confusing things. I don't know much about how that works.

host:~/.config/containers # ip addr; ip route
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether ea:f9:dc:5a:07:1e brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.1/16 scope global tap0

I think this address must be being picked by podman.

[snip]

default via 169.254.2.2 dev tap0

... and I guess this address for the default gateway.

10.89.0.0/24 dev podman1 proto kernel scope link src 10.89.0.1
169.254.0.0/16 dev tap0 proto kernel scope link src 169.254.2.1

Thank you in advance for your time.

[Luap99]

Oh that's odd. I'd expect things from the container host to appear in the container as 169.254.x.y. I would not expect such a link local address on the container itself. Particularly not as the only address on the container.

These are the ips picked by pasta when it doesn't find a suitable interface with addresses on the host. (local mode)

So what happen sis that sometimes pasta starts to early before the host network is fully configured. As such in this case the mapping --map-guest-addr happens between 169.254.2.1 and 169.254.1.2. Thus no remapping between the host ip which comes online later.

This ties back to #24970 as there no update in pasta when said host address changes (netlink monitor feature)

[sbrivio-rh]

Oh that's odd. I'd expect things from the container host to appear in the container as 169.254.x.y. I would not expect such a link local address on the container itself. Particularly not as the only address on the container.

These are the ips picked by pasta when it doesn't find a suitable interface with addresses on the host. (local mode)

Right, thanks, I was about to comment on this and I forgot. See also https://passt.top/passt/commit/?id=14b84a7f077ecb734bb0e724f70bafeaa6d35a61 and the description of -a / --address in pasta(1).

default via 169.254.2.2 dev tap0

... and I guess this address for the default gateway.

Also picked by pasta, see commit above and the description of -g / --gateway.

[dgibson]

These are the ips picked by pasta when it doesn't find a suitable interface with addresses on the host. (local mode)

So what happen sis that sometimes pasta starts to early before the host network is fully configured. As such in this case the mapping --map-guest-addr happens between 169.254.2.1 and 169.254.1.2. Thus no remapping between the host ip which comes online later.

This ties back to #24970 as there no update in pasta when said host address changes (netlink monitor feature)

Ah, right this makes sense. I didn't recognize at a glance which link-local IPs were which.