Reputation: 21
I have the DNS server Unbound in a docker container. This container has the following port mapping in the docker daemon: 0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp
The docker host has the IP address 192.168.24.5 and a local DHCP server announces the host's IP as the local DNS server. This works fine all over my local network. The host itself uses this DNS server through the IP 192.168.24.5. That's the address that is put to the host's /etc/resolv.conf. (I know it would not work with docker if there was 127.0.0.1 as the nameserver address.)
I have some other docker containers and they are supposed to use this DNS server as well. The point is, they don't.
What actually happens is this: Within a random container I can ping the host's address as well as the address of the unbound container. But when I use dig inside a container I get these results:
# dig @172.17.0.6 ...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22778
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
# dig @192.168.24.5 ...
;; reply from unexpected source: 172.17.0.1#53, expected 192.168.24.5#53
This looks like some internal DNS server intercepts the queries and tries to answer them. That would be fine if it used the host's DNS server to get an answer, but it doesn't. DNS doesn't work at all in the containers.
Am I doing something wrong, or is docker doing something it should not?
Upvotes: 2
Views: 8848
Reputation: 6222
The issue is iptables UDP NAT for the DNS server. You're querying the host IP, while the response comes from the docker bridge network.
There are at least two ways to fix this issue:
or
--net=host
to your DNS server container and remove port mapping altogether. Then host IP DNS would work as expected.
Upvotes: 4
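Added example (not code from the original post): a small Python probe that reproduces the two dig symptoms from the question without dig. It sends one recursive A query over UDP and reports when the reply comes back from a different source address than the one queried (the bridge-side NAT rewrite described in the answer) or carries rcode REFUSED. The server IPs and the name example.com are assumptions; run it from inside a container against the host IP before and after moving the DNS container to --net=host.

```python
"""Probe a DNS server the way dig does and classify the reply.
Added example; the addresses below are assumptions, not from the post."""
import socket
import struct

REFUSED = 5  # DNS rcode 5, the status dig showed for the bridge IP

def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query (flags 0x0100 = RD) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(data: bytes) -> dict:
    """Extract the header fields dig prints: id, flags, rcode, counts."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0x000F, "qd": qd, "an": an}

def classify(sent_to: str, reply_from: str, hdr: dict, qid: int) -> str:
    """Mirror dig's checks: source address, transaction id, then rcode."""
    if reply_from != sent_to:
        return f"unexpected source: reply from {reply_from}, expected {sent_to}"
    if hdr["id"] != qid:
        return "id mismatch: reply does not belong to this query"
    if hdr["rcode"] == REFUSED:
        return "REFUSED: server does not accept queries from this client"
    return "ok"

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query to `server`:53 over UDP and classify what comes back."""
    qid = 22778  # same transaction id as the dig run in the question
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, (src, _port) = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout: no reply"
    finally:
        sock.close()
    return classify(server, src, parse_header(data), qid)

if __name__ == "__main__":
    import sys
    # Assumed host IP from the question; pass another address as argv[1].
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.24.5"))
```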