Rémy

Reputation: 454

Inside a container, how to resolve DNS on the host, on a specific port

I've an instance running a Consul agent & Docker. The Consul agent can be used to resolve DNS queries on 0.0.0.0:8600. I'd like to use this from inside a container.

A manual test works: running dig @172.17.0.1 -p 8600 rabbitmq.service.consul inside a container resolves properly.

A first solution is to run with --network-mode host. It works. I'll do this until something better comes along. But I don't like it, security-wise.

Another idea: use Docker's --dns and associated options. Even if I can script grabbing the IP, I can't see how to specify port=8600. Maybe in --dns-opts, but how?

Along this line, writing the container's resolv.conf could do. But again, how to specify the port? I saw no hints in man resolv.conf; I believe it's not possible.

Last, I can set up a dnsmasq inside the container or in a sidecar container, along the lines of this Q/A. But it's a bit heavy.

Can anyone help with this one?

Upvotes: 0

Views: 687

Answers (1)

Blake Covarrubias

Reputation: 2303

You can achieve this with the following configuration.

  1. Configure each Consul container with a static IP address.
  2. Use Docker's --dns option to provide these IPs as resolvers to other containers.
  3. Create an iptables rule on the host system which redirects traffic destined to port 53 of the Consul server to port 8600.

For example:

$ sudo iptables --table nat --append PREROUTING --in-interface docker0 --proto udp \
  --dst 192.0.2.4 --dport 53 --jump DNAT --to-destination 192.0.2.4:8600

# Repeat for TCP
$ sudo iptables --table nat --append PREROUTING --in-interface docker0 --proto tcp \
  --dst 192.0.2.4 --dport 53 --jump DNAT --to-destination 192.0.2.4:8600

Upvotes: 0
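As an added example (not part of the answer above, and not Consul's or Docker's own tooling), the POSIX shell script below generates the two DNAT rules from the answer for a given Consul IP and bridge interface, validates the address first (a malformed dotted quad such as "1920.2.4" is rejected rather than handed to iptables), and wraps each append in an iptables -C check so re-running the script does not stack duplicate rules. The Consul IP 192.0.2.4 and the interface docker0 are the answer's values; the function names are this example's own.

```shell
#!/bin/sh
# Added example: emit idempotent DNAT rules redirecting port 53 -> 8600
# for the Consul container IP (hypothetical helper names, not a Consul/Docker tool).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print one "check, else append" iptables command for proto $1 (udp|tcp),
# Consul IP $2 and bridge interface $3. The -C test keeps the script idempotent.
dnat_rule() {
  rule="PREROUTING -i $3 -p $1 --dst $2 --dport 53 -j DNAT --to-destination $2:8600"
  printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$rule" "$rule"
}

# Print both rules (UDP and TCP, as in the answer) for Consul IP $1 on
# interface $2 (default docker0). Fails on a malformed address.
consul_dns_rules() {
  iface=${2:-docker0}
  valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
  dnat_rule udp "$1" "$iface"
  dnat_rule tcp "$1" "$iface"
}

# Usage (dry run): consul_dns_rules 192.0.2.4
# Apply:           consul_dns_rules 192.0.2.4 | sudo sh
# Containers then resolve via: docker run --dns 192.0.2.4 ...
```

The script only prints commands, so inspect the output before piping it to sudo sh.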
