Is it possible to change the DNS TTL of embedded DNS server?
With Docker Desktop on macOS, I have launched multiple containers via Docker Compose. Those containers can communicate with each other.
Within one of the containers, I can see the default DNS server is 127.0.0.11 as follows.
root@0087d71929bd:/data# cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
When I tried to dig another container (e.g. postgres), the TTL is 600 as shown below.
root@0087d71929bd:/data# dig postgres
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> postgres
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;postgres. IN A
;; ANSWER SECTION:
postgres. 600 IN A 172.18.0.5
;; Query time: 1 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Mon Feb 05 14:26:45 UTC 2024
;; MSG SIZE rcvd: 50
I know that containerd has an embedded DNS server. Can we configure the TTL value? And how?
The internal DNS service is implemented by Docker Engine and can't be configured by Compose. Please ask on https://github.com/moby/moby
Can you please clarify the reason you want to tweak the DNS TTL?
@ndeloof the current DNS TTL value is fixed to 600s (5m). Container A connects to container B periodically at an interval of 2s, and suddenly container B changes its IP address (crashed and recreated with a new IP). For 600s, container A cannot connect to container B any longer due to the cached deprecated IP address.
If we can tweak the DNS TTL to a lower value, container A can recover the connection to container B quickly.
For this scenario, a possible workaround is to access the other service through a proxy, which can manage load-balancing and new instance discovery, see https://medium.com/@aedemirsen/load-balancing-with-docker-compose-and-nginx-b9077696f624. nginx, used in this example, can be configured with `resolver 127.0.0.11 valid=5s;` to discover available replicas with a lower TTL.
@ndeloof brilliant reference.
For future reference:
- https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
- https://nginx.org/en/docs/stream/ngx_stream_upstream_module.html#resolver
By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it:
resolver 127.0.0.1 [::1]:5353 valid=30s;
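The proxy workaround from the thread, worked through as an added example (not code from the thread, from Docker, or from the nginx project). It uses nginx's stream module to front a TCP service such as the `postgres` container discussed above, rather than the HTTP setup of the linked article. Assumptions: nginx runs in a sidecar container on the same Compose network, the backing service is named `postgres` on port 5432, and nginx is at least 1.19.3 (needed for `set` in the stream context). The commented-out static upstream is the variant that suffers from the problem in this thread; the live server block is the one that re-resolves:

```nginx
# Added example, not from the thread or from the Docker/nginx projects.
# nginx sidecar on the Compose network, proxying TCP 5432 to the
# "postgres" service via Docker's embedded DNS at 127.0.0.11.
events {}

stream {
    # Ask the embedded DNS directly (nginx does not re-read
    # /etc/resolv.conf at runtime) and keep each answer for at most 5s
    # instead of the 600s TTL Docker puts on the record.
    resolver 127.0.0.11 valid=5s ipv6=off;

    # The default resolver_timeout of 30s would stall new connections while
    # the name is unresolvable (container being recreated); fail faster so
    # the client can retry.
    resolver_timeout 2s;

    # Problematic variant: a static upstream is resolved once when nginx
    # starts or reloads and never again, so after "postgres" comes back
    # with a new IP the proxy keeps dialing the old address.
    #
    # upstream postgres_static {
    #     server postgres:5432;
    # }
    # server {
    #     listen 5432;
    #     proxy_pass postgres_static;
    # }

    # Working variant: with the target held in a variable nginx resolves
    # the name per connection (bounded by the 5s resolver cache above), so
    # new connections reach the new IP within seconds of the recreate.
    server {
        listen 5432;
        set $backend "postgres:5432";
        proxy_pass $backend;
        proxy_connect_timeout 2s;
    }
}
```

Container A then connects to the nginx sidecar instead of to `postgres` directly. Note that the `valid=` override only affects nginx's own cache; it does not change the TTL the embedded DNS hands to any other client, so a client that caches answers for the full TTL (for example a JVM with its default positive lookup cache) still needs this proxy in front of it or its own cache setting lowered.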