dns-proxy-server
dns-proxy-server copied to clipboard
mageddo
OSX Compatibility
What is expected
Support OSX
Currently per default you can not access container with their IPs directly on OSX. There are some workarounds and for me the best working thing is https://github.com/AlmirKadric-Published/docker-tuntap-osx . Using this (after setup the routing), I can ping and dig/nslookup directly to DPS
What is Happening
An issue for me is, that the DPS overwrites all *.docker.internal DNS entries, that also used on windows. That are e.g. host.docker.internal or gateway.docker.internal There is a pull-request, to add this also to linux to provide an "same behaviour on all OSes": https://github.com/docker/libnetwork/pull/2348 . Hopefully it is merged in the next months.
Cause of the Docker-for-Mac (DfM) implementation, all others containers can not reach the dns, if I add the volume mapping to /etc/resolv.conf, so all builds fails (DNS e.g. for apt update) and so on...
Changes
I tried this locally and think, that this should work:
- [ ] ignore *.docker.internal and let resolve them from the docker-daemon
- [ ] add a flag or an IP option, that is populating to the
resolv.conf
What I expect:
Mapping the dns-proxy to localhost:53 (localhost = host), populate in the resolv.conf as host.docker.internal (resolved to ip).
ignore *.docker.internal and let resolve them from the docker-daemon
What's supposed to ignore this entries and forward them to docker daemon?
add a flag or an IP option, that is populating to the resolv.conf
Do you wanna to parameterize which DNS server IP should be written to resolv.conf
Okay,
Can you elaborate which is your use case?
DPS will not be useful for the host machine in this case since overlay network is only accessible by the containers connected to it, any swarm container solved IP will not be accessible from the host machine due network scope limitations and bridge networks are not allowed in swarm stack services
The only useful DPS features probably will be cname , the local store entries and the remote proxy DNS.
@mageddo Thanks for the fast response
The use case is, that we have some developer machines, that should be available on the host machine. eg mydev.docker. On Linux this works pretty well, but on OSX not. (Windows I don't known, but there is a documentation for that, I think this also works).
add a flag or an IP option, that is populating to the resolv.conf
Do you wanna to parameterize which DNS server IP should be written to resolv.conf
What I want is, that we add in the resolv.conf the gateway.docker.internal (for me this is 192.168.65.1). If I map the port 53 from DPS to the "localhost", than all containers can access them. Now it is in its own network like 172.17.20.0/24 and on build 172.17.21.0/24 can not resolve any dns queries. I think, do allow some ip is not pretty well. Maybe we can make a os switch inside your code or an option like: auto-os or something (For me: we want the dev-ENV on OSX/Linux/Win)
ignore *.docker.internal and let resolve them from the docker-daemon
What's supposed to ignore this entries and forward them to docker daemon?
How i can ignore them? I added host.* and gateway.* as predefined entries in the config. On OSX per default all containers use as NS the IP of gateway.docker.internal, which is for me 192.168.65.1. The best, I think, is to resolve everything from docker.internal to this IP. Should be possible or?!
@mageddo Got you any time, to what at this?
With binding *:53 to "localhost" and avoid mapping of the resolv.conf, it is run fine for me, but i have to add host.docker.internal and gateway.docker.internal as preconfigured values in the config.json .
Any progress with this? would love this feature
Also a detailed instructions of the workaround could be useful
@TheKnightCoder I'm trying to figure out yet exactly must be did to get DPS working on Mac yet.
@jwundrak
So if you
- Configure your
config.jsonlike attach 1 - Start DPS publishing the 53 port like attach 2
- Configure
/etc/resolv.confon host machine like attach 3
Then you get DPS fully working?
Attach 3
nameserver 127.0.0.1
Attach 2
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-p 53:53 \
-v -v config.json:/app/conf/config.json \
defreitas/dns-proxy-server
Attach 1
{
"version": 2,
"remoteDnsServers": [],
"envs": [
{
"name": "",
"hostnames": [
{
"hostname": "host.docker.internal",
"ip": "",
"target": "host.docker",
"ttl": 60,
"type": "CNAME"
},
{
"hostname": "gateway.docker.internal",
"ip": "",
"target": "host.docker",
"ttl": 60,
"type": "CNAME"
}
]
}
],
"activeEnv": "",
"webServerPort": 0,
"dnsServerPort": 0,
"defaultDns": null,
"logLevel": "",
"logFile": "",
"registerContainerNames": false,
"hostMachineHostname": "",
"domain": "",
"dpsNetwork": false,
"dpsNetworkAutoConnect": false
}
I tried and it is not working.
I made a couple of corrections still.
The docker run must specify the port as udp 53:53/udp. In addition the current command mounts config.json as a directory. It thus needs to be $(pwd)/config.json:... . Finally, at least macos 10.14 does not use resolv.conf. To add the localhost as a nameserver I run the following command: sudo networksetup -setdnsservers Wi-Fi 127.0.0.1.
After this corrections DPS starts logging requests. However the resolution is failing.
nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.172.78
❯ nslookup dns.mageddo
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find dns.mageddo: NXDOMAIN
I think you get close @gchari-asapp , probably networksetup -setdnsservers Wi-Fi will work correctly only when specifying a IP which isn't a loopback address, need to specify your network interface IP, something like '192.168.0.x'.
I'm finally with access to a MacBook so I did some tests using DPS 3.7.0, my conclusion is it's now working the best it can on Mac due Docker for Mac limitations, can you confirm that or am I missing some feature? Got the following results after ran the steps below:
$ sudo ./dns-proxy-server
A nginx container:
$ docker run --rm --hostname nginx.docker nginx
Running a container to make some tests
$ docker run --rm -it --hostname alpine.docker alpine sh
# Docker gateway is solving
$ nslookup gateway.docker.internal
Server: 192.168.65.7
Address: 192.168.65.7:53
Non-authoritative answer:
Name: gateway.docker.internal
Address: 192.168.65.2
Non-authoritative answer:
$ nslookup host.docker.internal
Server: 192.168.65.7
Address: 192.168.65.7:53
Non-authoritative answer:
Non-authoritative answer:
Name: host.docker.internal
Address: 192.168.65.2
# DPS docker container feature is also solving
$ nslookup alpine.docker
Server: 192.168.65.7
Address: 192.168.65.7:53
Non-authoritative answer:
Name: alpine.docker
Address: 172.17.0.4
Non-authoritative answer:
# Internet resolution also working
$ nslookup google.com
Server: 192.168.65.7
Address: 192.168.65.7:53
Non-authoritative answer:
Name: google.com
Address: 2800:3f0:4001:833::200e
Non-authoritative answer:
Name: google.com
Address: 142.250.219.238
# Other container also solving
$ wget -q -S -O - nginx.docker
HTTP/1.1 200 OK
Server: nginx/1.23.3
Date: Sat, 04 Mar 2023 03:50:52 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 13 Dec 2022 15:53:53 GMT
Connection: close
ETag: "6398a011-267"
Accept-Ranges: bytes