
dns and dns_search option break the link between internal dns docker and host dns

Open bdoublet91 opened this issue 2 years ago • 1 comment

Description

Hi, as I read in the Docker documentation:

By default, a container inherits the DNS settings of the host, as defined in the /etc/resolv.conf configuration file. Containers that use the default bridge network get a copy of this file, whereas containers that use a [custom network](https://docs.docker.com/network/network-tutorial-standalone/#use-user-defined-bridge-networks) use Docker’s embedded DNS server, which forwards external DNS lookups to the DNS servers configured on the host.

I use a Swarm cluster on an OpenStack (OVH) server, so containers take the OpenStack DNS configuration.

host

nameserver 127.0.0.53
search openstacklocal patrowl.local
options edns0 trust-ad

container

search openstacklocal
nameserver 127.0.0.11 # internal Docker DNS, linked to the host DNS according to the documentation
options ndots:0

I can ping google.fr and IPs like 8.8.8.8, so it works fine (default configuration).

Now I have to make some DNS requests to my internal DNS server, so I tried to configure it directly in my Docker Compose service:

  uptime:
    image: ${REGISTRY_DOMAIN}/uptime:${UPTIME_TAG?Variable UPTIME_TAG is not set}
    dns:
      - 10.x.x.80
      - 10.x.x.4
    dns_search:
      - openstacklocal
      - toto.local

Now I get this configuration in my container:

search openstacklocal toto.local
nameserver 127.0.0.11
options ndots:0

I can resolve all internal DNS requests, but I can't resolve public records (I have no resolvers on my internal DNS servers), so I hoped the container would keep the host DNS plus the internal DNS configuration.

Do you know what happened? Maybe I made a misconfiguration or didn't understand the Docker DNS configuration well.

It's just to understand, because I have already fixed my problem: I configured my internal DNS on the Docker host, which propagates the DNS configuration to the container, to have internal and public DNS resolution at the same time.

Thanks for your time

Reproduce

vi docker-compose.yml

  uptime:
    image: ${REGISTRY_DOMAIN}/uptime:${UPTIME_TAG?Variable UPTIME_TAG is not set}
    dns:
      - 10.x.x.80
      - 10.x.x.4
    dns_search: toto.local

Expected behavior

No response

docker version

Client: Docker Engine - Community
 Version:           20.10.8
 API version:       1.41
 Go version:        go1.16.6
 Git commit:        3967b7d
 Built:             Fri Jul 30 19:54:08 2021
 OS/Arch:           linux/amd64
 Context:           admin-swarm-cluster
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.17.11
  Git commit:       a89b842
  Built:            Mon Jun  6 23:01:03 2022
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.6
  GitCommit:        10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc:
  Version:          1.1.2
  GitCommit:        v1.1.2-0-ga916309
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Context:    admin-swarm-cluster
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 27
  Running: 11
  Paused: 0
  Stopped: 16
 Images: 29
 Server Version: 20.10.17
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  Is Manager: true
  Managers: 3
  Nodes: 3
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Manager Addresses:
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
 runc version: v1.1.2-0-ga916309
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.4.0-88-generic
 Operating System: Ubuntu 20.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 14.31GiB
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  registry.local:5000
  127.0.0.0/8
 Live Restore Enabled: false
WARNING: No swap limit support

Additional Info

No response

bdoublet91, Aug 10 '22 15:08

The 127.0.0.11 DNS inside the container is the docker daemon's internal resolver; this resolver only resolves the internal DNS names (on the internal docker-container network); any other DNS resolutions will be forwarded to the DNS server on the host.

I can resolve all internal dns request but I can't resolve all publics records (I have no resolvers on my internal dns servers)

So if your host's DNS server is not able to resolve public records, the docker daemon won't be able to resolve those.

thaJeztah, Aug 10 '22 20:08
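The following is an added example, not code from moby or from either participant above. It parses the resolv.conf snippets shown in the report (reconstructed here as constructed inputs, with 10.0.0.x standing in for the redacted 10.x.x.x addresses) and models which upstream servers the embedded 127.0.0.11 resolver ends up forwarding to in the two situations the reporter describes: inheriting from a host that only lists the systemd-resolved stub 127.0.0.53, and a Compose `dns:` list that replaces that inherited list. The selection rules it encodes (loopback nameservers are unusable from the container's network namespace; with only the resolved stub the daemon reads /run/systemd/resolve/resolv.conf instead; 8.8.8.8/8.8.4.4 are used when nothing usable remains; a `dns:` override replaces rather than merges) are my reading of the daemon's resolv.conf handling and are assumptions, as is the set of servers marked "recursive", which is operator knowledge the daemon cannot discover on its own.

```python
"""Model how a container ends up with its upstream resolvers.

Added example, not moby code. The rules below (drop loopback nameservers,
read /run/systemd/resolve/resolv.conf when the host only lists the
systemd-resolved stub 127.0.0.53, fall back to 8.8.8.8/8.8.4.4 when nothing
usable remains, let a `dns:` override replace the host list) are assumptions
about the daemon's behaviour, not a guaranteed contract.
"""
import ipaddress
from dataclasses import dataclass, field

FALLBACK_NAMESERVERS = ["8.8.8.8", "8.8.4.4"]  # assumed daemon default when nothing usable is found
SYSTEMD_STUB = "127.0.0.53"


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    options: dict = field(default_factory=dict)


def parse_resolv_conf(text):
    """Parse the subset of resolv.conf(5) that matters here: nameserver, search/domain, options."""
    rc = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' both start comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            rc.nameservers.append(args[0])
        elif key in ("search", "domain"):
            rc.search = list(args)  # the last search/domain directive wins, as in glibc
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                rc.options[name] = int(value) if value.isdigit() else (value or True)
    return rc


def usable_nameservers(rc):
    """Drop loopback addresses: inside the container's network namespace they point at nothing."""
    return [ns for ns in rc.nameservers if not ipaddress.ip_address(ns).is_loopback]


def embedded_dns_upstreams(host_rc, dns_override=None, systemd_rc=None):
    """Servers the embedded 127.0.0.11 resolver forwards non-container names to (assumed rules)."""
    if dns_override:
        return list(dns_override)  # `dns:` / --dns replaces the host-derived list; nothing is merged
    if host_rc.nameservers == [SYSTEMD_STUB] and systemd_rc is not None:
        host_rc = systemd_rc  # host uses the resolved stub: take the real upstream list instead
    return usable_nameservers(host_rc) or list(FALLBACK_NAMESERVERS)


def can_resolve_public_names(upstreams, recursive_servers):
    """True if some upstream is a server the operator knows will recurse for public names.
    The daemon cannot detect this; it is operator knowledge passed in explicitly."""
    return any(ns in recursive_servers for ns in upstreams)


# Constructed inputs modelled on the report; 10.0.0.x stands in for the redacted 10.x.x.x addresses.
HOST_RESOLV = """nameserver 127.0.0.53
search openstacklocal patrowl.local
options edns0 trust-ad
"""
SYSTEMD_RESOLV = "nameserver 10.0.0.1\nsearch openstacklocal\n"  # constructed: the cloud resolver
INTERNAL_DNS = ["10.0.0.80", "10.0.0.4"]            # authoritative only, no recursion (per the report)
RECURSIVE_SERVERS = {"10.0.0.1"} | set(FALLBACK_NAMESERVERS)  # constructed operator knowledge


def diagnose(dns_override=None, systemd_rc=None):
    """Report which upstreams a container would get and whether public names still resolve."""
    host_rc = parse_resolv_conf(HOST_RESOLV)
    upstreams = embedded_dns_upstreams(host_rc, dns_override, systemd_rc)
    return {
        "upstreams": upstreams,
        "public_ok": can_resolve_public_names(upstreams, RECURSIVE_SERVERS),
    }


if __name__ == "__main__":
    systemd = parse_resolv_conf(SYSTEMD_RESOLV)
    print("inherited from host:     ", diagnose(systemd_rc=systemd))
    print("dns: internal only:      ", diagnose(INTERNAL_DNS, systemd))
    print("dns: internal + resolver:", diagnose(INTERNAL_DNS + ["10.0.0.1"], systemd))
```

Two caveats worth keeping in mind when reading the output. First, the fallback to 8.8.8.8/8.8.4.4 means a host with a broken resolver configuration silently sends every container's external lookups to a public resolver; if that is not acceptable on your network, list your own upstreams in `dns:` or in the daemon's `daemon.json` explicitly. Second, if you do mix authoritative-only internal servers and a recursive resolver in one `dns:` list, order matters: as far as I know the embedded resolver only moves on to the next upstream after a SERVFAIL, REFUSED or timeout, so an internal server that answers NXDOMAIN for public names will still break public resolution even with a recursive resolver listed after it.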

Closed because it looks like it is stale.

bsousaa, Nov 17 '22 11:11