DNS issues with local resolver and containers on the same host

@hmarlo - Thanks for your answer. Yes, I can also see the request being processed by the containerized DNS resolver (see below); however, the response does not seem to reach the requesting instance (container):

Dec 27 11:29:49 dnsmasq[781]: query[A] heise.de from 172.20.238.1
Dec 27 11:29:50 dnsmasq[781]: forwarded heise.de to 172.20.238.2
Dec 27 11:29:50 dnsmasq[781]: dnssec-query[DS] heise.de to 172.20.238.2
Dec 27 11:29:50 dnsmasq[781]: reply heise.de is no DS
Dec 27 11:29:50 dnsmasq[781]: validation result is INSECURE
Dec 27 11:29:50 dnsmasq[781]: reply heise.de is 193.99.144.80

A possible solution (tested yesterday) might be to attach other containers to the DNS stack’s bridged network and explicitly set its gateway as DNS, but that is rather a work-around that introduces too many dependencies between otherwise unrelated containers / stacks, and I’d rather avoid that…