“nameserver 127.0.0.11” is just fine, if the dns server in the hosts /etc/resolv.conf points to a valid dns server that is able to resolve the query (in other words: if name resolution works on the host, it should do the same in the container). Sounds like something doesn’t work as suppossed in docker’s network magic. Can you tell wether your system uses nftables or iptables? See: iptables - Debian Wiki. Afaik, it needs to be iptables. I am not sure wether you need to restart the docker engine after switching to iptables.