Docker DNS server 127.0.0.11 problem

Is there some way to inspect the Docker DNS server? It’s not behaving as expected.

Two different containers running on the same server. Same network (Macvlan), with neighboring public IP addresses. Same resolv.conf:

nameserver 127.0.0.11
options ndots:0

I can ping 127.0.0.11 from both containers. But when doing a DNS request, one of them times out.

Container 1:

root@test1:/# dig @127.0.0.11 google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.11 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28557
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             250     IN      A       216.58.204.46

;; AUTHORITY SECTION:
google.com.             42304   IN      NS      ns2.google.com.
google.com.             42304   IN      NS      ns3.google.com.
google.com.             42304   IN      NS      ns1.google.com.
google.com.             42304   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         215115  IN      A       216.239.34.10
ns1.google.com.         215115  IN      A       216.239.32.10
ns4.google.com.         215115  IN      A       216.239.38.10
ns3.google.com.         215115  IN      A       216.239.36.10

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Mon Oct 30 23:02:12 UTC 2017
;; MSG SIZE  rcvd: 191

Container 2:

root@test2:/# dig @127.0.0.11 google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.11 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Querying Google's DNS servers:

root@test2:/# dig @8.8.8.8 google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49681
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       172.217.23.14

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 30 23:20:19 UTC 2017
;; MSG SIZE  rcvd: 55

Version 17.09.0-ce

Hi, has it been solved?

I think it could behave differently if those 2 containers, even being in the same IP space, are attached or not to a Docker network when starting up.

It seems that 127.0.0.11 also resolves the “local names” for connected containers. If one of your containers is connected to a Docker network and the other to another one, the DNS resolvers “phantomly appearing” at 127.0.0.11 could behave differently.

Remember that 127.0.0.11 is not a networked address, but a localhost loopback address, just like 127.0.0.1 or 127.0.0.33. So for each container, Docker maintains a separate instance of “what to see there” depending on other factors beyond the private IP address itself.

docker container inspect and docker network inspect could help at this point.

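One way to act on the suggestion above to compare inspect output, as an added example that is not part of the original posts: the script reads the JSON from `docker container inspect test1 test2` and reports which network attachments and DNS-related settings differ between the two containers. The embedded sample is constructed, and its network names, IDs and addresses are placeholders.

```python
import json
import sys

# Constructed sample shaped like `docker container inspect test1 test2` output,
# trimmed to the fields read below. Network names, IDs and IPs are placeholders.
SAMPLE = [
    {"Name": "/test1",
     "HostConfig": {"NetworkMode": "pubnet", "Dns": None,
                    "DnsOptions": None, "DnsSearch": None},
     "NetworkSettings": {"Networks": {
         "pubnet": {"NetworkID": "id-pubnet", "IPAddress": "192.0.2.10"}}}},
    {"Name": "/test2",
     "HostConfig": {"NetworkMode": "pubnet", "Dns": ["192.0.2.53"],
                    "DnsOptions": [], "DnsSearch": []},
     "NetworkSettings": {"Networks": {
         "pubnet": {"NetworkID": "id-pubnet", "IPAddress": "192.0.2.11"},
         "backend": {"NetworkID": "id-backend", "IPAddress": "198.51.100.5"}}}},
]

def dns_view(container):
    """Collect the network attachments and DNS settings of one container."""
    host = container.get("HostConfig") or {}
    nets = (container.get("NetworkSettings") or {}).get("Networks") or {}
    return {
        "network_mode": host.get("NetworkMode"),
        "networks": sorted(nets),
        "network_ids": sorted((n or {}).get("NetworkID", "") for n in nets.values()),
        "dns": host.get("Dns") or [],          # null and [] both mean "not set"
        "dns_options": host.get("DnsOptions") or [],
        "dns_search": host.get("DnsSearch") or [],
    }

def diff_dns_views(containers):
    """Return {field: (first, second)} for every field that differs."""
    if len(containers) != 2:
        raise ValueError("expected inspect output for exactly two containers")
    first, second = (dns_view(c) for c in containers)
    return {k: (first[k], second[k]) for k in first if first[k] != second[k]}

if __name__ == "__main__":
    # Pipe real inspect output in, or run with no pipe to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    names = [c.get("Name", "?").lstrip("/") for c in data]
    diffs = diff_dns_views(data)
    for field, (a, b) in diffs.items():
        print(f"{field}: {names[0]}={a!r} {names[1]}={b!r}")
    if not diffs:
        print("no difference in network attachments or DNS settings")
```

An empty result means the two containers match on these fields, so the cause lies outside what `docker container inspect` reports for them.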