How does embedded DNS work?

I am wondering how does embedded DNS work.
In container, DNS requests go to 127.0.0.11:53 which are redirected by iptables DNAT rule to an arbitrary port (which we can see with # ss -apn)
I would like to know how can docker daemon ‘trap’ these packets?
I do not succeed to understand how these packets reach docker daemon.

This is just a question for general information.

Please, nobody can explain me how it is working?