No internet connection in containers when using dnscrypt-proxy

$ docker run --rm  nicolaka/netshoot nslookup google.com localhost
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached

no, I get a timeout and I have a firewall on the host, yes!

curl: (28) Failed to connect to 192.168.1.42 port 80 after 129519 ms: Couldn't connect to server

What rule do I need to add on the host firewall to make it work?

I would go back to start and check what’s in there
:slightly_smiling_face:

I wanted to recommend running nslookup google.com localhost on the host, not in a container. It won’t work in a container. Please, try to run it on the host. If that shows you can access the dns container, the problem could be the firewall, but otherwise it may be a dnscrypt proxy configuration issue and indeed, checking what happens during build as @bluepuma77 suggested could be the next step.

I took this as reference!

sorry, from the host system:

$ nslookup google.com localhost

Server:         localhost
Address:        ::1#53

Non-authoritative answer:
Name:   google.com
...

Then I think it is probably the firewall, but I can’t tell you what rules you need to set. If I needed it I would just try some settings until it works, but it would be better playing with it in another environment on the same operating system version.

Speaking of operating system, I don’t see that we ever asked about what operating system you are using and how you installed Docker. Can you share that?

Ubuntu 22.04 and installed Docker via the official repo installation instructions

So you probably have UFW as firewall. Did you configure it or have the default config?

Default Deny on incoming connections and Allow on Outgoing

I could reproduce it by enabling ufw in my virtual machine.

This is a quote from the docker documentation:

Docker and ufw

Uncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.

When you publish a container’s ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

Edit:

I found this blogpost which seems good

so the only option is to disable UFW?
Anyway I found a possible solution: got the IP of the docker0 network on my host and used it as nameserver in /etc/resolv.conf. This way containers resolve addresses and also the rest of my system works fine in resolving addresses. I’m not sure why and whether it could be a possible definitive solution!

No. I edited my previous post to add a blogpost which describes other solutions, but using your docker gateway is good too. In your case it is the best actually :slight_smile: as long as the only problem is accessing the DNS

ok got it, thanks for your patience and help!
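The diagnosis the thread walks through (host resolver vs. container resolver, "connection refused" vs. timeout, and the docker0 address used as nameserver) as one script. This is an added example, not code from the thread or from Docker; it assumes dnscrypt-proxy listens on the host, the default docker0 bridge is in use, and nicolaka/netshoot can be pulled. The helper names and the constructed sample output are mine.

```shell
#!/bin/sh
# Added example (not code from the thread): scripts the diagnosis the thread
# walks through. Assumes dnscrypt-proxy listens on the host, Docker uses the
# default docker0 bridge, and nicolaka/netshoot is available to pull.

# Pull the host-side IPv4 address of docker0 out of `ip -4 addr show docker0`
# output; this is the address the thread's author put in /etc/resolv.conf.
docker0_ip() {
  printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Classify nslookup output the way the thread did: "refused" means something
# actively rejected the query (inside a container, localhost is the container's
# own loopback, so nothing listens there); "timeout" means packets were silently
# dropped, which is what a default-deny firewall such as ufw produces; "ok"
# means a real answer came back.
classify_lookup() {
  case "$1" in
    *"connection refused"*)                        echo refused ;;
    *"timed out"*|*"no servers could be reached"*) echo timeout ;;
    *"Non-authoritative answer"*|*"Name:"*)        echo ok ;;
    *)                                             echo unknown ;;
  esac
}

# Run the three checks from the thread: host resolver, container resolver
# pointed at docker0, and whether ufw is active. Needs root for `ufw status`.
diagnose() {
  host_out=$(nslookup google.com 127.0.0.1 2>&1)
  echo "host -> 127.0.0.1:53 : $(classify_lookup "$host_out")"
  gw=$(docker0_ip "$(ip -4 addr show docker0)")
  ctr_out=$(docker run --rm nicolaka/netshoot nslookup google.com "$gw" 2>&1)
  echo "container -> $gw:53 : $(classify_lookup "$ctr_out")"
  if command -v ufw >/dev/null 2>&1; then ufw status | head -n 1; fi
}

# Only touch the live system when asked to, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Run it as `sh diagnose.sh --run` on the host; a "refused" from the container against the docker0 address means nothing listens there, a "timeout" points at the firewall, matching the two failure shapes seen in the thread.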