Ubuntu container ignores all but one nameserver

Hi everyone,

I have trouble fixing a bug in our small company Docker setup (let’s call it mycompany for the rest of this post :), with the domain name mycompany.tld).
We work a lot with an Ubuntu:18.04 image, and since the pandemic we do a lot of remote work as well.
When at home, I have a local DNS server provided by my router. Its address is 192.168.1.1.
When I’m connected to the company network through VPN, my host gets configured with an additional VPN, at address 192.168.50.10.

On the host

At this point, my /etc/resolv.conf looks like this

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search home local.mycompany.tld

And the resolvectl output

❯ resolvectl | cat
Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 44 (veth089b8a7)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 8 (tun0)
      Current Scopes: DNS                 
DefaultRoute setting: yes                 
       LLMNR setting: yes                 
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
  Current DNS Server: 192.168.50.10       
         DNS Servers: 192.168.50.10       
          DNS Domain: local.mycompany.tld

Link 4 (docker0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 3 (wlp0s20f3)
      Current Scopes: DNS                                   
DefaultRoute setting: yes                                   
       LLMNR setting: yes                                   
MulticastDNS setting: no                                    
  DNSOverTLS setting: no                                    
      DNSSEC setting: no                                    
    DNSSEC supported: no                                    
  Current DNS Server: 192.168.1.1                           
         DNS Servers: 192.168.1.1                           
                      aaaa::aaaa 
                      aaaa::aaaa           
          DNS Domain: ~.                                    
                      home                                  

Link 2 (enp0s31f6)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no 

In the above extract, you see my WiFi network as link 3, and the VPN in Link 1. I masked the IPv6 addresses for anonymity.

Resolvectl is aware of both nameservers, and dnsmasq (if I understood properly) takes care of properly resolving both global and internal domains.

In the container

Let’s get into a container with

docker run -it --rm ubuntu:18.04 /bin/bash

And try some resolutions

root@b3909ed06679:/# apt update
...
root@b3909ed06679:/# apt install dnsutils
...
root@b3909ed06679:/# nslookup google.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.206.238
Name:	google.com
Address: 2a00:1450:4007:809::200e

root@b3909ed06679:/# nslookup gitlab.local.mycompany.tld
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find gitlab.local.wandercraft.eu: NXDOMAIN

I can’t resolve company-local domains! Global websites are resolved fine though.

What bothers me is the container’s /etc/resolv.conf:

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 192.168.1.1
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.50.10
search home local.mycompany.tld

In fact it seems that the second DNS entry is ignored. In practice, all scripts involving the local site fail.

Found workaround
I found out that deleting the first nameserver entry fixes my problem. But now my company DNS is used for every request, which is not optimal. And I have to do that every time.

I can also manually set the container DNS with --dns, or with /etc/docker/daemon.json, but the setup will break every time our DNS changes. And I’m still using the company DNS for every request.

So I’m left with the question:

Is there a way to make the container handle two DNS nameservers together?

Thanks in advance for your pointers! Have a nice day!

Additional info

Host PC:

  • Ubuntu 20.04 LTS, fully updated
  • Docker version 19.03.12, build 48a66213fe

I could reproduce the problem with the ubuntu:18.04 and ubuntu:20.04 images.

In /etc/resolv.conf, all DNS servers need to be able to resolve all addresses. If you want to use a special DNS server for particular domains then you need to use a DNS forwarder that can be configured.

Your host uses systemd-resolved, which is a configurable forwarder.

But apparently the systemd-resolved forwarder isn’t used with Docker's default bridge. I usually use user-configured networks, in which case it uses a 127.0.0.x name server which I guess uses the host resolver. I think you should do the same and configure systemd-resolved appropriately to allow forwarding of the company domain via the VPN DNS.
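An added example, not part of the thread, that checks a resolv.conf for the trap the reply describes: glibc's stub resolver sends every query to the first listed server, only moves to the next one after a timeout or error (an NXDOMAIN is a final answer), and uses at most three entries (MAXNS). The sample files are constructed inline from the container's resolv.conf above, with stand-in IPv6 addresses for the masked ones.

```shell
#!/bin/sh
# Constructed audit helper (not from the thread). Assumes glibc resolver
# semantics: entries tried in listed order, later entries only used after a
# timeout/SERVFAIL, NXDOMAIN is final, and only the first MAXNS=3 are used.

# count_ns FILE: number of nameserver entries listed.
count_ns() { awk '$1=="nameserver"{n++} END{print n+0}' "$1"; }

# primary_ns FILE: the server every query is sent to first; because NXDOMAIN
# is an answer, it alone decides the fate of names it does not know.
primary_ns() { awk '$1=="nameserver"{print $2; exit}' "$1"; }

# ignored_ns FILE: entries past glibc's MAXNS (3), never consulted at all.
ignored_ns() { awk '$1=="nameserver"{n++; if (n>3) print $2}' "$1"; }

# write_container_sample FILE: the container's resolv.conf from the post.
write_container_sample() {
cat > "$1" <<'EOF'
nameserver 192.168.1.1
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.50.10
search home local.mycompany.tld
EOF
}

# write_host_sample FILE: constructed uplink list with two IPv6 servers still
# present (documentation-prefix stand-ins), to show the MAXNS cut-off.
write_host_sample() {
cat > "$1" <<'EOF'
nameserver 192.168.1.1
nameserver 2001:db8::1
nameserver 2001:db8::2
nameserver 192.168.50.10
search home local.mycompany.tld
EOF
}

# report FILE: print the verdict for one file.
report() {
  f=$1; n=$(count_ns "$f")
  echo "== $f: $n nameserver(s) listed, glibc uses at most 3"
  echo "   every query goes first to $(primary_ns "$f")"
  [ "$n" -gt 1 ] && echo "   WARNING: other entries are timeout fallbacks only; an NXDOMAIN from the first is final"
  for s in $(ignored_ns "$f"); do echo "   IGNORED (beyond MAXNS): $s"; done
  return 0
}

tmp=${TMPDIR:-/tmp}/resolv-audit.$$
write_container_sample "$tmp.container"; write_host_sample "$tmp.host"
report "$tmp.container"; report "$tmp.host"
rm -f "$tmp.container" "$tmp.host"
```

Run it against a container's real /etc/resolv.conf with `report /path/to/resolv.conf` to see which server decides company-local names there; a single nameserver that can answer everything (or the host's forwarder, as the reply suggests) is the only configuration that avoids the warning.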