Hi everyone,
I have trouble fixing a bug in our small company docker setup (let's call it mycompany for the rest of this post :), with the domain name `mycompany.tld`).
We work a lot with an `ubuntu:18.04` image, and since the pandemic we do a lot of remote work as well.
When at home, I have a local DNS server provided by my router. Its address is 192.168.1.1.
When I'm connected to the company network through VPN, my host gets configured with an additional VPN, at address 192.168.50.10.
On the host
At this point, my `/etc/resolv.conf` looks like this:
```
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
search home local.mycompany.tld
```
And the `resolvectl` output:
```
❯ resolvectl | cat
Global
       LLMNR setting: no
  MulticastDNS setting: no
    DNSOverTLS setting: no
        DNSSEC setting: no
      DNSSEC supported: no
            DNSSEC NTA: 10.in-addr.arpa
                        16.172.in-addr.arpa
                        168.192.in-addr.arpa
                        17.172.in-addr.arpa
                        18.172.in-addr.arpa
                        19.172.in-addr.arpa
                        20.172.in-addr.arpa
                        21.172.in-addr.arpa
                        22.172.in-addr.arpa
                        23.172.in-addr.arpa
                        24.172.in-addr.arpa
                        25.172.in-addr.arpa
                        26.172.in-addr.arpa
                        27.172.in-addr.arpa
                        28.172.in-addr.arpa
                        29.172.in-addr.arpa
                        30.172.in-addr.arpa
                        31.172.in-addr.arpa
                        corp
                        d.f.ip6.arpa
                        home
                        internal
                        intranet
                        lan
                        local
                        private
                        test

Link 44 (veth089b8a7)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 8 (tun0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.50.10
         DNS Servers: 192.168.50.10
          DNS Domain: local.mycompany.tld

Link 4 (docker0)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 3 (wlp0s20f3)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.1.1
         DNS Servers: 192.168.1.1
                      aaaa::aaaa
                      aaaa::aaaa
          DNS Domain: ~.
                      home

Link 2 (enp0s31f6)
      Current Scopes: none
DefaultRoute setting: no
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
```
In the above extract, you see my WiFi network as link 3, and the VPN in Link 1. I masked the IPv6 addresses for anonymity.
`resolvectl` is aware of both nameservers, and dnsmasq (if I understood properly) takes care of properly resolving both global and internal domains.
In the container
Let's get into a container with
```
docker run -it --rm ubuntu:18.04 /bin/bash
```
And try some resolutions:
```
root@b3909ed06679:/# apt update
...
root@b3909ed06679:/# apt install dnsutils
...
root@b3909ed06679:/# nslookup google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.206.238
Name:   google.com
Address: 2a00:1450:4007:809::200e

root@b3909ed06679:/# nslookup gitlab.local.mycompany.tld
Server:         192.168.1.1
Address:        192.168.1.1#53

** server can't find gitlab.local.wandercraft.eu: NXDOMAIN
```
I can't resolve company-local domains! Global websites are resolved fine, though.
What bothers me is the container's `/etc/resolv.conf`:
```
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 192.168.1.1
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.50.10
search home local.mycompany.tld
```
In fact it seems that the second DNS entry is ignored. In practice, all scripts involving the local site fail.
Found workaround
I found out that deleting the first `nameserver` entry fixes my problem. But now my company DNS is used for every request, which is not optimal. And I have to do that every time.
I can also manually set the container DNS with `--dns`, or with `/etc/docker/daemon.json`, but the setup will break every time our DNS changes. And I'm still using the company DNS for every request.
So I'm left with the question:
Is there a way to make the container handle two DNS nameservers together?
Thanks in advance for your pointers! Have a nice day!
Additional info
Host PC:
- ubuntu 20.04 LTS, well updated
- Docker version 19.03.12, build 48a66213fe
I could reproduce the problem with the `ubuntu:18.04` and `ubuntu:20.04` images.
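A way to see why the second `nameserver` line never helps, as an added example that is not part of the original post: a small Python model of the glibc stub-resolver rules from resolv.conf(5) (servers tried in listed order, at most three honoured, an NXDOMAIN answer ends the lookup, the next server is only consulted when a server does not answer), run over the container's resolv.conf quoted above. The answer tables, the `10.0.0.5` address and the reachability map are constructed stand-ins; no DNS traffic is sent.

```python
"""Model of how glibc's stub resolver walks a container's /etc/resolv.conf.
Added illustration only (not the poster's code); servers are constructed."""

MAXNS = 3  # glibc honours at most three nameserver lines (resolv.conf(5))

# The container's resolv.conf from the post, comments included.
CONTAINER_RESOLV = """# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 192.168.1.1
# Too many DNS servers configured, the following entries may be ignored.
nameserver 192.168.50.10
search home local.mycompany.tld
"""

# Constructed answer tables: an address, or a missing key meaning NXDOMAIN.
HOME_ROUTER = {"google.com": "216.58.206.238"}
COMPANY_DNS = {"google.com": "216.58.206.238",
               "gitlab.local.mycompany.tld": "10.0.0.5"}  # constructed address
SERVERS = {"192.168.1.1": HOME_ROUTER, "192.168.50.10": COMPANY_DNS}


def parse_resolv_conf(text):
    """Return (nameservers, search_domains); comments are ignored."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "search":
            search = args  # the last search line wins
    return nameservers[:MAXNS], search


def resolve(name, resolv_conf, reachable=SERVERS):
    """Stub-resolver walk. A definite NXDOMAIN is final for that candidate
    name; the next nameserver is tried only when the current one is unreachable."""
    nameservers, search = parse_resolv_conf(resolv_conf)
    suffixed = [f"{name}.{d}" for d in search]
    # ndots default 1: dotted names are tried as-is first, bare names last.
    candidates = [name] + suffixed if "." in name else suffixed + [name]
    for fqdn in candidates:
        for ns in nameservers:
            table = reachable.get(ns)
            if table is None:
                continue  # no answer from this server: rotate to the next one
            if fqdn in table:
                return table[fqdn]
            break  # NXDOMAIN from the first reachable server ends this lookup
    return None
```

With the home router listed first, the company-only name fails even though 192.168.50.10 is in the file, and the poster's workaround (keeping only the company server) succeeds; the model also shows that the second server is reached only when the first does not respond.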