Windows Container running with process isolation receives no DNS server address

Docker Desktop
1

Hello All,

Using Docker Desktop v4.34.2 on Windows 11. My container image is built on top of Microsoft Server Core (ltsc2022). When I launch my container using the following run command (specifically using process isolation), I get no DNS address assigned inside the container:

docker run -it --entrypoint cmd --network nat --isolation=process <my-image-name>

Running ipconfig/all from within the container returns:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 85078ebf23d2
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter vEthernet (Ethernet):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Container Adapter
   Physical Address. . . . . . . . . : 00-15-5D-68-BB-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7d6d:7518:5103:63d2%54(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.177.153(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.176.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

If I try an nslookup from inside the container I get no address resolution, eg:

C:\mydir>nslookup "www.google.com"
*** Default servers are not available
Server:  UnKnown
Address:  127.0.0.1

*** UnKnown can't find www.google.com: No response from server

If I specify a DNS server address manually to nslookup (inside the container) I get a response (so clearly the IP routing is working):

C:\mydir>nslookup "www.google.com" 192.168.176.1
Server:  UnKnown
Address:  192.168.176.1

Non-authoritative answer:
Name:    www.google.com
Addresses:  2404:6800:4015:802::2004
          142.250.70.196

When I try the same docker run operation without the “–isolation=process” parameter (ie. Hyper-V isolation) the launched container has a DNS server address assigned, per output below:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 526fd9d724ad
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : REDACTEDx.REDACTEDy.com.au

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : REDACTEDx.REDACTEDy.com.au
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-68-BD-61
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::58a0:1c7e:b7f:3753%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.191.18(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.176.1
   DHCPv6 IAID . . . . . . . . . . . : 67114333
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-8B-CC-13-00-15-5D-68-BD-61
   DNS Servers . . . . . . . . . . . : 192.168.176.1
                                       172.17.0.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

I have tried to work around this issue by forcibly setting the DNS Server Address using Set-DNSClientServerAddress in powershell (within the container), but the address fails to “stick”, and remains empty when checked with Get-DNSClientServerAddress.

Does anyone have any ideas on how to resolve?

Many thanks for your assistance.

2

Which image did you try? Can you reproduce it with any image that I could try too?

On Linux, the isolation mode is always like the process isolation on Windows, except when you change the runtime. The DNS server is the same that was configured on the host, but depending on how the container is started, it could require changing the configuration on the host. I have no experience about it on Windows, but that 127.0.0.1 doesn’t look good in the output of nslookup.

Have you changed your DNS settings on the Windows host? If you for example had a DNS a custom DNS server, for example because you use the same machine as a DNS server and the DNs resolution would work with the loopback IP, if that config is used in the container similarly to how Linux containers work, the container will not have any DNS server in its own network namespace.

3

No, I have not changed the DNS settings on my host, and my host is a development box (Windows Professional 11), with no DNS server running directly on it. Our “corporate” DNS server is on a separate box.

If you want to try reproduce it, you’ll need to use Windows and spin up a container using:

docker run -it --rm --isolation=process mcr.microsoft.com/windows/servercore:ltsc2022

(This requires the Windows Docker Engine to be running when you do the above, not the WSL/Linux one).

4

Fortunately I’m not that unfamiliar with Windows containers :slight_smile: but I appriciate the precise instructions. I wanted to make sure I use the same image, so didn’t pull another large image. I tried with the hyperv isolation and also with process isolation. DNS didn’t work for me with any of the isolation methods, but the Address in the output of nslookup was never 127.0.0.1 so we could have different issues. I don’t have mor time to test it at the moment.

5

Just an update: I asked a colleague to try the same arrangement using the Windows Server Core base image and process isolation, and it works correctly on his machine. Both on same corporate network, same hardware, same operating system, same anti-virus, same Docker Desktop version, but they are not “identical”. in terms of installed software etc.