dns-proxy-server: Breaks DNS resolution within containers

What is Happening

Without DPS:

% docker run --rm -it alpine nslookup docker.io
[…]

Non-authoritative answer:
Name:   docker.io
Address: 34.206.129.162
Name:   docker.io
Address: 54.145.113.149
[…]
% docker run --rm -it alpine getent hosts docker.io
54.145.113.149    docker.io  docker.io
[…]
% docker run --rm -it debian getent hosts docker.io
52.87.84.72     docker.io
[…]

While DPS is running (wait a few seconds):

% docker run --rm -it alpine nslookup docker.io
nslookup: bad address '172.24.0.2 # dps-entry'
% time docker run --rm -it alpine getent hosts docker.io || echo failed with $?
docker run --rm -it alpine getent hosts docker.io  0,03s user 0,02s system 0% cpu 10,803 total
failed with 2
% time docker run --rm -it debian getent hosts docker.io || echo failed with $?
docker run --rm -it debian getent hosts docker.io  0,02s user 0,03s system 0% cpu 40,797 total
failed with 2

As soon as I quit DPS, containers can resolve hosts again.

What is expected

DNS resolution should work fine in containers regardless of DPS being run.

Steps to Reproduce

  • I’m using this docker-compose.yml to run DPS:
version: '3'
services:
  dns:
    image: defreitas/dns-proxy-server
    hostname: dns.mageddo
    environment:
      - MG_REGISTER_CONTAINER_NAMES=1
      - MG_RESOLVCONF=/host/etc/resolv.conf
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      #- /etc/resolv.conf:/etc/resolv.conf
      # this is because some app on host will periodically overwrite resolve.conf
      - /etc:/host/etc
  • Then, docker run --rm -it alpine nslookup docker.io should expose the problem

Specs:

  • OS: Debian stable
  • Docker Version: 20.10.5+dfsg1
  • DPS Version: 2.19.0

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 15 (10 by maintainers)

Most upvoted comments

I’ve found the problem … we should start DNS Proxy within the same Network as any Service that wants to reach the DNS Proxy 😉

Create a new Network: docker network create foobar

Start DPS within the Network:

docker run \
--rm \
--network=foobar \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/resolv.conf:/etc/resolv.conf \
defreitas/dns-proxy-server

Test within the Network: docker run --rm --network=foobar -it alpine nslookup docker.io

Result:

Server:		127.0.0.11
Address:	127.0.0.11:53

Non-authoritative answer:
Name:	docker.io
Address: 18.210.197.188
Name:	docker.io
Address: 3.228.146.75
Name:	docker.io
Address: 18.206.20.10

Non-authoritative answer:
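
A diagnostic for the mismatch described in the report and in the comment above, added here as an example and not DPS's own code: it parses a resolv.conf as DPS rewrites it and checks, against `docker inspect`-style network data, whether a container can reach each nameserver. The network names, subnets and the 192.168.1.1 resolver are constructed samples; only 172.24.0.2, the `# dps-entry` marker and 127.0.0.11 come from the issue.

```python
import ipaddress

# Constructed sample: the host /etc/resolv.conf after DPS has inserted itself.
# Containers on Docker's default "bridge" network inherit this file verbatim.
RESOLV_CONF = """\
nameserver 172.24.0.2 # dps-entry
nameserver 192.168.1.1
"""
# Constructed sample: networks the container is attached to ("Networks" in
# `docker inspect`; a plain `docker run` lands on "bridge").
CONTAINER_NETWORKS = ["bridge"]
# Constructed sample: subnets per network, as `docker network inspect` shows.
# "dns_default" stands for the compose project network DPS was started on.
NETWORK_SUBNETS = {
    "dns_default": ["172.24.0.0/16"],
    "bridge": ["172.17.0.0/16"],
    "foobar": ["172.25.0.0/16"],
}

def parse_nameservers(text):
    """Return [(address, is_dps_entry)]; only the first token after `nameserver`
    counts, so the `# dps-entry` suffix that busybox nslookup reported as a bad
    address above becomes a flag rather than part of the address."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            found.append((fields[1], "dps-entry" in raw))
    return found

def check_resolver_reachability(resolv_text, container_networks, network_subnets):
    """Classify each nameserver from the container's point of view."""
    subnets = {n: [ipaddress.ip_network(s) for s in nets] for n, nets in network_subnets.items()}
    attached = [net for n in container_networks for net in subnets.get(n, [])]
    report = {}
    for address, _ in parse_nameservers(resolv_text):
        ip = ipaddress.ip_address(address)
        if ip.is_loopback:
            report[address] = "loopback"              # e.g. 127.0.0.11, Docker's embedded DNS
        elif any(ip in net for net in attached):
            report[address] = "reachable"             # same Docker network as the container
        elif any(ip in net for nets in subnets.values() for net in nets):
            report[address] = "other-docker-network"  # the failure mode on this page
        else:
            report[address] = "external"              # routed via the host, e.g. the LAN resolver
    return report
```

Running it with the container on "bridge" flags 172.24.0.2 as living on another Docker network; attaching the container to "dns_default" (the maintainer's "same network" advice) turns it into "reachable".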

The feature is alive at DPS 3.4, please check it out and give me feedback if possible. See #321 for some instructions on how to use it, I will update the docs later.

I’m using the following command:

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v /etc/systemd/:/host/etc/systemd --network host \
defreitas/dns-proxy-server:3.4.0-beta