I have a Docker container that uses the host network, and when I run the container it takes the same resolv.conf as the host machine.
docker run -ti --network host ubuntu:18.04 /bin/bash
I have configured a VPN interface on my host that uses an additional DNS server, 10.10.0.5, and one search domain, myvpndomain.com, that is resolved through that DNS server.
The problem is that when I start the container without being connected to the VPN, it takes my usual /etc/resolv.conf. Once the container is started, if I turn on my VPN interface I can see all machines on the VPN network, including the VPN's DNS server 10.10.0.5 (I can ping it), but the DNS resolution configuration doesn't get updated automatically from the host; I need to restart the container to get the new DNS configuration.
DNS configuration on the host machine after connecting to the VPN:
cat /etc/resolv.conf
search myvpndomain.com
nameserver 10.10.0.5
nameserver 80.58.61.250
nameserver 80.58.61.254
DNS configuration inside the container after connecting to the VPN:
cat /etc/resolv.conf
nameserver 80.58.61.250
nameserver 80.58.61.254
To update the DNS configuration after connecting my VPN I have tried two solutions so far:
1) Adding a bind mount of the host's /etc/resolv.conf into the container (-v /etc/resolv.conf:/etc/resolv.conf on the run command), but it does not work. I don't know why, but even after updating the host's resolv.conf, the mounted resolv.conf in the container does not update.
2) Adding --dns 127.0.0.53 --dns-search myvpndomain.com to the run command. This works well, as it uses systemd-resolved and also adds the required search domain, but I would prefer not to rely on systemd-resolved to accomplish this.
Do you know a cleaner solution that does not involve using systemd-resolved?
Maybe use Docker's internal DNS 127.0.0.11 + dnsmasq?
PS: It is mandatory for the container to use the host network (--network host).
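Why attempt 1 (the bind mount) stays stale: a bind mount of a single file is pinned to the inode that existed at docker run time, and resolver managers such as resolvconf and systemd-resolved commonly update /etc/resolv.conf atomically (write a temporary file, then rename it over the old one), so the container keeps reading the orphaned old inode. The following Python script is an added illustration, not code from the question or any answer; it needs no Docker and stands in for the bind mount with an open file descriptor. BEFORE_VPN and AFTER_VPN are constructed from the resolv.conf contents shown in the question.

```python
"""Why a bind mount of /etc/resolv.conf can stop following the host file.

Added illustration for the question above (not code from the question or
its answers). A bind mount of a single file pins the inode that existed at
`docker run` time; this script stands in for that mount with an open file
descriptor and compares the two ways a resolver manager can rewrite the file.
"""
import os
import tempfile

# Constructed from the resolv.conf contents shown in the question.
BEFORE_VPN = "nameserver 80.58.61.250\nnameserver 80.58.61.254\n"
AFTER_VPN = "search myvpndomain.com\nnameserver 10.10.0.5\n" + BEFORE_VPN


def rewrite_in_place(path, content):
    """Truncate and overwrite the existing inode (what `echo ... > file` does)."""
    with open(path, "w") as f:
        f.write(content)


def rewrite_atomically(path, content):
    """Write a temporary file, then rename it over the path.

    The path now points at a new inode; the old one survives only as long as
    something still holds it open. This is the pattern used by tools that
    never want readers to see a half-written file.
    """
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(content)
    os.replace(tmp, path)


def read_via_descriptor(fd):
    """Read through an already-open descriptor, i.e. the pinned inode."""
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, 1 << 16).decode()


def simulate(rewriter):
    """Return (what the host sees, what the 'mounted' reader sees) after the
    file has been updated with `rewriter`."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "resolv.conf")
        rewrite_in_place(path, BEFORE_VPN)
        fd = os.open(path, os.O_RDONLY)      # the "bind mount" is taken here
        try:
            rewriter(path, AFTER_VPN)         # the VPN comes up on the host
            with open(path) as f:
                host_view = f.read()
            mounted_view = read_via_descriptor(fd)
        finally:
            os.close(fd)
    return host_view, mounted_view


if __name__ == "__main__":
    for label, rewriter in (("in-place", rewrite_in_place),
                            ("rename", rewrite_atomically)):
        host, mounted = simulate(rewriter)
        print(f"{label:8s} host sees new config: {host == AFTER_VPN}, "
              f"mounted reader sees new config: {mounted == AFTER_VPN}")
```

Run it and compare the two results: the in-place rewrite is visible through the pinned descriptor, the atomic replacement is not. A bind mount of the directory that contains the file does follow renames inside it, but mounting all of /etc into a container is rarely acceptable, which is why the answers on this page move the resolver to a stable, non-loopback address instead of trying to track the file.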
My machine is on a private network with private DNS servers, and a private zone for DNS resolution. I can resolve hosts on this zone from my host machine, but I cannot resolve them from containers running on my host machine.
Host:
root@host:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
root@host:~# ping privatedomain.io
PING privatedomain.io (192.168.0.101) 56(84) bytes of data.
Container:
root@container:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 8.8.4.4
root@container:~# ping privatedomain.io
ping: unknown host privatedomain.io
It's fairly obvious that Google's public DNS servers won't resolve my private DNS requests. I know I can force it with docker --dns 192.168.0.1, or set DOCKER_OPTS="--dns 192.168.0.1" in /etc/default/docker, but my laptop frequently switches networks. It seems like there should be a systematic way of solving this problem.
Docker populates /etc/resolv.conf by copying the host's /etc/resolv.conf, and filtering out any local nameservers such as 127.0.1.1. If there are no nameservers left after that, Docker will add Google's public DNS servers (8.8.8.8 and 8.8.4.4).
According to the Docker documentation:
Note: If you need access to a host’s localhost resolver, you must modify your DNS service on the host to listen on a non-localhost address that is reachable from within the container.
The DNS service on the host is dnsmasq, so if you make dnsmasq listen on your docker IP and add that to resolv.conf, docker will configure the containers to use that as the nameserver.
1. Create/edit /etc/dnsmasq.conf† and add these lines:
interface=lo
interface=docker0
2. Find your docker IP (in this case, 172.17.0.1):
root@host:~# ifconfig | grep -A2 docker0
docker0 Link encap:Ethernet HWaddr 02:42:bb:b4:4a:50
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
3. Create/edit /etc/resolvconf/resolv.conf.d/tail and add this line:
nameserver 172.17.0.1
4. Restart networking, update resolv.conf, restart docker:
sudo service network-manager restart
sudo resolvconf -u
sudo service docker restart
Your containers will now be able to resolve DNS from whatever DNS servers the host machine is using.
† The path may be /etc/dnsmasq.conf, /etc/dnsmasq.conf.d/docker.conf, /etc/NetworkManager/dnsmasq.conf, or /etc/NetworkManager/dnsmasq.d/docker.conf depending on your system and personal preferences.
For Ubuntu 18.04, and other systems that use systemd-resolved, it may be necessary to install dnsmasq and resolvconf. systemd-resolved is hard-coded to listen on 127.0.0.53, and Docker filters out any loopback address when reading resolv.conf.
1. Install dnsmasq and resolvconf:
sudo apt update
sudo apt install dnsmasq resolvconf
2. Find your docker IP (in this case, 172.17.0.1):
root@host:~# ifconfig | grep -A2 docker0
docker0 Link encap:Ethernet HWaddr 02:42:bb:b4:4a:50
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
3. Edit /etc/dnsmasq.conf and add these lines:
interface=docker0
bind-interfaces
listen-address=172.17.0.1
4. Create/edit /etc/resolvconf/resolv.conf.d/tail and add this line:
nameserver 172.17.0.1
5. Restart networking, update resolv.conf, restart docker:
sudo service network-manager restart
sudo resolvconf -u
sudo service dnsmasq restart
sudo service docker restart
Your containers will now be able to resolve DNS from whatever DNS servers the host machine is using.
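To make the filtering rule described in this answer concrete, here is an added Python re-implementation of it (a simplification written for this page, not Docker's own code): read the host's resolv.conf, drop loopback nameservers, and fall back to Google's public resolvers when nothing usable is left. The IPv6 handling (ignoring IPv6 nameservers unless IPv6 is enabled, and adding Google's IPv6 resolvers when it is) is an assumption that goes a little beyond what this answer states; the IPv6 fallback addresses are the ones a later post on this page shows in its dockerd log. The sample resolv.conf contents are constructed from files shown on this page.

```python
"""How Docker derives a bridge-network container's resolv.conf from the host's.

Added example re-implementing the rule the answer above describes; it is a
simplification, not Docker's own code. Loopback nameservers are dropped
(inside the container they would point at the container's own loopback), and
Google's public resolvers are used when nothing usable remains.
"""
import ipaddress

DEFAULT_IPV4 = ["8.8.8.8", "8.8.4.4"]
# Assumption about Docker, beyond this answer: these are the IPv6 defaults
# shown in the dockerd log quoted in a later post on this page.
DEFAULT_IPV6 = ["2001:4860:4860::8888", "2001:4860:4860::8844"]

# Constructed from resolv.conf files shown on this page.
HOST_SYSTEMD_RESOLVED = "nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch fritz.box\n"
HOST_WITH_DNSMASQ = (
    "# systemd-resolved name server\nnameserver 127.0.0.53\n"
    "# docker host ip\nnameserver 172.17.0.1\n"
)
HOST_ON_VPN = (
    "search myvpndomain.com\nnameserver 10.10.0.5\n"
    "nameserver 80.58.61.250\nnameserver 80.58.61.254\n"
)


def parse_resolv_conf(text):
    """Split resolv.conf into (nameserver addresses, other directives), in order.
    Comments and blank lines are discarded."""
    nameservers, other = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        else:
            other.append(line)  # search, domain, options, ...
    return nameservers, other


def container_view(host_text, ipv6_enabled=False):
    """Return (nameservers, other directives) a default-bridge container gets."""
    nameservers, other = parse_resolv_conf(host_text)
    kept = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            continue              # not an address; treated as unusable here
        if addr.is_loopback:      # 127.0.0.0/8 and ::1: unreachable from a container
            continue
        if addr.version == 6 and not ipv6_enabled:
            continue              # assumption: IPv6 servers need IPv6 enabled
        kept.append(ns)
    if not kept:
        kept = list(DEFAULT_IPV4) + (list(DEFAULT_IPV6) if ipv6_enabled else [])
    return kept, other


def render(nameservers, other):
    """Serialize as resolv.conf text (nameservers first; the ordering is ours)."""
    return "\n".join([f"nameserver {ns}" for ns in nameservers] + other) + "\n"


if __name__ == "__main__":
    for label, text in (("systemd-resolved only", HOST_SYSTEMD_RESOLVED),
                        ("with dnsmasq on docker0", HOST_WITH_DNSMASQ),
                        ("VPN up", HOST_ON_VPN)):
        print(f"--- host: {label}")
        print(render(*container_view(text)), end="")
```

The three samples show the three situations on this page: a host that only lists 127.0.0.53 ends up with 8.8.8.8 and 8.8.4.4 in the container (and then fails on a network that blocks public DNS), a host that also lists the dnsmasq address on docker0 keeps that one, and a VPN host whose nameservers are all routable is copied as is. Before restarting Docker, feeding your own /etc/resolv.conf through container_view tells you what the container will get.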
As you know, Docker copies the host's /etc/resolv.conf file to containers but removes any local nameserver.
My solution to this problem is to keep using systemd-resolved and NetworkManager, but add dnsmasq and use it to "forward" Docker containers' DNS queries to systemd-resolved.
Step by step guide:
Make /etc/resolv.conf a "real" file
sudo rm /etc/resolv.conf
sudo touch /etc/resolv.conf
Create the file /etc/NetworkManager/conf.d/systemd-resolved-for-docker.conf to tell NetworkManager to inform systemd-resolved but not to touch /etc/resolv.conf:
[main]
# NetworkManager will push the DNS configuration to systemd-resolved
dns=systemd-resolved
# NetworkManager won’t ever write anything to /etc/resolv.conf
rc-manager=unmanaged
Install dnsmasq
sudo apt-get -y install dnsmasq
Configure dnsmasq in /etc/dnsmasq.conf to listen for DNS queries coming from Docker and use the systemd-resolved name server:
# Use interface docker0
interface=docker0
# Explicitly specify the address to listen on
listen-address=172.17.0.1
# Looks like the docker0 interface is not available when the dnsmasq service starts, so it fails. This option makes dynamically created interfaces work in the same way as the default.
bind-dynamic
# Set systemd-resolved DNS server
server=127.0.0.53
Edit /etc/resolv.conf to use the systemd-resolved nameserver (127.0.0.53) and the host IP (172.17.0.1) on the Docker network:
# systemd-resolved name server
nameserver 127.0.0.53
# docker host ip
nameserver 172.17.0.1
Restart services
sudo service network-manager restart
sudo service dnsmasq restart
sudo service docker restart
For more info see my post (in Spanish): https://rubensa.wordpress.com/2020/02/07/docker-no-usa-los-mismos-dns-que-el-host/
I had problems with the DNS resolver in our docker containers. I tried a lot of different things, and in the end I just figured out that my CentOS VPS at Hostgator didn't have NetworkManager-tui (nmtui) installed by default; I just installed it and rebooted.
sudo yum install NetworkManager-tui
And I reconfigured my resolv.conf with the default DNS 8.8.8.8:
nano /etc/resolv.conf
My case, with many images from Docker Hub (nodered, syncthing and others):
the container is running under a non-root user
/etc/resolv.conf inside the container has permissions 600 and is owned by root
So my solution is very simple:
root@container:~# chmod 644 /etc/resolv.conf
Profit! :))
If you are using a VPN, the VPN protocol might be adding data to outbound packets that pushes them beyond the configured MTU on your private network.
A typical MTU is 1500.
Try adding this content to /etc/docker/daemon.json:
{
"mtu": 1300,
"dns": ["<whatever DNS server you need in your private network>"]
}
Then run systemctl restart docker.
I have the same error message in my systemctl status docker.
I run a Nextcloud and a Nextcloud nginx proxy container and used docker compose to install them. It worked for multiple months without big hiccups, but on Friday it wasn't accessible. The server had shut down.
I restarted it; my icecast2 instance is working fine and was used this Sunday for the service in our church. But the docker containers are gone. docker ps -a doesn't show any, and I can't access the Nextcloud via docker exec like I normally would. And I have the error message:
No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Feb 06 19:04:58 ncxxxxxxxxx dockerd[21551]: time="2022-02-06T19:04:58.894366765Z" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
My /etc/resolv.conf looks like this:
nameserver 127.0.0.53
options edns0 trust-ad
search fritz.box
Based on the answer from @rubensa, but simpler and more integrated IMHO:
Install dnsmasq
sudo apt-get -y install dnsmasq
Configure dnsmasq in /etc/dnsmasq.d/docker-dns-fix.conf to listen for DNS queries coming from Docker and use the systemd-resolved name server:
# Use interface docker0
interface=docker0
# Explicitly specify the address to listen on
listen-address=172.17.0.1
# Looks like the docker0 interface is not available when the dnsmasq service starts, so it fails. This option makes dynamically created interfaces work in the same way as the default.
bind-dynamic
# Set systemd-resolved DNS server
server=127.0.0.53
Tell Docker to use dnsmasq by editing/creating /etc/docker/daemon.json:
{
"dns": ["172.17.0.1"]
}
Restart services
sudo service dnsmasq restart
sudo service docker restart
This was enough for Ubuntu 18.04 LTS:
sudo service network-manager restart
sudo resolvconf -u
sudo service dnsmasq restart
sudo service docker restart
I've been trying to run docker build on various files which previously worked, and which are now no longer working.
As soon as the Dockerfile included any line that installed software, it would fail with a message saying that the package was not found.
RUN apt-get -y install supervisor nodejs npm
The common message which showed up in the logs was:
Could not resolve 'archive.ubuntu.com'
Any idea why any software will not install?
Uncommenting DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" in /etc/default/docker as Matt Carrier suggested did NOT work for me. Nor did putting my corporation's DNS servers in that file. But, there's another way (read on).
First, let's verify the problem:
$ docker run --rm busybox nslookup google.com # takes a long time
nslookup: can't resolve 'google.com' # <--- appears after a long time
Server: 8.8.8.8
Address 1: 8.8.8.8
If the command appears to hang, but eventually spits out the error "can't resolve 'google.com'", then you have the same problem as me.
The nslookup command queries the DNS server 8.8.8.8 in order to turn the text address of 'google.com' into an IP address. Ironically, 8.8.8.8 is Google's public DNS server. If nslookup fails, public DNS servers like 8.8.8.8 might be blocked by your company (which I assume is for security reasons).
You'd think that adding your company's DNS servers to DOCKER_OPTS in /etc/default/docker should do the trick, but for whatever reason, it didn't work for me. I describe what worked for me below.
SOLUTION:
On the host (I'm using Ubuntu 16.04), find out the primary and secondary DNS server addresses:
$ nmcli dev show | grep 'IP4.DNS'
IP4.DNS[1]: 10.0.0.2
IP4.DNS[2]: 10.0.0.3
Using these addresses, create a file /etc/docker/daemon.json:
$ sudo su root
# cd /etc/docker
# touch daemon.json
Put this in /etc/docker/daemon.json:
{
"dns": ["10.0.0.2", "10.0.0.3"]
}
Exit from root:
# exit
Now restart docker:
$ sudo service docker restart
VERIFICATION:
Now check that adding the /etc/docker/daemon.json file allows you to resolve 'google.com' into an IP address:
$ docker run --rm busybox nslookup google.com
Server: 10.0.0.2
Address 1: 10.0.0.2
Name: google.com
Address 1: 2a00:1450:4009:811::200e lhr26s02-in-x200e.1e100.net
Address 2: 216.58.198.174 lhr25s10-in-f14.1e100.net
REFERENCES:
I based my solution on an article by Robin Winslow, who deserves all of the credit for the solution. Thanks, Robin!
"Fix Docker's networking DNS config." Robin Winslow. Retrieved 2016-11-09. https://robinwinslow.uk/2016/06/23/fix-docker-networking-dns/
After much headache I found the answer. "Could not resolve 'archive.ubuntu.com'" can be fixed by making the following changes:
Uncomment the following line in /etc/default/docker:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
Restart the Docker service:
sudo service docker restart
Delete any images which have cached the invalid DNS settings.
Build again and the problem should be solved.
Credit goes to Andrew SB
I ran into the same problem, but neither uncommenting the /etc/default/docker DNS entries nor editing /etc/resolv.conf in the build container or /etc/docker/daemon.json helped for me.
But after I built with the option --network=host, resolving was fine again.
docker build --network=host -t my-own-ubuntu-like-image .
Maybe this will help someone again.
I believe that Matt Carrier's answer is the correct solution for this problem. However, after implementing it, I still observed the same behavior: could not resolve 'archive.ubuntu.com'.
This led me to eventually find that the network I was connected to was blocking public DNS. The solution to this problem was to configure my Docker container to use the same name server that my host (the machine from which I was running Docker) was using.
How I triaged:
Since I was working through the Docker documentation, I already had an example image installed on my machine. I was able to start a new container to run that image and create a new bash session in that container: docker run -it docker/whalesay bash
Does the container have an Internet connection? ping 172.217.4.238 (google.com)
Can the container resolve hostnames? ping google.com
In my case, the first ping resulted in responses, the second did not.
How I fixed:
Once I discovered that DNS was not working inside the container, I verified that I could duplicate the same behavior on the host. nslookup google.com resolved just fine on the host. But nslookup google.com 8.8.8.8 or nslookup google.com 8.8.4.4 timed out.
Next, I found the name server(s) that my host was using by running nm-tool (on Ubuntu 14.04). In the vein of fast feedback, I started up the example image again, and added the IP address of the name server to the container's resolv.conf file: sudo vi /etc/resolv.conf. Once saved, I attempted the ping again (ping google.com) and this time it worked!
Please note that the changes made to the container's resolv.conf are not persistent and will be lost across container restarts. In my case, the more appropriate solution was to add the IP address of my network's name server to the host's /etc/default/docker file.
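The verification step in the earlier answer (nslookup google.com against a specific server) and the triage in this one (does 8.8.8.8 answer at all, or does it time out?) can be automated without nslookup being present in the image. The script below is an added example, not part of either answer: it builds a minimal DNS A query, sends it over UDP to each server in turn, and distinguishes an answer, a negative answer and a timeout, the last being the signature of a network that drops traffic to that resolver. SAMPLE_RESPONSE is a constructed reply (one A record for google.com) used to exercise the parser offline; the server list in the main block is an assumption to replace with the resolvers you want to compare.

```python
"""Probe specific DNS servers directly over UDP, the way the answers above use
nslookup google.com 8.8.8.8, but without needing nslookup in the image.

Added example, not part of any answer. A timeout (no reply at all) is the
signature of a network that drops traffic to that resolver, which is what
both answers ran into; a reply with a non-zero rcode means the server was
reached but would not answer for that name.
"""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, qid=0x1234):
    """Minimal DNS query: header with RD=1, one question for an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                    # qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def query(server, name, timeout=2.0):
    """Send one query to `server`; return ('ok', addrs), ('rcode N', []),
    ('timeout', []) or ('error: ...', [])."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout", []
        except OSError as exc:                      # e.g. network unreachable
            return f"error: {exc}", []
    rcode, addrs = parse_a_records(data)
    return ("ok" if rcode == 0 else f"rcode {rcode}"), addrs


# Constructed reply: one A record for google.com, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06google\x03com\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + socket.inet_aton("216.58.198.174")
)

if __name__ == "__main__":
    # Assumed server list; replace with the resolvers you want to compare.
    for server in ("8.8.8.8", "172.17.0.1"):
        print(server, *query(server, "google.com"))
```

Run it inside the container you are debugging and on the host: a server that returns ok on the host but timeout in the container points at the container networking (bridge filtering, iptables, MTU), while timeout in both places points at the network blocking that resolver, which is the case this answer describes.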
After adding the local DNS IP to the default docker file it started working for me. Please find the steps below:
$ nm-tool # (will give you the dns IP)
DNS : 172.168.7.2
$ vim /etc/default/docker # (uncomment the DOCKER_OPTS and add DNS IP)
DOCKER_OPTS="--dns 172.168.7.2 --dns 8.8.8.8 --dns 8.8.4.4"
$ docker rm $(docker ps --no-trunc -aq) # (remove all the containers to avoid DNS cache)
$ docker rmi $(docker images -q) # (remove all the images)
$ service docker restart #(restart the docker to pick up dns setting)
Now go ahead and build the Docker image... :)
For anyone who is also having this problem, I solved my problem by editing the /etc/default/docker file, as suggested by other answers and questions. However, I had no idea what IP to use as the DNS.
It was only after a while that I figured out I had to run ifconfig docker0 on the host to show the IP of the docker network interface:
docker0 Link encap:Ethernet Endereço de HW 02:42:69:ba:b4:07
inet end.: 172.17.0.1 Bcast:0.0.0.0 Masc:255.255.0.0
endereço inet6: fe80::42:69ff:feba:b407/64 Escopo:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Métrica:1
pacotes RX:8433 erros:0 descartados:0 excesso:0 quadro:0
Pacotes TX:9876 erros:0 descartados:0 excesso:0 portadora:0
colisões:0 txqueuelen:0
RX bytes:484195 (484.1 KB) TX bytes:24564528 (24.5 MB)
It was 172.17.0.1 in my case. Hope this helps anyone who is also having this issue.
I found this answer after some Googling. I'm using Windows, so some of the above answers did not apply to my file system.
Basically run:
docker-machine ssh default
echo "nameserver 8.8.8.8" > /etc/resolv.conf
Which just overwrites the existing nameserver with 8.8.8.8, I believe. It worked for me!
Based on some comments, you may have to be root. To do that, issue sudo -i.
I just wanted to add a late response for anyone coming across this issue from search engines.
Do NOT do this: I used to have an option in /etc/default/docker to set iptables=false. This was because ufw didn't work (everything was opened even though only 3 ports were allowed), so I blindly followed the answer to this question: Uncomplicated Firewall (UFW) is not blocking anything when using Docker, and this, which was linked in the comments.
I have a very low understanding of iptables rules / nat / routing in general, hence why I might have done something irrational.
Turns out that I had probably misconfigured it and killed DNS resolution inside my containers. When I ran an interactive container terminal: docker run -i -t ubuntu:14.04 /bin/bash
I had these results:
root@6b0d832700db:/# ping google.com
ping: unknown host google.com
root@6b0d832700db:/# cat /etc/resolv.conf
search online.net
nameserver 8.8.8.8
nameserver 8.8.4.4
root@6b0d832700db:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=1.76 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=1.72 ms
Reverting all of my ufw configuration (before.rules), disabling ufw and removing iptables=false from /etc/default/docker restored the DNS resolution functionality of the containers.
I'm now looking forward to re-enable ufw functionality by following these instructions instead.
I have struggled with this for some time as well, but here is what solved it for me on Ubuntu 16.04 x64. I hope it saves someone's time, too.
In /etc/NetworkManager/NetworkManager.conf:
comment out
#dns=dnsmasq
Create (or modify) /etc/docker/daemon.json:
{
"dns": ["8.8.8.8"]
}
Restart docker with:
sudo service docker restart
I have the same issue and tried the steps mentioned, but none seemed to work until I refreshed the network settings.
The steps:
As mentioned, add DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ip-masq=true" to /etc/default/docker.
Manually flush the PREROUTING table contents using iptables -t nat -F POSTROUTING. After running this, restart Docker and it will initialize the nat table with the new IP range.
Same issue for me (on Ubuntu Xenial).
docker run --dns ... for containers worked.
Updating docker daemon options for docker build (docker-compose etc.) did not work.
After analyzing the docker logs (journalctl -u docker.service) I found a warning about a bad resolvconf being applied.
Following that, I found that our corporate nameservers were added to the network interfaces but not to resolvconf.
Applied this solution How do I configure my static DNS in interfaces? (askubuntu), i.e. adding nameservers to /etc/resolvconf/resolv.conf.d/tail
After updating resolvconf (or a reboot),
docker run --rm busybox nslookup google.com
worked instantly.
All my docker-compose builds are working now.
I got the same issue today. I just added the line below to /etc/default/docker:
DOCKER_OPTS="--dns 172.18.20.13 --dns 172.20.100.29 --dns 8.8.8.8"
and then I restarted my Laptop.
In my case restarting the docker daemon was not enough; I had to restart my laptop to make it work.
Before spending too much time on any of the other solutions, simply restart Docker and try again.
Solved the problem for me, using Docker Desktop for Windows on Windows 10.
In my case, since my containers were in a cloud environment, the MTU of the interfaces was not the usual 1500 but something like 1450, so I had to configure my docker daemon to set the MTU to 1450 for containers.
{
"mtu": 1454
}
Look at this: https://mlohr.com/docker-mtu/
In my case, the firewall was the issue. Disabling it for the moment solved it. I use nftables; stopping the service did the trick:
sudo systemctl stop nftables.service
With the recent updates, the following line in /etc/docker/daemon.json was the cause of the issue:
{
"bridge": "none"
}
Remove it, and restart the docker service with: sudo systemctl restart docker
OS: Ubuntu 20.04.3 LTS; Docker: version 20.10.11, build dea9396.
On my system (macOS High Sierra 10.13.6 with Docker 2.1.0.1) this was due to a corporate proxy.
I solved this in two steps:
Manually configure proxy settings in Preferences > Proxies
Add the same settings to your ~/.docker/config.json, like:
{
"proxies":
{
"default":
{
"httpProxy": "MYPROXY",
"httpsProxy": "MYPROXY",
"noProxy": "MYPROXYWHITELIST"
}
}
}
I have dnsmasq on my system for DNS resolution, and it had the nameservers needed to resolve the URL. Docker copies the host system's /etc/resolv.conf as is into the container's /etc/resolv.conf, which thus didn't have the right nameservers. From the docs:
By default, a container inherits the DNS settings of the host, as defined in the /etc/resolv.conf configuration file.
Adding the nameservers in /etc/resolv.conf of the host fixed the issue.