Internal network DNS fails to resolve #47822

ca0abinary · 2024-05-10T17:43:08Z

Description

Moby version 25 and higher under Linux fail to correctly perform DNS resolution on internal networks using the bridge driver and DNS container option.

Reproduce

docker-compose.yaml

version: '3.8'

services:
  dns:
    image: coredns/coredns:1.11.1
    working_dir: /etc/bind
    volumes: ['./Corefile:/etc/bind/Corefile:ro']
    networks:
      isolated: { ipv4_address: 192.168.254.254 }

  web:
    image: nginx:1.25-alpine3.18
    networks:
      isolated: { ipv4_address: 192.168.254.253 }
    depends_on: [ dns ]

  test:
    init: true
    image: nginx:1.25-alpine3.18
    dns: 192.168.254.254
    networks: [isolated]
    command: [ 'sh', '-c', 'while true; do curl http://webserver.internal.net; sleep 5; done' ]
    depends_on: [ web ]

networks:
  isolated:
    name: isolated
    internal: true
    ipam:
      config:
        - subnet: 192.168.254.0/24
          ip_range: 192.168.254.0/25
          gateway: 192.168.254.1

Corefile

. {
    log
}

internal.net {
    template IN ANY {
        match .*
        answer "{{ .Name }} 60 IN A 192.168.254.253"
    }
    log
}

Create above files in an empty directory
Run docker compose up
- Under v24 expect the web logs to output "Welcome to nginx!" HTML page
- Higher versions - expect the web logs to output curl: (6) Could not resolve host: webserver.internal.net

or using dind

Failing Test:

docker run --rm -it -v $(pwd):/src --hostname docker --privileged --workdir /src --name docker-26 docker:26.1-dind
docker exec docker-26 docker compose up
# Note docker:25-dind will also fail.

Passing Test

docker run --rm -it -v $(pwd):/src --hostname docker --privileged --workdir /src --name docker-24 docker:24-dind
docker exec docker-24 docker compose up

Expected behavior

Internal DNS resolution should function identically to version 24 of Moby.

docker version

Client:
 Cloud integration: v1.0.35+desktop.13
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:16:45 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Desktop
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:01 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /home/jdemarks/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /home/jdemarks/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.27
    Path:     /usr/local/lib/docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/local/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.23
    Path:     /usr/local/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /usr/local/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.1.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.6.3
    Path:     /usr/local/lib/docker/cli-plugins/docker-scout
WARNING: Plugin "/usr/local/lib/docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /usr/local/lib/docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 3
  Running: 0
  Paused: 0
  Stopped: 3
 Images: 216
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.146.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 20
 Total Memory: 15.46GiB
 Name: docker-desktop
 ID: 2fdbb658-ba61-46ad-84ab-ecbb4f49d19a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///var/run/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Additional Info

Independently verified in issue docker/for-win#14049

The text was updated successfully, but these errors were encountered:

thaJeztah · 2024-05-10T18:28:01Z

I think this may be related to a security fix that fixed internal-only networks being able to access external DNS servers; GHSA-mq39-4gv4-mvpx

In this case, "external" would be the dns service, which is part of the same network, but the internal resolver likely won't take that into account; @robmry any thoughts?

thaJeztah · 2024-05-10T18:30:29Z

Oh! Looks like a PR was opened that looks related;

Forward DNS requests into --internal networks #47821

robmry · 2024-05-10T18:35:55Z

Ah, yes! Thank you for re-opening this as a moby issue.

As @thaJeztah says, it's fallout from the security fix that went too far. The new PR should sort things out.

ca0abinary added kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. status/0-triage labels May 10, 2024

ca0abinary mentioned this issue May 10, 2024

Internal network DNS fails to resolve in Docker Desktop 4.29 on WSL2 docker/for-win#14049

Closed

thaJeztah added area/networking area/networking/dns version/25.0 version/26.0 version/26.1 labels May 10, 2024

robmry mentioned this issue May 10, 2024

Forward DNS requests into --internal networks #47821

Merged

vvoland mentioned this issue May 14, 2024

[26.1 backport] Forward DNS requests into --internal networks #47832

Merged

akerouanton closed this as completed in #47821 May 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Internal network DNS fails to resolve #47822

Internal network DNS fails to resolve #47822

ca0abinary commented May 10, 2024 •

edited

thaJeztah commented May 10, 2024 •

edited

thaJeztah commented May 10, 2024

robmry commented May 10, 2024

Internal network DNS fails to resolve #47822

Internal network DNS fails to resolve #47822

Comments

ca0abinary commented May 10, 2024 • edited

Description

Reproduce

Expected behavior

docker version

docker info

Additional Info

thaJeztah commented May 10, 2024 • edited

thaJeztah commented May 10, 2024

robmry commented May 10, 2024

ca0abinary commented May 10, 2024 •

edited

thaJeztah commented May 10, 2024 •

edited