Internal network DNS fails to resolve

[ca0abinary]

Description

Moby version 25 and higher under Linux fail to correctly perform DNS resolution on internal networks using the bridge driver and DNS container option.

Reproduce

docker-compose.yaml

version: '3.8'

services:
  dns:
    image: coredns/coredns:1.11.1
    working_dir: /etc/bind
    volumes: ['./Corefile:/etc/bind/Corefile:ro']
    networks:
      isolated: { ipv4_address: 192.168.254.254 }

  web:
    image: nginx:1.25-alpine3.18
    networks:
      isolated: { ipv4_address: 192.168.254.253 }
    depends_on: [ dns ]

  test:
    init: true
    image: nginx:1.25-alpine3.18
    dns: 192.168.254.254
    networks: [isolated]
    command: [ 'sh', '-c', 'while true; do curl http://webserver.internal.net; sleep 5; done' ]
    depends_on: [ web ]

networks:
  isolated:
    name: isolated
    internal: true
    ipam:
      config:
        - subnet: 192.168.254.0/24
          ip_range: 192.168.254.0/25
          gateway: 192.168.254.1

---

Corefile

. {
    log
}

internal.net {
    template IN ANY {
        match .*
        answer "{{ .Name }} 60 IN A 192.168.254.253"
    }
    log
}

1. Create above files in an empty directory
2. Run docker compose up
   • Under v24 expect the web logs to output "Welcome to nginx!" HTML page
   • Higher versions - expect the web logs to output curl: (6) Could not resolve host: webserver.internal.net

or using dind

Failing Test:

docker run --rm -it -v $(pwd):/src --hostname docker --privileged --workdir /src --name docker-26 docker:26.1-dind
docker exec docker-26 docker compose up
# Note docker:25-dind will also fail.

Passing Test

docker run --rm -it -v $(pwd):/src --hostname docker --privileged --workdir /src --name docker-24 docker:24-dind
docker exec docker-24 docker compose up

Expected behavior

Internal DNS resolution should function identically to version 24 of Moby.

docker version

Client:
 Cloud integration: v1.0.35+desktop.13
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:16:45 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Desktop
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:01 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /home/jdemarks/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /home/jdemarks/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container. (Docker Inc.)
    Version:  0.0.27
    Path:     /usr/local/lib/docker/cli-plugins/docker-debug
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/local/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.23
    Path:     /usr/local/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.4
    Path:     /usr/local/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.1.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.6.3
    Path:     /usr/local/lib/docker/cli-plugins/docker-scout
WARNING: Plugin "/usr/local/lib/docker/cli-plugins/docker-scan" is not valid: failed to fetch metadata: fork/exec /usr/local/lib/docker/cli-plugins/docker-scan: no such file or directory

Server:
 Containers: 3
  Running: 0
  Paused: 0
  Stopped: 3
 Images: 216
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.146.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 20
 Total Memory: 15.46GiB
 Name: docker-desktop
 ID: 2fdbb658-ba61-46ad-84ab-ecbb4f49d19a
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///var/run/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Additional Info

Independently verified in issue docker/for-win#14049

[thaJeztah]

I think this may be related to a security fix that fixed internal-only networks being able to access external DNS servers; GHSA-mq39-4gv4-mvpx

In this case, "external" would be the dns service, which is part of the same network, but the internal resolver likely won't take that into account; @robmry any thoughts?

[thaJeztah]

Oh! Looks like a PR was opened that looks related;

• Forward DNS requests into --internal networks #47821

[robmry]

Ah, yes! Thank you for re-opening this as a moby issue.

As @thaJeztah says, it's fallout from the security fix that went too far. The new PR should sort things out.

[divStar]

While I absolutely see the point if this fix, how are we supposed to work around this issue? I'd use --dns ..., but do I have to use it in every container? Or can I just recreate the network in a manner, that would allow this behavior?
I know I shouldn't do it for security reasons, but it's a homelab and I don't feel like extending every single docker-compose file to contain the DNS entry. Besides: I run Traefik and pihole within the same internal network, but also use pihole with the host IP at port 53.

What's the correct solution and is there a way to restore the previous behavior?

[thaJeztah]

@divStar did you try with docker 26.1.3? A fix was merged and included in that version; #47832

[ca0abinary]

I can verify that the test I wrote in the issue above is fixed with the latest release of docker 26.1. Thanks for the comments, I forgot to loop back around and check this out!

[thaJeztah]

Thanks for confirming!

[divStar]

Thank you! It seems to work for just about any container I use - except Jellyfin, but I suppose it's because of Traefik seeing two networks (I use a regular bridge network and a macvlan) and assigning weird IP addresses. The external access seems fixed though, at least from what I understand.

[akerouanton]

@divStar Without more details it's hard to pinpoint what's going wrong in your environment. You could try to ask on our community Slack, on our forum, or in the Discussions tab here on GH.

If your container is connected to multiple networks, it might be due to bad network precedence during DNS resolution or something along this line. If you're currently using an unqualified container name (eg. foobar), you could try to use a qualified name instead (eg. foobar.<network_name>).