Score:0

Unable to use Docker DNS with nftables


I have a bind9 DNS container running on 10.64.128.53, which is on the docker network "servers" on the subnet 10.64.128.0/24. this works fine and if I run: nslookup google.com 10.64.128.53

I get the output:

Server:         10.64.128.53
Address:        10.64.128.53#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.193.142

When I run the same command in a docker container: docker run --rm -it --network servers --dns 10.64.128.53 alpine nslookup google.com 10.64.128.53

I get the output:

Server:         10.64.128.53
Address:        10.64.128.53:53

Non-authoritative answer:
Name:   google.com
Address: 216.58.193.142

This is expected. Now if I run: docker run --rm -it --network servers --dns 10.64.128.53 alpine nslookup google.com I get the output:

nslookup: write to '127.0.0.11': Connection refused
;; connection timed out; no servers could be reached

This doesn't make much sense to me because I specified my docker DNS server, but I'm assuming that docker runs it through an internal proxy on 127.0.0.11. This would be great if I was using it, but I don't need it. The best solution I can think of is overwriting /etc/resolv.conf with my DNS server, but this seems like an awful solution. I saw this https://github.com/moby/moby/issues/19474#issuecomment-173093011 but can't get this working in nftables, but I guess this is the only way because it seems the docker DNS server requires connections from 127.0.0.11:53.

The host is Gentoo Linux; I know the networking works when iptables is installed. I see these errors in docker's logs whenever I start a VM:

time="2022-01-25T03:08:56Z" level=warning msg="Failed to find iptables: exec: \"iptables\": executable file not found in $PATH"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p udp --dport 53 -j DNAT --to-destination 127.0.0.11:50360]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_POSTROUTING -s 127.0.0.11 -p udp --sport 50360 -j SNAT --to-source :53]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.11:46531]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_POSTROUTING -s 127.0.0.11 -p tcp --sport 46531 -j SNAT --to-source :53]"

I also see this error every time I try to run the nslookup commands in the docker containers but I'm not sure how related it is:

time="2022-01-25T03:20:08.094540639Z" level=error msg="Handler for POST /v1.41/exec/d52b964c2e34acb78b67e5d2f02a8143e1efb3c45da0936fe128ed14fb6296ce/resize returned error: cannot resize a stopped container: unknown"

Just using iptables isn't really a solution here, I want it to be purely nftables and that doesn't seem unreasonable.

If I have iptables running, Docker DNS seems to work but there are no rules added to iptables. I don't understand this, why does it require iptables but make no rules?
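The four "set up rule failed" lines in the daemon log are the whole mechanism: Docker's embedded resolver binds 127.0.0.11 on an ephemeral port (50360 for UDP and 46531 for TCP in that log) inside the container's network namespace, then DNATs 127.0.0.11:53 to that port and SNATs the replies back to :53, which is why nslookup gets "Connection refused" on 127.0.0.11 when the rules are missing. The script below is an added example, not code from the question or from Docker: it translates those logged iptables rules into nft syntax and installs the resulting ruleset in a running container's network namespace. It assumes root on the host, nft and iproute2's ss installed on the host (nsenter only switches the network namespace, so host binaries are used), and that the resolver ports are read live, because dockerd picks new ones at every container start; the function names, the table name docker_dns and the chain names are mine.

```shell
#!/bin/sh
# Added example: reproduce with nft the four iptables NAT rules that dockerd
# logs as "set up rule failed" when iptables is missing. Docker applies those
# rules inside the container's network namespace, so they are installed there.
# Assumptions: root on the host, nft and ss available on the host, a running
# container. Table/chain names are this example's choice, not Docker's.

# iptables_nat_to_nft RULE
# Translate one logged iptables NAT rule into the equivalent nft rule text.
# Only the two shapes seen in the log are handled (DNAT --to-destination
# host:port and SNAT --to-source :port). -t and -I are skipped because the
# caller decides which nft chain the rule goes into.
iptables_nat_to_nft() {
    proto='' daddr='' saddr='' dport='' sport='' target='' to=''
    set -- $1
    while [ $# -gt 0 ]; do
        case $1 in
            -p) proto=$2; shift ;;
            -d) daddr=$2; shift ;;
            -s) saddr=$2; shift ;;
            --dport) dport=$2; shift ;;
            --sport) sport=$2; shift ;;
            -j) target=$2; shift ;;
            --to-destination|--to-source) to=$2; shift ;;
        esac
        shift
    done
    case $target in
        DNAT) printf 'ip daddr %s %s dport %s dnat to %s\n' "$daddr" "$proto" "$dport" "$to" ;;
        SNAT) printf 'ip saddr %s %s sport %s snat to %s\n' "$saddr" "$proto" "$sport" "$to" ;;
        *) echo "unsupported target: '$target'" >&2; return 1 ;;
    esac
}

# docker_dns_nft_ruleset UDP_PORT TCP_PORT
# Emit a complete nft ruleset equivalent to Docker's DOCKER_OUTPUT and
# DOCKER_POSTROUTING rules. Priorities -100 and 100 are the hook priorities
# of the iptables nat OUTPUT and POSTROUTING chains respectively.
docker_dns_nft_ruleset() {
    cat <<EOF
table ip docker_dns {
    chain output {
        type nat hook output priority -100; policy accept;
        $(iptables_nat_to_nft "-d 127.0.0.11 -p udp --dport 53 -j DNAT --to-destination 127.0.0.11:$1")
        $(iptables_nat_to_nft "-d 127.0.0.11 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.11:$2")
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        $(iptables_nat_to_nft "-s 127.0.0.11 -p udp --sport $1 -j SNAT --to-source :53")
        $(iptables_nat_to_nft "-s 127.0.0.11 -p tcp --sport $2 -j SNAT --to-source :53")
    }
}
EOF
}

# embedded_dns_ports CONTAINER
# Print "<udp-port> <tcp-port>" of the embedded resolver's listening sockets
# inside CONTAINER's network namespace. The sockets are owned by dockerd, which
# the container's pid namespace cannot see, but ss run in the container's
# network namespace alone still lists them.
embedded_dns_ports() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    udp=$(nsenter -t "$pid" -n ss -Hlun src 127.0.0.11 | awk 'NR==1 {print $4}')
    tcp=$(nsenter -t "$pid" -n ss -Hltn src 127.0.0.11 | awk 'NR==1 {print $4}')
    if [ -z "$udp" ] || [ -z "$tcp" ]; then
        echo "no embedded resolver socket found in $1" >&2
        return 1
    fi
    echo "${udp##*:} ${tcp##*:}"
}

# fix_docker_dns CONTAINER
# Install the ruleset in CONTAINER's network namespace; safe to re-run.
fix_docker_dns() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    ports=$(embedded_dns_ports "$1") || return 1
    docker_dns_nft_ruleset $ports \
        | nsenter -t "$pid" -n sh -c 'nft delete table ip docker_dns 2>/dev/null; nft -f -'
}

# Usage from the host once the container is running:
#   fix_docker_dns <container-name>
#   docker exec <container-name> nslookup google.com
```

Two caveats a practitioner should keep in mind. The ports only exist once the container has started and change at every start, so this repairs long-running containers; a one-shot `docker run --rm ... nslookup` exits before anything can be installed in its namespace, which is why the entrypoint/resolv.conf workaround is the only one that covers that case without iptables. And `snat to :53` is the nft spelling of iptables' `--to-source :53`: it rewrites only the source port and leaves the 127.0.0.11 address alone.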

Docker doesn't support `nftables`.

Desultory: That isn't helpful. There should be a way to use purely nftables with docker; iptables and nftables are similar enough.

Docker heavily depends on `iptables` to configure its networking, but it doesn't support `nftables` at all. If you search google `site:docs.docker.com nftables` you'll find exactly one hit.

Desultory: Everything but DNS works perfectly with nftables; the issue here is that docker uses hacks to get internal DNS working.

Ginnungagap: I have a mostly identical setup with Gentoo without the legacy iptables kernel option, and the only way I get Docker to actually work is to alter containers' entrypoint to fix `/etc/resolv.conf` before starting up the real entrypoint. I'm stumped that Docker is this dirty, especially when they supposedly have an option in the daemon config to not alter iptables configuration, which is mostly disregarded anyway.

Desultory: @Ginnungagap what is your exact method for altering the container's resolv.conf? I agree it shouldn't have to be this dirty. I feel like specifying dns options should just overwrite resolv.conf or something instead of docker using the dns proxying inside.