So I've set up a local server in my LAN. Connections from outside my network are not allowed. Still, the server should be reachable under my public domain (example.org).
So I've set a CNAME record pointing to a name only reachable in my local network (myserver.fritz.box).
That way, devices in my local network can reach the server under the public name. Devices outside my network can't.
On my host machine, everything seems to work fine. The public domain name resolves and I can access my server.
host# dig myserver.example.org
; <<>> DiG 9.16.1-Ubuntu <<>> myserver.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49974
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;myserver.example.org. IN A
;; ANSWER SECTION:
myserver.example.org. 0 IN CNAME myserver.fritz.box.
myserver.fritz.box. 9 IN A 192.168.178.155
;; Query time: 20 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sa Jul 01 16:54:58 CEST 2023
;; MSG SIZE rcvd: 116
Now I'm running a Docker container on my host machine. And from inside the container, the resolution of the CNAME seems to be problematic. I'm receiving an NXDOMAIN:
container# dig myserver.example.org
; <<>> DiG 9.18.16 <<>> myserver.example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 177
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;myserver.example.org. IN A
;; ANSWER SECTION:
myserver.example.org. 0 IN CNAME myserver.fritz.box.
;; AUTHORITY SECTION:
box. 1823 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 1688220651 900 1800 6048000 3600
;; Query time: 4 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sat Jul 01 14:57:46 UTC 2023
;; MSG SIZE rcvd: 149
That also leads to me being unable to ping the server from inside the container:
container# ping myserver.example.org
ping: bad address 'myserver.example.org'
Note that manually doing another query for the local domain name works fine.
container# dig myserver.fritz.box
; <<>> DiG 9.18.16 <<>> myserver.fritz.box
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2636
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
;; QUESTION SECTION:
;myserver.fritz.box. IN A
;; ANSWER SECTION:
myserver.fritz.box. 9 IN A 192.168.178.155
;; AUTHORITY SECTION:
myserver.fritz.box. 9 IN NS fritz.box.
;; ADDITIONAL SECTION:
fritz.box. 9 IN A 192.168.178.1
fritz.box. 9 IN AAAA fd00::cece:1eff:fef4:c4db
fritz.box. 9 IN AAAA 2a01:c22:d145:6900:cece:1eff:fef4:c4db
;; Query time: 252 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sat Jul 01 14:58:27 UTC 2023
;; MSG SIZE rcvd: 158
Why do we have that discrepancy?
Shouldn't Docker's DNS server 127.0.0.11 simply forward the request to 127.0.0.53 on the host machine, where everything works fine?
Maybe related
I've noticed the same issue also on my host machine, if I'm explicitly using the DNS server of my router instead of 127.0.0.53 from resolvectl. I don't understand why this is happening either.
host# dig @fritz.box myserver.example.org
; <<>> DiG 9.16.1-Ubuntu <<>> @fritz.box myserver.example.org
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;myserver.example.org. IN A
;; ANSWER SECTION:
myserver.example.org. 0 IN CNAME myserver.fritz.box.
;; AUTHORITY SECTION:
box. 1641 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 1688220651 900 1800 6048000 3600
;; Query time: 8 msec
;; SERVER: 2a01:c22:d145:6900:cece:1eff:fef4:c4db#53(2a01:c22:d145:6900:cece:1eff:fef4:c4db)
;; WHEN: Sa Jul 01 17:00:48 CEST 2023
;; MSG SIZE rcvd: 149
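As an added example (not part of the question above), a small Python script that parses dig's text output like the outputs quoted in the question and reports where a CNAME chain stops resolving, including which zone's SOA returned the negative answer; the abbreviated outputs are constructed from the question's own records, and the parser assumes dig's default text layout (name, TTL, class, type, data).

```python
import re

# Constructed from the question's own dig outputs (headers trimmed).
HOST_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49974
;; QUESTION SECTION:
;myserver.example.org. IN A
;; ANSWER SECTION:
myserver.example.org. 0 IN CNAME myserver.fritz.box.
myserver.fritz.box. 9 IN A 192.168.178.155
"""
CONTAINER_OUT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 177
;; QUESTION SECTION:
;myserver.example.org. IN A
;; ANSWER SECTION:
myserver.example.org. 0 IN CNAME myserver.fritz.box.
;; AUTHORITY SECTION:
box. 1823 IN SOA ns0.centralnic.net. hostmaster.centralnic.net. 1688220651 900 1800 6048000 3600
"""

def parse_dig(text):
    """Return (status, answer RRs, authority RRs) from dig's default text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    section, answer, authority = None, [], []
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # QUESTION / ANSWER / AUTHORITY / ADDITIONAL
            continue
        if not line or line.startswith(";"):  # comments, header, question line
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        rr = {"name": fields[0], "ttl": int(fields[1]), "type": fields[3], "data": fields[4:]}
        (answer if section == "ANSWER" else authority if section == "AUTHORITY" else []).append(rr)
    return status, answer, authority

def follow_cname_chain(qname, answer):
    """Walk CNAMEs from qname (loop-safe); return (final owner name, its A/AAAA addresses)."""
    name, seen = qname, set()
    while name not in seen:
        seen.add(name)
        cnames = [rr for rr in answer if rr["name"] == name and rr["type"] == "CNAME"]
        if not cnames:
            break
        name = cnames[0]["data"][0]
    return name, [rr["data"][0] for rr in answer if rr["name"] == name and rr["type"] in ("A", "AAAA")]

def diagnose(qname, text):
    """Report whether the chain resolved and, if not, which zone's SOA signed off the negative answer."""
    status, answer, authority = parse_dig(text)
    target, addrs = follow_cname_chain(qname, answer)
    if addrs:
        return {"ok": True, "target": target, "addrs": addrs}
    soa_zone = next((rr["name"] for rr in authority if rr["type"] == "SOA"), None)
    return {"ok": False, "target": target, "status": status, "soa_zone": soa_zone}
```

For the container output this reports the unresolved target myserver.fritz.box. with the SOA of the public zone box., which shows the resolver sent the private name out to the public .box TLD rather than to the router.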