Score:-1

Docker Container DNS slow (~ 4 seconds) with DNS resolver as container

DNS resolution inside all of my Docker containers is consistently slow (slightly more than 4 seconds). From the host, DNS queries are fast, as well as on the rest of my network.

I must admit I did not try many things up until now because googling did not give me many answers. As you can see below, many TCP packets go to e.g. 172.18.0.12.domain or homeserver.my.tld.domain. I think the .domain suffix is not correct, but I do not know what to do with that information.

Any idea what is wrong with my setup? I would appreciate it if anyone could steer me in the right direction, or give me some ideas on what to try to localize my problem.

If you need any additional info, I am happy to provide anything that I can.

EDIT: When I change /etc/resolv.conf inside the container to:

search local
nameserver 172.18.0.1
options ndots:0

Then DNS lookups from within the container are fast again. But that means, of course, that I can't resolve other containers by their names anymore.


My setup is:

  • My Asus Router running DHCP and giving out the DNS-Server address 192.168.1.12
  • Home Network is 192.168.1.0/24
  • Physical machine "Homeserver" (192.168.1.12) is my Docker host
  • Unbound container as DNS server (port forwarding 53/TCP, 53/UDP)
  • Multiple other containers all having the same problem
  • All containers are managed with docker compose (no extra networks section)

Additional info:

IP of Homeserver

me@homeserver ~ » hostname -I
192.168.1.12 172.18.0.1 172.17.0.1

resolv.conf of Homeserver

me@homeserver ~ » cat /etc/resolv.conf
domain local
search local
nameserver 192.168.1.12
nameserver 192.168.1.1

dig from Homeserver (host)

me@homeserver ~ » dig example.com

; <<>> DiG 9.16.42-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39605
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            84515   IN      A       93.184.216.34

;; Query time: 0 msec
;; SERVER: 192.168.1.12#53(192.168.1.12)
;; WHEN: Thu Jul 06 14:40:26 CEST 2023
;; MSG SIZE  rcvd: 56

ip from container (randomly chosen)

root@917745962ebd:/var/www/html# hostname -I
172.18.0.3

resolv.conf of same container

root@917745962ebd:/var/www/html# cat /etc/resolv.conf 
search local
nameserver 127.0.0.11
options ndots:0

dig from the same container

root@917745962ebd:/var/www/html# dig example.com

; <<>> DiG 9.16.42-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56875
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            6393    IN      A       93.184.216.34

;; Query time: 4000 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Jul 06 12:38:09 UTC 2023
;; MSG SIZE  rcvd: 56

tcpdump (on host) while running the above dig from the container. I renamed my domain name below to my.tld and my public IP to redacted.correct.ip.address.

me@homeserver ~ » sudo tcpdump -n -t -i any -w dns.dump port 53

14:38:04.838058 veth93caf60 P   IP 172.18.0.15.37644 > homeserver.my.tld.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:04.838058 br-27dccdedb325 In  IP 172.18.0.15.37644 > homeserver.my.tld.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:04.838288 br-27dccdedb325 Out IP 172.18.0.1.53289 > 172.18.0.12.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:04.838293 veth777c9f6 Out IP 172.18.0.1.53289 > 172.18.0.12.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:04.838369 veth777c9f6 P   IP 172.18.0.12.domain > 172.18.0.1.53289: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:04.838369 br-27dccdedb325 In  IP 172.18.0.12.domain > 172.18.0.1.53289: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:04.838424 br-27dccdedb325 Out IP 172.18.0.1.domain > 172.18.0.15.37644: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:04.838429 veth93caf60 Out IP 172.18.0.1.domain > 172.18.0.15.37644: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:05.173253 vethba9d77c P   IP 172.18.0.3.38698 > homeserver.my.tld.domain: 56875+ [1au] A? example.com. (52)
14:38:05.173253 br-27dccdedb325 In  IP 172.18.0.3.38698 > homeserver.my.tld.domain: 56875+ [1au] A? example.com. (52)
14:38:05.173414 br-27dccdedb325 Out IP 172.18.0.1.56291 > 172.18.0.12.domain: 56875+ [1au] A? example.com. (52)
14:38:05.173421 veth777c9f6 Out IP 172.18.0.1.56291 > 172.18.0.12.domain: 56875+ [1au] A? example.com. (52)
14:38:05.173522 veth777c9f6 P   IP 172.18.0.12.domain > 172.18.0.1.56291: 56875$ 1/0/1 A 93.184.216.34 (56)
14:38:05.173522 br-27dccdedb325 In  IP 172.18.0.12.domain > 172.18.0.1.56291: 56875$ 1/0/1 A 93.184.216.34 (56)
14:38:05.173613 br-27dccdedb325 Out IP 172.18.0.1.domain > 172.18.0.3.38698: 56875$ 1/0/1 A 93.184.216.34 (56)
14:38:05.173617 vethba9d77c Out IP 172.18.0.1.domain > 172.18.0.3.38698: 56875$ 1/0/1 A 93.184.216.34 (56)
14:38:06.834972 veth93caf60 P   IP 172.18.0.15.47468 > 192.168.1.1.domain: 10696+ A? subdomain-b.my.tld. (35)
14:38:06.834972 br-27dccdedb325 In  IP 172.18.0.15.47468 > 192.168.1.1.domain: 10696+ A? subdomain-b.my.tld. (35)
14:38:06.835010 eno1  Out IP homeserver.my.tld.47468 > 192.168.1.1.domain: 10696+ A? subdomain-b.my.tld. (35)
14:38:06.835852 eno1  In  IP 192.168.1.1.domain > homeserver.my.tld.47468: 10696 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (91)
14:38:06.835874 br-27dccdedb325 Out IP 192.168.1.1.domain > 172.18.0.15.47468: 10696 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (91)
14:38:06.835879 veth93caf60 Out IP 192.168.1.1.domain > 172.18.0.15.47468: 10696 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (91)
14:38:07.340717 veth93caf60 P   IP 172.18.0.15.52538 > homeserver.my.tld.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:07.340717 br-27dccdedb325 In  IP 172.18.0.15.52538 > homeserver.my.tld.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:07.340908 br-27dccdedb325 Out IP 172.18.0.1.55468 > 172.18.0.12.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:07.340916 veth777c9f6 Out IP 172.18.0.1.55468 > 172.18.0.12.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:07.341003 veth777c9f6 P   IP 172.18.0.12.domain > 172.18.0.1.55468: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:07.341003 br-27dccdedb325 In  IP 172.18.0.12.domain > 172.18.0.1.55468: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:07.341070 br-27dccdedb325 Out IP 172.18.0.1.domain > 172.18.0.15.52538: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:07.341076 veth93caf60 Out IP 172.18.0.1.domain > 172.18.0.15.52538: 60373* 1/0/0 A 192.168.1.12 (59)
14:38:08.839315 veth93caf60 P   IP 172.18.0.15.56280 > 192.168.1.1.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:08.839315 br-27dccdedb325 In  IP 172.18.0.15.56280 > 192.168.1.1.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:08.839366 eno1  Out IP homeserver.my.tld.56280 > 192.168.1.1.domain: 60373+ A? subdomain-a.my.tld. (43)
14:38:08.840220 eno1  In  IP 192.168.1.1.domain > homeserver.my.tld.56280: 60373 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (99)
14:38:08.840244 br-27dccdedb325 Out IP 192.168.1.1.domain > 172.18.0.15.56280: 60373 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (99)
14:38:08.840250 veth93caf60 Out IP 192.168.1.1.domain > 172.18.0.15.56280: 60373 2/0/0 CNAME subdomain-c.my.tld., A redacted.correct.ip.address (99)
14:38:09.173904 vethba9d77c P   IP 172.18.0.3.43473 > 192.168.1.1.domain: 56875+ [1au] A? example.com. (52)
14:38:09.173904 br-27dccdedb325 In  IP 172.18.0.3.43473 > 192.168.1.1.domain: 56875+ [1au] A? example.com. (52)
14:38:09.173952 eno1  Out IP homeserver.my.tld.43473 > 192.168.1.1.domain: 56875+ [1au] A? example.com. (52)
14:38:09.174908 eno1  In  IP 192.168.1.1.domain > homeserver.my.tld.43473: 56875 1/0/1 A 93.184.216.34 (56)
14:38:09.174932 br-27dccdedb325 Out IP 192.168.1.1.domain > 172.18.0.3.43473: 56875 1/0/1 A 93.184.216.34 (56)
14:38:09.174939 vethba9d77c Out IP 192.168.1.1.domain > 172.18.0.3.43473: 56875 1/0/1 A 93.184.216.34 (56)

docker network inspect smarthome_default

[

    {
        "Name": "smarthome_default",
        "Id": "27dccdedb3252ccb0967d8b1f552d3262aecbdaf5bd709088241e648acab1cc2",
        "Created": "2022-11-04T13:27:46.22785411+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "18cd21a56368b62752dfb99042ee6305fb680e6dceb5ab79f499ce78fffff053": {
                "Name": "smarthome-unbound-1",
                "EndpointID": "ca5169a1a1244d03756919a78d48b5b6a54a20d898f1293bbcecb9bfb1ea1435",
                "MacAddress": "02:42:ac:12:00:0c",
                "IPv4Address": "172.18.0.12/16",
                "IPv6Address": ""
            },
            "e70f22c6c4581d751061b7353cd32e8ae187f130a0811c3e259d379de9fb3b8b": {
                "Name": "smarthome-other-container-1",
                "EndpointID": "668b6ffa63d2a529ef5f257c763c3ca1731cdf1671c0115c405192b8c89f3ee9",
                "MacAddress": "02:42:ac:12:00:0a",
                "IPv4Address": "172.18.0.10/16",
                "IPv6Address": ""
            },
            // ...
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "default",
            "com.docker.compose.project": "smarthome",
            "com.docker.compose.version": "2.12.2"
        }
    }
]
djdomi
Questions on Server Fault must be about managing information technology systems in a business environment. Home and end-user computing questions may be asked on Super User, and also see [ask] as well as [help/on-topic]
Score:0

Solved:

The underlying problem was this:

root@917745962ebd:/var/www/html# dig @192.168.1.12 example.com   
 
;; reply from unexpected source: 172.18.0.1#53, expected 192.168.1.12#53

When I instead used the suggested IP address from the above command output:

root@917745962ebd:/var/www/html# dig @172.18.0.1 example.com

; <<>> DiG 9.16.42-Debian <<>> @172.18.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9462
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            85486   IN      A       93.184.216.34

;; Query time: 0 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Jul 10 08:28:06 UTC 2023
;; MSG SIZE  rcvd: 56

So the solution was to add this IP address to my /etc/resolv.conf (on the host) as the first entry:

domain local
search local
nameserver 172.18.0.1
nameserver 192.168.1.12
nameserver 192.168.1.1

Fortunately, this does not cause any DNS issues on the host:

me@homeserver ~ » dig example.com

; <<>> DiG 9.16.42-Debian <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7276
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            85272   IN      A       93.184.216.34

;; Query time: 0 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Mon Jul 10 10:31:40 CEST 2023
;; MSG SIZE  rcvd: 56
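
An added example, not part of the original posts: a stub resolver drops a reply whose source address differs from the server it queried, then retries the next nameserver after a timeout, which is the roughly 4 second delay seen above. The sketch below finds both symptoms in `tcpdump -n` text output; the function names are hypothetical and the sample lines are constructed from the capture in the question, with names replaced by numeric addresses and ports.

```python
import re

# One DNS packet as printed by `tcpdump -n -i any port 53` (numeric hosts and ports).
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s.*?\bIP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<qid>\d+)"
)

def seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(lines):
    """Return (mismatches, retries) found in tcpdump text output."""
    pending = {}   # (client, port, qid) -> server the client addressed
    attempts = {}  # (client, qid) -> [(time, server)], one entry per server tried
    mismatches, retries = [], []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        t, qid = seconds(m["ts"]), int(m["qid"])
        if m["dport"] == "53":  # query
            pending[(m["src"], m["sport"], qid)] = m["dst"]
            tried = attempts.setdefault((m["src"], qid), [])
            if not tried or tried[-1][1] != m["dst"]:
                if tried:  # same query ID re-sent to the next nameserver
                    prev_t, prev_srv = tried[-1]
                    retries.append((m["src"], qid, prev_srv, m["dst"], round(t - prev_t, 3)))
                tried.append((t, m["dst"]))
        elif m["sport"] == "53":  # reply
            asked = pending.pop((m["dst"], m["dport"], qid), None)
            if asked is not None and asked != m["src"]:
                mismatches.append((m["dst"], qid, asked, m["src"]))
    return mismatches, retries

# Constructed sample: the container's view of one lookup, numeric form.
SAMPLE = """\
14:38:05.173253 vethba9d77c P   IP 172.18.0.3.38698 > 192.168.1.12.53: 56875+ [1au] A? example.com. (52)
14:38:05.173617 vethba9d77c Out IP 172.18.0.1.53 > 172.18.0.3.38698: 56875$ 1/0/1 A 93.184.216.34 (56)
14:38:09.173904 vethba9d77c P   IP 172.18.0.3.43473 > 192.168.1.1.53: 56875+ [1au] A? example.com. (52)
14:38:09.174939 vethba9d77c Out IP 192.168.1.1.53 > 172.18.0.3.43473: 56875 1/0/1 A 93.184.216.34 (56)
""".splitlines()

if __name__ == "__main__":
    bad, slow = analyze(SAMPLE)
    for client, qid, asked, got in bad:
        print(f"{client} id {qid}: asked {asked}, reply came from {got}")
    for client, qid, first, second, delay in slow:
        print(f"{client} id {qid}: retried {first} -> {second} after {delay}s")
```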