
I have deployed an AdGuard Home docker container which I want to use as my DNS server/proxy. DNS resolution is working fine when I'm making an nslookup from a machine (as well as the docker host) on my local network (resolving local and external DNS names successfully).

However when making an nslookup from within a container the following message is returned:

;; connection timed out; no servers could be reached

If I take a look at the docker daemon log (in debug mode), I see this message:

Aug 13 22:56:27 host dockerd[641]: time="2020-08-13T22:56:27.646666208+02:00" level=debug msg="Name To resolve: host.local."
Aug 13 22:56:27 host dockerd[641]: time="2020-08-13T22:56:27.647142480+02:00" level=debug msg="[resolver] query host.local. (A) from 172.22.0.4:32939, forwarding to udp:192.168.178.39"
Aug 13 22:56:27 host dockerd[641]: time="2020-08-13T22:56:27.756187183+02:00" level=debug msg="[resolver] read from DNS server failed, read udp 172.24.0.2:56565->192.168.178.39:53: i/o timeout"

In the log of adguard home there are no noticeable problems. All requests (also the ones matching the timestamps of the request from within the containers) are answered and the correct address is returned.

To make the nslookup I used a busybox container (I can ping the adguard container):

docker run --network=adguardhome_default busybox nslookup -debug -type=A host.local

I'm running docker on Raspbian 10. Docker version is 19.03.12. Docker-compose version is 1.21.0.

There are a few things I tried so far, which include:

  • setting DNS in /etc/docker/daemon.json
  • setting DNS with --DNS option
  • setting DNS in compose file
  • editing the container's resolv.conf
  • resetting the docker bridge

It seems as if the embedded docker DNS doesn't understand the response from the adguard service or is otherwise not behaving as I'd expect it to. I'm thankful for any help and hope I provided enough detail.

I tried to use the parameter --dns-opt=use-vc to force DNS over TCP like suggested here. The option used is reflected in the resolv.conf of the container but doesn't seem to have any effect/isn't honored. Requests are still made using UDP.

resolv.conf of host:

# Generated by resolvconf
domain fritz.box
nameserver 192.168.178.39

resolv.conf of container:

nameserver 127.0.0.11
options ndots:0

docker-compose file for adguard:

version: '3.2'
services:
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    ports:
      - 53:53/tcp
      - 53:53/udp
        #- 67:67/udp
        #- 68:68/tcp
        #- 68:68/udp
      - 853:853/tcp
      - 3000:3000/tcp
    volumes:
      - type: volume
        source: data
        target: /opt/adguardhome/work
      - type: volume
        source: config
        target: /opt/adguardhome/conf

volumes:
  data:
  config:

adguard DNS servers:

192.168.178.1
tcp://192.168.178.1
PurifyPioneer

1 Answer


I have the exact same issue. A dockerized adguard which works perfectly for everything except for other docker hosted on the same Raspberry.

From the other docker I can ping the adguard, I can access port 53. From the adguard in debug I see the request coming in, I see no error, but no response going back to the docker.

Weirdly, in the log of the AdGuard, I see that it has correctly dealt with my DNS request but the client IP address is not from the original docker, but it is the IP of the adguard itself.

Finally, if I tried an nslookup with the Google DNS it works perfectly.

As I understand it, it looks like the adguard server is answering the DNS request on its own IP and not on the original source IP.

Edit: I have been able to solve my issue by using macvlan networks on all my docker.

Boug974
  • Thank you for your answer! I managed to solve this issue in a different way. I joined the containers that had problems with DNS resolution to the docker network of the adguard container and specified the IP address of the adguard container as the DNS server for these containers. All of that using docker-compose. It works fine right now but your solution looks good as well. Maybe someone with more experience regarding docker networking could give some background on which would be the preferred solution? – PurifyPioneer Sep 13 '20 at 12:25
  • When debugging the problem with a friend we came to the conclusion that it probably had something to do with Docker's iptables rules blocking container-to-container communication over the host or something alike. – PurifyPioneer Sep 13 '20 at 12:26
  • @PurifyPioneer thanks man, you're a life saver! The trick using an explicitly defined network and static IPs for the containers worked for me. I can now set the IP of the adguard container as the DNS for the other containers and it works. `macvlan` seems overkill for what I'm trying to solve with it. – pyrocumulus Aug 04 '21 at 09:55
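The workaround described in the comments (an explicitly defined compose network, a fixed address for the AdGuard container, and that address set as the `dns:` of the other containers) as a complete docker-compose file. This is an added example, not a file from either poster or from the AdGuard project; the network name `dnsnet`, the subnet `172.28.0.0/24`, the two static addresses and the `client` service are constructed for illustration, and `host.local` is a placeholder taken from the question.

```yaml
# Added example (constructed): AdGuard Home plus one client container that
# resolves through it, on a user-defined bridge network with fixed addresses.
version: '3.2'

services:
  adguardhome:
    image: adguard/adguardhome:latest
    container_name: adguardhome
    restart: unless-stopped
    networks:
      dnsnet:
        ipv4_address: 172.28.0.2      # fixed so clients can reference it (assumed subnet)
    ports:
      # Published for LAN machines. Restricting to the host's LAN address
      # (e.g. 192.168.178.39:53:53/udp) keeps the resolver off other interfaces.
      - 53:53/tcp
      - 53:53/udp
      - 3000:3000/tcp
    volumes:
      - type: volume
        source: data
        target: /opt/adguardhome/work
      - type: volume
        source: config
        target: /opt/adguardhome/conf

  # Constructed client: any container that must resolve names through AdGuard.
  # Docker's embedded resolver (127.0.0.11) still appears in its resolv.conf, but
  # the `dns:` entry makes it forward non-container names to AdGuard instead of
  # to the nameservers from the host's resolv.conf.
  client:
    image: busybox
    depends_on:
      - adguardhome
    networks:
      dnsnet:
        ipv4_address: 172.28.0.10     # constructed address
    dns:
      - 172.28.0.2
    # No server argument to nslookup, so the configured resolver path is exercised.
    command: ["sh", "-c", "nslookup host.local && sleep 3600"]

networks:
  dnsnet:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/24       # constructed; pick a range unused on your LAN

volumes:
  data:
  config:
```

Bring it up with `docker-compose up -d` and check `docker-compose logs client`: the lookup for `host.local` should be answered by 172.28.0.2, and the corresponding line in the AdGuard query log should show 172.28.0.10 as the client address. Containers that only need to reach AdGuard but are defined in another compose project can join the same network by declaring it as `external: true` under `networks:` and using the same `dns:` value.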