
I'm trying to use macvlan to create a container that is a first-class citizen on my lan.

I'm using a static IP (although I understand that using some 'tricks' it's possible to use DHCP as well).

I understand it's possible to do it with the host network, but I'm planning to run 2 separate DNS containers, and I want each of them to have a different IP, so host isn't the solution I'm looking for.

My Setup

Details about my network and host setup:

  • Unifi UGS Router, internal IP: 192.168.1.254
  • Network mask: 192.168.1.0/24
  • Host OS: Ubuntu 20.04 LTS (Focal Fossa)
  • Docker version 20.10.2, build 20.10.2-0ubuntu1~20.04.2
  • docker-compose version 1.28.5, build c4eb3a1f
  • Host's IP is received over a bridge interface (named br-lan) which is attached to my ethernet port.

I'm using [adguard-home][2] as the test container's image; below is the docker-compose config output:

version: '3.7'
networks:
  br-lan:
    driver: macvlan
    driver_opts:
      parent: br-lan
    ipam:
      config:
      - gateway: 192.168.1.254
        subnet: 192.168.1.0/24
      driver: default

services:
  adguard:
    dns: # adguards default upstream DNS servers
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
    image: adguard/adguardhome
    mac_address: '02:01:02:03:04:05' # Some randomized, locally administered MAC address (must be 6 octets)
    mem_limit: 500mb
    networks:
      br-lan:
        ipv4_address: 192.168.1.53
    restart: unless-stopped
    volumes:
    - /etc/localtime:/etc/localtime:ro
    - /srv/adguard/data/conf:/opt/adguardhome/conf:rw
    - /srv/adguard/data/work:/opt/adguardhome/work:rw

What Works

This actually works for TCP, I can access the WebUI (ports 3000 and 80), and as long as DNS queries are done over TCP it works (tcp port 53).

The container itself can access the web, and in turn the container can be accessed by the host as well as machines on the LAN.

What Doesn't Work

UDP DNS queries fail.

How I'm testing

On a Windows 10 machine in the network I'm running the following PowerShell command:

# Default (UDP) DNS Query - Fails
❯ Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.com # Test regular UDP DNS Query
<# The Error output is
Resolve-DnsName : stackoverflow.com : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (stackoverflow.com:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName
#>

# TCP DNS Query - works
❯ Resolve-DnsName -DnsOnly -Server 192.168.1.53 -Name stackoverflow.com -TcpOnly

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
stackoverflow.com                              A      2507  Answer     151.101.65.69
stackoverflow.com                              A      2507  Answer     151.101.129.69
stackoverflow.com                              A      2507  Answer     151.101.193.69
stackoverflow.com                              A      2507  Answer     151.101.1.69

What's my question and why I'm posting here?

I can't figure out why UDP fails while TCP works. My searches about UDP and macvlan haven't been fruitful, and I was hoping someone here would be able to guide me on how to troubleshoot this so I can identify the flaw in my design, or explain what I can do to fix this.

  • Check your firewall configuration. Try to connect to the DNS daemon from inside the container via 53/UDP. Check if anything listens on port 53/UDP in the container. – mforsetti Jul 10 '21 at 06:24
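The question tests the same name over UDP and over TCP from a Windows client, and the comment above suggests checking whether anything actually listens on 53/UDP. The script below is an added example (not part of the question, and not AdGuard Home code) that performs that comparison from any Linux or macOS host without relying on the OS resolver: it builds the DNS query by hand, sends it once over UDP and once over TCP (the only wire-level difference being TCP's 2-byte length prefix), and reports per transport whether a reply arrived and which RCODE it carried. That distinction matters when troubleshooting: a timeout means the datagram never reached a listener (firewall, macvlan path, or nothing bound on 53/UDP), while an NXDOMAIN reply like the one the Windows client printed means the resolver was reachable and answered negatively. The server 192.168.1.53 and the name stackoverflow.com are taken from the question; `sample_response` is a constructed reply used only for offline testing.

```python
import socket
import struct
import sys

DNS_PORT = 53
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Minimal recursion-desired A/IN query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(resp, expected_txid):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def query_udp(server, name, timeout=2.0, txid=0x1234):
    q = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _peer = s.recvfrom(4096)
    return parse_response(data, txid)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the stream mid-message")
        buf += chunk
    return buf


def query_tcp(server, name, timeout=2.0, txid=0x1234):
    q = build_query(name, txid)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)   # TCP framing: 2-byte length prefix
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data, txid)


def compare_transports(server, name):
    """Map transport -> (status, detail). A timeout or connection error means no
    listener was reached; a reply with a non-zero RCODE means the resolver answered."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, ips = fn(server, name)
            results[transport] = (RCODE_NAMES.get(rcode, f"RCODE{rcode}"), ips)
        except (OSError, ValueError, struct.error, IndexError) as exc:
            results[transport] = ("no usable reply", str(exc))
    return results


def sample_response(txid=0x1234, rcode=0):
    """Constructed reply for offline testing (not captured traffic): NOERROR with one
    A record behind a compression pointer, or an empty reply with the given RCODE."""
    question = build_query("stackoverflow.com", txid)[12:]
    if rcode:
        return struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + question
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 2507, 4) + bytes([151, 101, 65, 69])
    return header + question + answer


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.53"
    name = sys.argv[2] if len(sys.argv) > 2 else "stackoverflow.com"
    for transport, (status, detail) in compare_transports(server, name).items():
        print(f"{transport}: {status} {detail}")
```

Run it once from a LAN machine and once from inside the container (`docker exec` into it and point it at 127.0.0.1) as the comment suggests: if UDP answers locally but times out from the LAN while TCP works both ways, the fault is on the path (host firewall or the macvlan interface), not in the resolver.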

2 Answers

0

Looks like the issue had something to do with my network setup.

After a reboot, the UDP communication started working.

Note (unrelated to the question, but might be of interest) that by default the communication between the container and the host is blocked.

Just some more details: I ended up using ipvlan instead, which worked better. To connect to the host (which ipvlan and macvlan block), I added a bridge and used a local IP (a hosts file entry on the local machine resolved this issue).

The original issue is not correctly described, and so I'll be deleting this answer later.

0

A reboot is not the solution.

I guess your problem was solved after the reboot because automatic start of the firewall service is not enabled, and now your firewall is not started.

In Ubuntu 20 you can manage the firewall with ufw, and you must add port 53 to the firewall:

sudo systemctl start ufw # start firewall service
sudo systemctl enable ufw # enable automatic start of the firewall service at boot
sudo ufw allow 53 # open tcp/udp dns port
sudo ufw reload # apply firewall rule
  • no firewall, never set it up. I agree reboot isn't the solution - but it probably indicated I had messed up the configuration while troubleshooting. –  Jul 11 '21 at 17:37