Networking – “reply from unexpected source” when DNS server is running as docker container in the docker host

dnsdockernetworking

In a machine with IP 192.168.100.6, I can run a docker container and perform dns without issues from within the container:

$ docker run --rm -it xenial-networking bash

root@255c2ffc38cb:/# dig registry.mynet

; <<>> DiG 9.10.3-P4-Ubuntu <<>> registry.mynet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.mynet.              IN      A

;; ANSWER SECTION:
registry.mynet.       0       IN      A       192.168.100.16

;; Query time: 0 msec
;; SERVER: 192.168.100.16#53(192.168.100.16)
;; WHEN: Thu May 17 07:54:28 UTC 2018
;; MSG SIZE  rcvd: 61

(as you can see, the registry.mynet is in the same host as the dns server, 192.168.100.16)

For reference, the resolver is configured as follows in the docker container:

root@255c2ffc38cb:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.100.16
nameserver 192.168.100.4
nameserver 192.168.100.3
nameserver 192.168.100.2
search openstacklocal

(which is a copy of the resolver config in the docker host), as per these rules

In the 192.168.100.16 machine, where the DNS server is actually running (as a docker service, see below for the compose config), the same does not work: although the resolver config is exactly the same: I get a "reply from unexpected source", and no name resolution:

root@e7de85671e86:/# dig registry.mynet
;; reply from unexpected source: 172.17.0.1#53, expected 192.168.100.16#53

; <<>> DiG 9.10.3-P4-Ubuntu <<>> registry.mynet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12820
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;registry.mynet.              IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018051700 1800 900 604800 86400

;; Query time: 97 msec
;; SERVER: 192.168.100.4#53(192.168.100.4)
;; WHEN: Thu May 17 07:58:25 UTC 2018
;; MSG SIZE  rcvd: 120

The resolver configuration for this container is the same:

root@e7de85671e86:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.100.16
nameserver 192.168.100.4
nameserver 192.168.100.3
nameserver 192.168.100.2
search openstacklocal

Why is the reply coming from 172.17.0.1.

Note

The compose configuration for the dns service is as follows:

  dnsmasq:
    image: andyshinn/dnsmasq:2.78
    volumes:
      - ./dnsmasq/conf/dnsmasq.conf:/etc/dnsmasq.conf
      - ./dnsmasq/conf/dnsmasq.d:/etc/dnsmasq.d
      - ./dnsmasq/conf/hosts:/etc/hosts
    network_mode: "host"
    cap_add:
      - NET_ADMIN
    restart: always
    command: --log-facility=- --log-queries=extra --all-servers --conf-file=/etc/dnsmasq.conf

Update

Changing the resolver in the docker host with problems (the 192.168.100.16 machine) to:

$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.17.0.1
nameserver 192.168.100.4
nameserver 192.168.100.3
nameserver 192.168.100.2
search openstacklocal

Gets rid of the problem. I still do no understand why 192.168.100.16 nameserver is not working properly in containers running in the 192.168.100.16 host (in the host itself it is working fine)

Best Answer

I had the same problem.

For everyone out there facing the same issue:

I'm working in Linux (specifically Ubuntu), I had dnsmasq setup in my host machine. Same setup works in mac, but in Linux, the container inside is not able to resolv to my local dnsmasq, even though I use the correct IP address to point to my machine (not localhost/127.0.0.1). Basically the same setup as above. It didn't work.

After I specifically use network: bridge in all my services,the same IP now connected. So, the problem is, default network in docker engine in Linux is not connected by default to host interfaces. We have to specifically use bridged network for this. Now, why does it work on Mac? I don't know. Probably because the host interfaces were bridged by default in Mac.

Related Solutions

Networking – DD-WRT: dnsmasq headaches with static hosts

I have quite a bit of experience with dnsmasq on dd-wrt and especially close to the date of this comment. I can share with you my working solution to each of the answers to each requirement. I will resist adding more.

Each option in your active /tmp/dnsmasq.conf posted above comes directly from the config options you have selected as described

Except

for your hostname= entry which you should not use imo. You want

Used Domain: [WAN/LAN] not Used Domain [WAN].

This will allow wired (LAN) and wireless (WAN) devices to work on your network.

Also pick a short Lan Domain: [dom ] or any short word besides local. Some use lan some use localdomain . This is required for your requirements and will provide an anchor faux internal only domain that only you and internal users will see/use. The value you choose will be put into each DHCP client's search dom resolver. I will use dom for the remainder but you can make it whatever you like.

I will start with the first two requirements.

DNS queries from the LAN/WLAN for hosts on the LAN/WLAN should be answered for both short names and FQDNs.
Since some of the devices are portable (like my phone), I need host.mydyndomain.net to resolve to a LAN IP when connected to the LAN and to the external IP when queried from outside the LAN.

For hosts having a different internal vs external ip but the same name on both sides of dd-wrt you need to have:

Add one line per resolvable host in your Static Leases just below your correctly empty Additional DHCP Options text area. Note the internal name web.dom or just web is for convenience when on the lan.

Note:

 [Static Leases++++++++++++++++++++++++++++++++++++++++++++++++++++++++]    
  [MAC Address]       [Host Name   ][IP Address    ][Client Lease Time]
  [00:19:B9:5B:2B:A5] [web         ][192.168.2.5   ][             1440]

Notes: I thought this was used only for udhcpcd but this is also used by dnsmasq and will write both the actual dnsmasq.conf with correct dhcp-host= lines and puts a `ip host.dom entry for each in /tmp/hosts used by DNSMasq to do all the local name resolution.

I have a script and text file to create these entries as the web interface is a bit cumbersome. Here's what the script does in a nutshell.

macToHostNames.txt:
# comment lines ignored unless embedded set:tag values like set:kids 
# note the ip is just the HOST portion of the subnet, eg: 192.168.1.32 -> 1.32
# host      id       mac address        cnames/aliases for same box
kidhost1    1.32     00:MA:CA:DD:E5     alias1 nabi2 # in-line comment set:kid 
web         1.5      00:AM:AC:AD:ES     www homeweb  # web server with aliases
EOF
generate_Files_Then_Send_Then_Activate_If_Tests_Are_Ok.sh < macToHostNames.txt
# this script file creates 3 files which are sent along with a test script:
dnsmasq_options.new # nvram set dnsmasq_options="$(cat dnsmasq_options.new)"
static_leases.new   # nvram set static_leases="$(cat static_leases.new)"
static_leasenum.new # nvram set static_leasenum="$(cat static_leasnum.new)"
testDnsMasqOpts.sh  # scp -p *.new test*.sh admin@gw:/tmp && ssh admin@gw "/tmp/test*.sh"

add address=/web.dynip.org/<ip> lines in your DNSMasq Options box address=/web.mydyndomain.net/192.168.2.5 # add as many of these as you need
finally you need to update your DDNS config to provide the DDNS service mapping your external ISP provided dynamic ip address to resolve as web.mydyndomain.net. I presume you have successfully configured this part.

With this configuration you can ping web or ping web.dom or ping web.mydyndomain.net will return 192.168.2.5 while inside the firewall and access from outside by the name web.mydyndomain.org still works.

The other requirements are met by your other config but you can safely add these lines as I have tested MANY times (to the point of writing a script to execute one dnsmasq line at a time and showing me the offending line since ALL dns logging is left out for space in my latest dnsmasq build and all you can rely on is the return status of the dnsmasq: $?).

For the last requrements I will show you lines of my config with comments (note you can put comments in the DNSMasq Additional Options box).

Queries for DHCP leased hosts are being correctly returned (dd-wrt's "Local DNS" option for dnsmasq).
Queries to any random non-existant host incorrectly return the external WAN IP address. So, "nslookup foobarbaz" gives a result when it should return an error.

  domain-needed    # dont fwd to ext DNS names with no domain
  address=/web.mydnsdomain.org/192.168.2.5 # resolve to this internally!
  expand-hosts     # add .dom to host names without a domain 
  local=/dom/      # map all host.dom request to *this* dns
  bogus-priv       # reject local lookups not in hosts
  localise-queries # for local servers

I will throw in some non-related freebies of questionable value (and for offsite backup).

 no-ping          # some swear by this one to get DNSMasq to work!
 filterwin2k      # junk from MSFT boxen (remove this if ldap SRV used)
 cache-size=3000  # fast local DNS lookups 
 clear-on-reload  # clear ifr.c changes and sig received

To Limit the number of DNS servers you can do with the dhcp-options=6 as follows:

dhcp-options=lan,6,8.8.8.8 # this will send only one nameserver entry for all hosts

Linux – would xbcd.com resolve to the localhost (127.0.0.1) on Linux (Ubuntu) and Android

The owner could have pointed it to 127.0.0.1 I get 0.0.0.0 when I check it.