Configure Docker container with static IP and DNS


I'm still trying to work through this and please excuse my ignorance as I am learning as I go. :)  I also did not want to hijack another thread.  @bonienl since you seem to be dialed into this stuff.

 

I want my SAB and Deluge containers to be tunneled through my VPN provider using firewall rules/aliases in pfsense.  Right now I use the Pipework container to handle the static IP assignment and use the Extra Parameters fields in the container to assign static DNS entries (--dns=xx.xx.xx.xx).  I am trying to move away from this and retire my Pipework container.

 

I have edited my Deluge container as shown below:

 

[Screenshot: Deluge container settings]

 

However, the DNS entries are not sticking...

 

root@UNRAID:~# docker exec -ti Deluge /bin/bash
root@663c25303022:/$ cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0

 

As a reference, this is what I see in the resolv.conf for my SAB container which is still using the Pipework container.

 

root@UNRAID:~# docker exec -ti SABnzbd /bin/bash
root@e8fe4bb265ba:/# cat /etc/resolv.conf
nameserver 209.222.18.218
nameserver 209.222.18.222

 

Do I need to create a new custom network instead of using br0?  Also, the piece that I don't know how to configure (and honestly don't even know if it will help) is the --dns-opt= parameter.  I haven't had much luck finding good documentation on what exactly the options are.

 

Other than the DNS snafu, the good news is that I am able to reach the Deluge webui.  The bad news is that Sonarr is not able to reach the Deluge container using the same IP/Port.

 

TIA for any help!

 

John
 

Edited by johnodon

This is from the docker documentation regarding DNS in custom networks, which operates differently from the standard 'bridge' network.

 

--dns=[IP_ADDRESS...]

The IP addresses passed via the --dns option is used by the embedded DNS server to forward the DNS query if embedded DNS server is unable to resolve a name resolution request from the containers. These --dns IP addresses are managed by the embedded DNS server and will not be updated in the container's /etc/resolv.conf file.

 

--dns-opt=OPTION...

Sets the options used by DNS resolvers. These options are managed by the embedded DNS server and will not be updated in the container's /etc/resolv.conf file.

See documentation for resolv.conf for a list of valid options

 

The embedded DNS server uses address 127.0.0.11

Edited by bonienl
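
Added example, not part of the original posts and not Docker's own code: a small check that works out which upstream servers a container's queries really go to when /etc/resolv.conf only shows 127.0.0.11, and flags any that are outside an approved set. The JSON mimics the HostConfig.Dns field of `docker inspect`; the host resolver 192.0.2.53 and all sample inputs are constructed, and the fallback to the host's resolvers when no --dns is set is modeled without Docker's filtering of loopback addresses.

```python
import ipaddress
import json

EMBEDDED_DNS = "127.0.0.11"  # Docker's embedded DNS server on custom networks

# Constructed sample inputs (resolver IPs taken from the thread, host IP made up).
DELUGE_RESOLV = "nameserver 127.0.0.11\noptions ndots:0\n"
HOST_RESOLV = "# host resolv.conf (constructed)\nnameserver 192.0.2.53\n"
INSPECT_WITH_DNS = '[{"HostConfig": {"Dns": ["209.222.18.218", "209.222.18.222"]}}]'
INSPECT_NO_DNS = '[{"HostConfig": {"Dns": null}}]'
VPN_RESOLVERS = ["209.222.18.218", "209.222.18.222"]


def resolv_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(str(ipaddress.ip_address(fields[1])))
    return servers


def effective_upstreams(container_resolv, inspect_json, host_resolv):
    """Work out which servers receive the container's external queries."""
    listed = resolv_nameservers(container_resolv)
    if EMBEDDED_DNS not in listed:
        return listed  # no embedded DNS: resolv.conf is what the container uses
    # Embedded DNS forwards to the --dns servers, recorded in HostConfig.Dns.
    configured = json.loads(inspect_json)[0]["HostConfig"].get("Dns") or []
    if configured:
        return [str(ipaddress.ip_address(s)) for s in configured]
    # No --dns given: queries are forwarded to the host's resolvers instead.
    return resolv_nameservers(host_resolv)


def leaking_upstreams(upstreams, allowed):
    """Upstreams that are not in the approved (VPN) resolver set."""
    approved = set(allowed)
    return [s for s in upstreams if s not in approved]


if __name__ == "__main__":
    for label, inspect in (("with --dns", INSPECT_WITH_DNS), ("no --dns", INSPECT_NO_DNS)):
        ups = effective_upstreams(DELUGE_RESOLV, inspect, HOST_RESOLV)
        print(label, "upstreams:", ups, "leaks:", leaking_upstreams(ups, VPN_RESOLVERS))
```

On a live host the JSON argument would come from `docker inspect <container>` and the host file from /etc/resolv.conf.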

  • Author

OK...so while using the --dns=xx.xx.xx.xx Extra Parameter does not modify the resolv.conf within the container, it does appear that the container is using the entries.

 

I am using this method to test for DNS leaks:  https://www.privateinternetaccess.com/forum/discussion/23924/easy-quick-dns-and-ipv6-leak-testing-via-command-prompt-line-method-no-browser-or-website-needed

 

If I do not set DNS entries in the Extra Parameters, my public IP is exposed when I perform an nslookup as described above.  (I replaced my public IP with xx.xx.xx.xx)

 

root@fff1d16a37d1:/$ nslookup whoami.fluffcomputing.com
nslookup: can't resolve '(null)': Name does not resolve

Name:      whoami.fluffcomputing.com
Address 1: xx.xx.xx.xx xx-xx-xx-xx.rest.of.fqdn

 

If I include my VPN's DNS entries in Extra Parameters, my VPN IP is returned (replaced with yy.yy.yy.yy):

 

root@154df63b5b93:/$ nslookup whoami.fluffcomputing.com
nslookup: can't resolve '(null)': Name does not resolve

Name:      whoami.fluffcomputing.com
Address 1: yy.yy.yy.yy ip-yy-yy-yy-yy.rest.of.fqdn

 

  • Author

UPDATE:

 

While this seems to work from a DNS leak perspective, it is also having a negative impact on speeds (namely NNTP).  I am seeing speeds being throttled at around 1.3MB/s even though I have my pipe fully open (100Mbit).  From what I read online, one of the factors that could impact NNTP speeds is name resolution failure.

 

If I set DNS entries to my VPN provider's servers via Extra Parameters, speed is throttled.

If I remove those entries I get full speed.

 

In both instances the traffic is tunneling through the OVPN client on my pfsense box via an alias and firewall rules.

 

Back to that drawing board.

 

Have you considered handling DNS in pfSense instead of in the containers?

  • Author
12 hours ago, unevent said:

Have you considered handling DNS in pfSense instead of in the containers?

 

My understanding is that the local host will override it but I have not tried.  I guess it is worth a shot.

  • Author

Wait...maybe I misunderstood...

 

Are you saying to use PIA's DNS servers as the default and only servers in pfsense?  Or, assign PIA's DNS servers as part of a static mapping for individual IPs?

 

If the latter...no worky.  The container still shows only 127.0.0.1 for the DNS and a leak is present when I nslookup.

I find it easiest to not specify DNS servers (neither ISP, VPN nor public) and use the resolver in pfSense to handle DNS vs. forwarding.  The resolver sends requests to the root servers and down to authoritative servers directly vs. using ISP, VPN or any other specific DNS servers, and supports DNSSEC.  If you think your ISP sniffs port 53 DNS traffic you can also pipe it through the VPN so the ISP never sees the port 53 traffic.

31 minutes ago, johnodon said:

Wait...maybe I misunderstood...

 

Are you saying to use PIA's DNS servers as the default and only servers in pfsense?  Or, assign PIA's DNS servers as part of a static mapping for individual IPs?

 

If the latter...no worky.  The container still shows only 127.0.0.1 for the DNS and a leak is present when I nslookup.

 

If you specify DNS servers you are in forwarding mode where all DNS servers you specify plus the resolver are used together and the quickest response wins.  Because it includes the resolver and your specified DNS you will get the leak. If you disable forwarding and just use the resolver and pipe the resolver through the VPN you have no leak and don't have to juggle with specifying DNS servers for open vs VPN Internet.  Your existing policy routing using aliases to direct IPs over open Internet and VPN will work the same.  Going directly to the roots with DNSSEC for DNS and not using DNS caching servers (ISP, VPN, Google, etc.) to me beats juggling DNS servers for open Internet vs VPN traffic.  Just have it all the same and piped through the VPN and is probably more secure (in my opinion) than using the VPN caching DNS servers.

Edited by unevent

Archived

This topic is now archived and is closed to further replies.
