No DNS for Docker VLAN [Solved]


Recommended Posts

I set up a VLAN (30) to be used for my UniFi docker container.  The UniFi (by linuxserver.io) docker appears to be running, with the exception that the docker app is not able to resolve hosts using an FQDN.

 

For example, inside the UniFi app, you can configure it to send an SMTP alert (like with unRAID).  However, if I use the FQDN for the SMTP server (e.g. smtp.mail.yahoo.com), I get an unknown SMTP host error.  If I use the IP address of the SMTP server (98.138.105.21), then the test SMTP alert email gets sent with no problem.

 

Looking at the Network settings, I see a DNS for the main eth0 interface, but none for the VLAN portion.  I have set up my VLAN to be a separate network, and a PC hooked into the VLAN works fine.  However, it appears the docker container is not using my local DNS or any DNS?

 

Update:

I did not know whether this belongs in the Docker Engine or the General Support thread.  Since I think it is a general unRAID network setting issue, I chose the General Support thread.

Edited by mifronte
Mark solved.
Link to comment

Containers use the host's DNS settings by default, so there is normally no need to configure DNS servers.

If the container can't reach the configured DNS servers, it normally defaults to Google's public DNS.

 

You could test DNS from inside the docker:

root@UnNASty:~# docker exec -it unifi /bin/bash

root@5dde08f1d295:/usr/lib/unifi# /bin/s6-dnsip4 google.com
172.217.20.110
 

You could try adding --dns to your run config: https://docs.docker.com/engine/userguide/networking/default_network/configure-dns/

I think you're best off in the ls.io UniFi topic for further help with this issue.

 

 

 

Link to comment

Adding the --dns to my run config solved the problem.  Without the --dns option, I get unknown host errors.  So I still believe that either unRAID is not setting the DNS for VLANs, or it is setting the DNS of the primary interface.  For VLANs that are not on the same network, the primary DNS is not reachable since it is in a different subnet.

Edited by mifronte
Link to comment

@mifronte Glad it fixed your issues. I myself run separate VLANs as well for my LR APs that I manage with UniFi and do not have issues with DNS.
But that VLAN has access to the internet, and my DNS and IP configuration is supplied by a router and not by Docker or unRAID.

 

Did you set an IP configuration on your unRAID VLAN interface? Or did you only supply a configuration in Docker? Or both?

Maybe if you don't set an IP configuration on your unRAID interface, it won't set a DNS configuration either?

I don't feel like messing up my configuration to test this; maybe someone else knows?

 

 

Link to comment
2 hours ago, SiNtEnEl said:

@mifronte Glad it fixed your issues. I myself run separate VLANs as well for my LR APs that I manage with UniFi and do not have issues with DNS.
But that VLAN has access to the internet, and my DNS and IP configuration is supplied by a router and not by Docker or unRAID.

 

Did you set an IP configuration on your unRAID VLAN interface? Or did you only supply a configuration in Docker? Or both?

Maybe if you don't set an IP configuration on your unRAID interface, it won't set a DNS configuration either?

I don't feel like messing up my configuration to test this; maybe someone else knows?

 

 

 

This issue is not with the APs being in VLANs, but with running the UniFi Docker container on unRAID in its own VLAN interface.  It appears that I get no DNS configuration for the docker container that uses the unRAID VLAN interface.  If I run the UniFi docker in Host mode, then it gets the DNS from the primary unRAID host.

 

The DNS is handed out by my DHCP server, and so when unRAID gets an IP from the DHCP server for the VLAN interface, it would also get the DNS configuration.  However, there is no DNS field in the Network Settings for a VLAN like there is for Default Gateway.  This leads me to suspect that unRAID is not passing on the correct DNS to the Docker Engine?

Edited by mifronte
Link to comment
42 minutes ago, mifronte said:

 

This issue is not with the APs being in VLANs, but with running the UniFi Docker container on unRAID in its own VLAN interface.  It appears that I get no DNS configuration for the docker container that uses the unRAID VLAN interface.  If I run the UniFi docker in Host mode, then it gets the DNS from the primary unRAID host.

My docker runs in the same (separate, different from the host, macvlan) VLAN as the APs, else I wouldn't be able to access them. :)

Maybe @bonienl can confirm whether --dns options have to be set if VLANs (macvlan) are used? But that kind of contradicts the documentation.
Since it only removes the localhost DNS entries when it checks /etc/resolv.conf, and if it's empty it defaults to Google DNS.
 

 

 


 

Edited by SiNtEnEl
Link to comment

@SiNtEnEl If I understand you correctly, your UniFi docker container is configured with something like br0.VLANID as its network mode, and you configured a VLAN interface on your unRAID server in Network settings.  Did you assign a separate static IP or configure Docker DHCP for your container?

 

I am trying to see if I configured something incorrectly where my Docker container has no DNS or is using the primary DNS of the main unRAID interface, which is not reachable from the VLAN (i.e. using 192.168.1.1, which the main unRAID interface is using, while the VLAN is configured for 192.168.30.0/24).

 

BTW, your APs and UniFi Controller do not need to be in the same network.  You just need to ssh into the AP and perform a set-inform to point it to the controller, as long as there is a valid network route.  I have APs coming in from the Internet to my UniFi controller.

Edited by mifronte
Link to comment
16 minutes ago, mifronte said:

@SiNtEnEl If I understand you correctly, your UniFi docker container is configured with something like br0.VLANID as its network mode, and you configured a VLAN interface on your unRAID server in Network settings.  Did you assign a separate static IP or configure Docker DHCP for your container?

 

I am trying to see if I configured something incorrectly where my Docker container has no DNS or is using the primary DNS of the main unRAID interface, which is not reachable from the VLAN (i.e. using 192.168.1.1, which the main unRAID interface is using, while the VLAN is configured for 192.168.30.0/24).

 

BTW, your APs and UniFi Controller do not need to be in the same network.  You just need to ssh into the AP and perform a set-inform to point it to the controller, as long as there is a valid network route.  I have APs coming in from the Internet to my UniFi controller.

DHCP leased, yes, with the macvlan driver (br0.300). I don't want my APs to access my internal network unless it's allowed through my firewall on my EdgeMax. That's why I put the UniFi in the same VLAN. Need to sleep now.

Link to comment

I would like to view the network configuration within the docker container.  I logged into the container with 

docker exec -it unifi /bin/bash

and tried 

ifconfig

but it says command not found.  What are the commands that I would use to see the network settings from within the docker container?  I am just curious what the default DNS is without the --dns option.

Link to comment
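A way to answer the question above without ifconfig or ip in the image: every Linux container can `cat /etc/resolv.conf` and `cat /proc/net/route`, and from the unRAID host `docker inspect -f '{{json .HostConfig.Dns}}' unifi` shows whatever was passed with --dns. The route file prints addresses as little-endian hex, so the decoder below (an added example, not code from the thread, from linuxserver.io or from Docker) turns it into readable routes and reports whether a given nameserver would be reached on-link or through the VLAN gateway. The sample route table is constructed to match the thread's VLAN 30 layout with an assumed gateway of 192.168.30.1; run `docker exec unifi cat /proc/net/route` and feed the real output to `parse_proc_net_route` instead.

```python
"""Decode /proc/net/route from inside a container and find the path to a nameserver.

Added example (not from the thread, linuxserver.io or Docker). /proc/net/route
is readable in any Linux container even when ifconfig and ip are absent; it
prints IPv4 addresses as 8 hex digits in host (little-endian) byte order.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

RTF_UP = 0x0001       # route is usable
RTF_GATEWAY = 0x0002  # destination is reached via a gateway, not on-link

# Constructed sample: a container on 192.168.30.0/24 with an assumed gateway 192.168.30.1.
SAMPLE_ROUTE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t011EA8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t001EA8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""


def le_hex_to_ip(field: str) -> str:
    """'011EA8C0' -> '192.168.30.1' (bytes are stored little-endian)."""
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))


def parse_proc_net_route(text: str) -> list[dict]:
    """Parse the kernel's route table dump into a list of usable routes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    routes = []
    for line in lines[1:]:
        f = dict(zip(header, line.split()))
        flags = int(f["Flags"], 16)
        if not flags & RTF_UP:
            continue
        dest = le_hex_to_ip(f["Destination"])
        mask = le_hex_to_ip(f["Mask"])
        routes.append({
            "iface": f["Iface"],
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": le_hex_to_ip(f["Gateway"]) if flags & RTF_GATEWAY else None,
            "metric": int(f["Metric"]),
        })
    return routes


def route_for(routes: list[dict], dst: str) -> dict | None:
    """Longest-prefix match (lowest metric on ties), as the kernel would choose."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def describe_path(routes: list[dict], dst: str) -> str:
    """Say how a packet to dst (for example a nameserver) leaves the container."""
    r = route_for(routes, dst)
    if r is None:
        return f"{dst}: no route"
    if r["gateway"] is None:
        return f"{dst}: on-link via {r['iface']}"
    return f"{dst}: via gateway {r['gateway']} on {r['iface']}"


if __name__ == "__main__":
    table = parse_proc_net_route(SAMPLE_ROUTE)
    # The host's resolver (192.168.1.1 in the thread) versus the VLAN's own router.
    for server in ("192.168.1.1", "192.168.30.1"):
        print(describe_path(table, server))
```

A nameserver that comes back as "via gateway" only works if the VLAN's router actually routes and permits UDP/TCP 53 from the VLAN to that address; one that is "on-link" needs no help from the router.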

@ken-ji Only the cat command worked, but the resolv.conf file inside the docker container is the same regardless of whether I supply the --dns option or not.

 

I suspect that when spinning up a container, Docker will by default check for a DNS server defined in /etc/resolv.conf in the host OS, and if it doesn't find one, or finds only 127.0.0.1, will opt to use Google's public DNS server 8.8.8.8.  So the host OS is unRAID, and the DNS server defined in unRAID's /etc/resolv.conf is the DNS server for unRAID's primary interface.  I even logged into unRAID on the VLAN interface, and /etc/resolv.conf shows the DNS of the primary interface and not of the VLAN.  So this may mean the Docker container on the VLAN interface is using an unreachable DNS server defined in the unRAID host.

 

Somehow unRAID must pass the VLAN's DNS server to Docker if the container is using the VLAN interface.

Edited by mifronte
Link to comment

It's a bit odd, as my containers have this:

root@MediaStore:~# docker exec Transmission cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
root@MediaStore:~# docker exec NGINX cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0
root@MediaStore:~# cat /etc/resolv.conf 
# Generated entries:
nameserver 192.168.2.1

AFAIK, docker actually generates an internal DNS server for containers to use, while the host OS does the actual lookups. These dockers are using a custom docker macvlan network.

Link to comment

That is exactly the content of my docker container's /etc/resolv.conf too.

 

Is there a command to see the IP of the DNS that the container is using?  Surely the IP I passed in with the --dns option must be stored somewhere inside the container.  I want to verify that by default, Docker is picking up the DNS in unRAID's /etc/resolv.conf and not the appropriate DNS for the subnet of the VLAN.

Edited by mifronte
Link to comment

OK, I ran this command

docker run busybox nslookup smtp.mail.yahoo.com

and it confirms that my container running on a VLAN interface is configured with unRAID's DNS server.  This is fine if the container is running in Host mode, but if the container is running in a VLAN bridge mode (which is a different network from unRAID's primary interface), then the DNS server is unreachable.  By supplying the --dns option, the built-in Docker DNS will use the supplied DNS when the built-in DNS is unable to resolve an FQDN.  This means Docker always tries the default DNS and then falls back to the DNS supplied with the --dns option.

 

Supposedly I can set the list of DNS for the Docker daemon to use in /etc/docker/daemon.json.  I will have to try and test this.

 

Update:

I tried adding a daemon.json file with the appropriate dns list, but the Docker service would not start.  Removing the file allowed the Docker service to start again.  Also running the command

docker run busybox nslookup smtp.mail.yahoo.com

creates a questionable docker container that looks like spam or something.

Edited by mifronte
Link to comment
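The daemon.json route the post above tried is the right place to set a daemon-wide default, but dockerd refuses to start when /etc/docker/daemon.json is not valid JSON, contains a key it does not recognise, or repeats an option that is also given on the dockerd command line, and a loopback address in `dns` is passed into the container unchanged (Docker only logs a warning), where it points at the container itself rather than the host. The checker below is an added example, not unRAID's or Docker's own tooling; the file path and the 192.168.30.1 resolver are assumptions, and how unRAID launches dockerd (and whether it already passes `--dns` on the command line) is not something this thread establishes.

```python
"""Build and sanity-check a daemon.json 'dns' entry before restarting dockerd.

Added example, not unRAID's or Docker's own tooling. The checks mirror the
reasons dockerd rejects the file or the value: invalid JSON, 'dns' not a list,
entries that are not bare IP addresses, and loopback entries that would point
the container at itself. Paths and addresses are assumptions.
"""
from __future__ import annotations

import ipaddress
import json

DAEMON_JSON_PATH = "/etc/docker/daemon.json"  # assumed; not verified for unRAID


def check_daemon_json(text: str) -> list[str]:
    """Return a list of problems with the 'dns' setting; empty means it looks sane."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # dockerd will not start at all on a syntax error (e.g. a trailing comma).
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    dns = cfg.get("dns")
    if dns is None:
        return ["no 'dns' key"]
    if not isinstance(dns, list) or not dns:
        return ["'dns' must be a non-empty list of addresses"]
    problems = []
    for entry in dns:
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # --dns takes bare IPs: no ports, no hostnames.
            problems.append(f"{entry!r}: not a bare IP address (no ports or hostnames)")
            continue
        if ip.is_loopback:
            problems.append(f"{entry}: loopback is the container itself, not the host")
    return problems


def render_daemon_json(existing: str, dns_servers: list[str]) -> str:
    """Merge a 'dns' list into an existing daemon.json (pass '' if there is none)."""
    cfg = json.loads(existing) if existing.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("existing daemon.json is not a JSON object")
    cfg["dns"] = list(dns_servers)
    text = json.dumps(cfg, indent=2) + "\n"
    problems = check_daemon_json(text)
    if problems:
        raise ValueError("; ".join(problems))
    return text


def dns_entries(text: str) -> list[str]:
    """Read back the 'dns' list from a daemon.json body."""
    return list(json.loads(text).get("dns", []))


if __name__ == "__main__":
    # Assumed VLAN 30 resolver; an existing file with unrelated settings is preserved.
    print(render_daemon_json('{"log-driver": "json-file"}', ["192.168.30.1"]), end="")
```

Usage: write the returned text to the daemon config path, and on Docker 23.0 or newer confirm with `dockerd --validate --config-file /etc/docker/daemon.json` before restarting the service; on older versions, the service's own log is the only place the parse error appears.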
MediaStore:~# docker run --rm --network containers busybox nslookup www.google.com
Server:    127.0.0.11
Address 1: 127.0.0.11

Name:      www.google.com
Address 1: 2404:6800:4005:809::2004 hkg07s24-in-x04.1e100.net
Address 2: 172.217.161.164 hkg07s29-in-f4.1e100.net

root@MediaStore:~# docker run --rm --network br1 busybox nslookup www.google.com
Server:    127.0.0.11
Address 1: 127.0.0.11

Name:      www.google.com
Address 1: 2404:6800:4005:80e::2004 hkg12s17-in-x04.1e100.net
Address 2: 216.58.220.196 del01s08-in-f196.1e100.net

root@MediaStore:~# docker run --rm busybox nslookup www.google.com
Server:    192.168.2.1
Address 1: 192.168.2.1 router.way-of-the-blade.com

Name:      www.google.com
Address 1: 2404:6800:4005:809::2004 hkg07s24-in-x04.1e100.net
Address 2: 172.217.161.164 hkg07s29-in-f4.1e100.net

root@MediaStore:~# docker run --rm --network host busybox nslookup www.google.com
Server:    192.168.2.1
Address 1: 192.168.2.1 router.way-of-the-blade.com

Name:      www.google.com
Address 1: 2404:6800:4005:809::2004 hkg07s24-in-x04.1e100.net
Address 2: 172.217.161.164 hkg07s29-in-f4.1e100.net

Hmm, this is what I get, so it's not clear to me what you mean by not being able to use DNS.

 

Also, using docker run without the --rm option will spawn containers that you'll need to clean up manually.

Link to comment

https://docs.docker.com/engine/userguide/networking/configure-dns/

 

In the absence of the --dns=IP_ADDRESS..., --dns-search=DOMAIN..., or --dns-opt=OPTION... options, Docker uses the /etc/resolv.conf of the host machine (where the docker daemon runs). While doing so the daemon filters out all localhost IP address nameserver entries from the host’s original file.

 

The information in this section covers the embedded DNS server operation for containers in user-defined networks. DNS lookup for containers connected to user-defined networks works differently compared to the containers connected to default bridge network.

 

if there are no more nameserver entries left in the container’s /etc/resolv.conf file, the daemon adds public Google DNS nameservers (8.8.8.8 and 8.8.4.4) to the container’s DNS configuration. If IPv6 is enabled on the daemon, the public IPv6 Google DNS nameservers are also added (2001:4860:4860::8888 and 2001:4860:4860::8844).

 

The embedded DNS server provides service discovery (i.e. it allows you to resolve hostnames of other containers on the same network), and acts as a forwarder for external DNS servers you configured. So if there is nothing left, it's forwarded to Google, but that should be reachable from your VLAN, I presume. My host config has an internal and an external backup address in it that are reachable from my VLAN.

 

Wonder if this could be the case, in your setup @mifronte

Link to comment

@SiNtEnEl That is exactly my problem!  Docker is not setting the Google DNS because it does find a DNS in the host's /etc/resolv.conf.  Unfortunately, the DNS that Docker finds is in the wrong network!  Besides, I would not want Docker to set Google to be my DNS and bypass my domain name blocking (DNSBL on my pfSense).

 

It looks like both you and @ken-ji may not have used the unRAID GUI to setup your VLAN network for Docker.

Edited by mifronte
Link to comment

I setup my VLAN network in 6.3 (before anybody knew about the custom docker networks) :D

In any case, quick testing on my network indicates that, unfortunately, DNS queries will be issued using the IP address of the docker container.

So if your container is on a restricted VLAN, it won't be able to make the DNS queries.

Link to comment
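The documentation quoted two posts up and ken-ji's observation just above together explain the whole failure: the upstream list is derived from the host's /etc/resolv.conf (loopback entries dropped, Google added only if nothing remains, `--dns` overriding all of that), a container on a user-defined network such as unRAID's br0.30 macvlan sees only the embedded resolver 127.0.0.11 in its own resolv.conf, and on macvlan the embedded resolver's forwarded query leaves from the container's VLAN address, so an upstream on the host's 192.168.1.0/24 is off-subnet and unreachable unless the VLAN router allows it. The model below is an added example that encodes those rules (it is not Docker's code, and the `--dns`-with-host-networking combination is outside what it covers); the network name, the 192.168.1.1 and 192.168.30.1 resolvers and the 192.168.30.0/24 subnet come from this thread, the container address 192.168.30.50 is assumed.

```python
"""Model how dockerd derives a container's DNS setup from the host's resolv.conf.

Added example (not Docker's, unRAID's or linuxserver.io's code). Rules encoded:
  * --dns overrides everything else;
  * otherwise the host's /etc/resolv.conf is used with loopback nameservers
    filtered out, and Google's resolvers are added only if nothing is left;
  * on a user-defined network (user bridge or macvlan) the container's own
    resolv.conf holds just the embedded resolver 127.0.0.11, which forwards
    to the upstreams; on macvlan that forwarded query carries the container's
    own VLAN address as source.
Addresses and the br0.30 network name follow the thread; 192.168.30.50 is assumed.
"""
from __future__ import annotations

import ipaddress

GOOGLE_V4 = ["8.8.8.8", "8.8.4.4"]
GOOGLE_V6 = ["2001:4860:4860::8888", "2001:4860:4860::8844"]
EMBEDDED = "127.0.0.11"

# Constructed copy of what the thread reports as the unRAID host's resolv.conf.
UNRAID_RESOLV_CONF = "# Generated entries:\nnameserver 192.168.1.1\n"


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver entries of a resolv.conf body, in file order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def filter_loopback(servers: list[str]) -> list[str]:
    """Drop 127.x / ::1 entries, which would point a container at itself."""
    return [s for s in servers if not ipaddress.ip_address(s).is_loopback]


def upstream_resolvers(host_resolv_conf: str, dns_flag=None, ipv6=False) -> list[str]:
    """The resolvers dockerd will hand to (or forward for) a non-host-mode container."""
    if dns_flag:
        return list(dns_flag)
    servers = filter_loopback(parse_nameservers(host_resolv_conf))
    if not servers:
        servers = GOOGLE_V4 + (GOOGLE_V6 if ipv6 else [])
    return servers


def container_dns(network: str, host_resolv_conf: str, dns_flag=None, ipv6=False) -> dict:
    """What a container on `network` sees in resolv.conf, and where its queries originate.

    network: "host", "bridge" (Docker's default bridge) or the name of a
    user-defined network such as unRAID's br0.30 macvlan.
    """
    if network == "host":
        # Host networking shares the host's stack, so the host's file applies as-is
        # (--dns together with host networking is not modelled here).
        hosts = parse_nameservers(host_resolv_conf)
        return {"resolv_conf": hosts, "upstreams": hosts, "query_source": "host IP"}
    upstreams = upstream_resolvers(host_resolv_conf, dns_flag, ipv6)
    if network == "bridge":
        # Default bridge: no embedded resolver, upstreams are written into
        # resolv.conf directly and queries leave NATed from the host.
        return {"resolv_conf": upstreams, "upstreams": upstreams, "query_source": "host IP (NAT)"}
    # User-defined network: only 127.0.0.11 in resolv.conf; the embedded resolver
    # forwards to the upstreams and, on macvlan, sends from the container's own IP.
    return {"resolv_conf": [EMBEDDED], "upstreams": upstreams, "query_source": "container IP"}


def off_subnet(container_cidr: str, servers: list[str]) -> list[str]:
    """Upstreams not on the container's own subnet; these need the VLAN router's help."""
    net = ipaddress.ip_interface(container_cidr).network
    result = []
    for s in servers:
        ip = ipaddress.ip_address(s)
        if ip.version != net.version or ip not in net:
            result.append(s)
    return result


if __name__ == "__main__":
    for flag in (None, ["192.168.30.1"]):
        r = container_dns("br0.30", UNRAID_RESOLV_CONF, dns_flag=flag)
        print(f"--dns={flag}: resolv.conf={r['resolv_conf']} upstreams={r['upstreams']} "
              f"source={r['query_source']} off-subnet={off_subnet('192.168.30.50/24', r['upstreams'])}")
```

Without `--dns` the only upstream is 192.168.1.1, queried from 192.168.30.50, which is exactly the unreachable-resolver case the thread describes; with `--dns 192.168.30.1` the upstream is on-link and no routing or firewall exception is needed.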

I decided to create rules on my router to intercept all DNS queries and redirect to my router's DNS resolver.  This solves the problem that Docker is not using the correct DNS for its interface since the query will be intercepted and redirected.

 

Another side benefit is that the Google devices with hardcoded Google DNS are now being intercepted too and forced to go through my DNS resolver.

Edited by mifronte
Grammar
  • Like 1
Link to comment
  • 6 months later...
  • 3 years later...
On 8/29/2018 at 2:11 PM, surfshack66 said:

@mifronte can you specify the rules you created to intercept DNS queries and redirect them to your router's DNS resolver? I believe this is still an issue: not being able to define DNS servers when creating VLAN interfaces in unRAID.

Really old, I know, but today you can specify a DNS server per DHCP interface in pfSense. I did this and block all other outgoing requests via UDP to port 53; I have one floating rule to allow UDP port 53 requests to my AdGuard DNS server.

Link to comment
