I have a bind9 DNS container running on 10.64.128.53, which is on the Docker network "servers" on the subnet 10.64.128.0/24. This works fine, and if I run:
nslookup google.com 10.64.128.53
I get the output:
Server:         10.64.128.53
Address:        10.64.128.53#53
Non-authoritative answer:
Name:   google.com
Address: 216.58.193.142
When I run the same command in a Docker container: docker run --rm -it --network servers --dns 10.64.128.53 alpine nslookup google.com 10.64.128.53
I get the output:
Server:         10.64.128.53
Address:        10.64.128.53:53
Non-authoritative answer:
Name:   google.com
Address: 216.58.193.142
This is expected.
Now if I run: docker run --rm -it --network servers --dns 10.64.128.53 alpine nslookup google.com
I get the output:
nslookup: write to '127.0.0.11': Connection refused
;; connection timed out; no servers could be reached
This doesn't make much sense to me, because I specified my Docker DNS server, but I'm assuming that Docker runs it through an internal proxy on 127.0.0.11. This would be great if I were using it, but I don't need it. The best solution I can think of is overwriting /etc/resolv.conf with my DNS server, but this seems like an awful solution. I saw this https://github.com/moby/moby/issues/19474#issuecomment-173093011 but can't get it working in nftables. I guess this is the only way, because it seems the Docker DNS server requires connections from 127.0.0.11:53.
The host is Gentoo Linux; I know the networking works when iptables is installed. I see these errors in Docker's logs whenever I start a VM:
time="2022-01-25T03:08:56Z" level=warning msg="Failed to find iptables: exec: \"iptables\": executable file not found in $PATH"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p udp --dport 53 -j DNAT --to-destination 127.0.0.11:50360]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_POSTROUTING -s 127.0.0.11 -p udp --sport 50360 -j SNAT --to-source :53]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.11:46531]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_POSTROUTING -s 127.0.0.11 -p tcp --sport 46531 -j SNAT --to-source :53]"
I also see this error every time I try to run the nslookup commands in the Docker containers, but I'm not sure how related it is:
time="2022-01-25T03:20:08.094540639Z" level=error msg="Handler for POST /v1.41/exec/d52b964c2e34acb78b67e5d2f02a8143e1efb3c45da0936fe128ed14fb6296ce/resize returned error: cannot resize a stopped container: unknown"
Just using iptables isn't really a solution here; I want it to be purely nftables, and that doesn't seem unreasonable.
If I have iptables running, Docker DNS seems to work, but there are no rules added to iptables. I don't understand this: why does it require iptables but make no rules?
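As an added example (not part of the original post and not Docker's own code), the script below writes the nftables equivalent of the four iptables rules the daemon log shows failing. Docker installs those rules inside each container's network namespace, not on the host, which is why nothing shows up in the host's iptables tables when things work: the embedded resolver listens on 127.0.0.11 on a random high port, and the DNAT/SNAT pair makes it reachable on port 53. The port numbers 50360 and 46531 are the ones from the log quoted above; they change per container and per start, so the script takes them as parameters and includes a helper that pulls them out of daemon log lines. The sample log text is constructed from the lines quoted above, and the choice to hook the DOCKER_OUTPUT and DOCKER_POSTROUTING chains directly at dstnat/srcnat priority (rather than jumping to them from OUTPUT and POSTROUTING as Docker does) is mine.

```shell
#!/bin/sh
# Added example (not from the original post or from Docker): generate an nft
# ruleset that does what the DNAT/SNAT rules in the daemon log would have done.
# Docker applies those rules inside the container's network namespace so that
# queries to 127.0.0.11:53 reach its embedded resolver, which really listens on
# a random high port. 50360/46531 are the ports from the log; they differ per
# container and per start, so the ruleset is built from parameters.

# Constructed sample: the two DNAT failure lines quoted from the daemon log.
SAMPLE_LOG='time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p udp --dport 53 -j DNAT --to-destination 127.0.0.11:50360]"
time="2022-01-25T03:08:56Z" level=error msg="set up rule failed, [-t nat -I DOCKER_OUTPUT -d 127.0.0.11 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.11:46531]"'

# dnat_port_from_log PROTO: read daemon log lines on stdin and print the port
# Docker tried to redirect 127.0.0.11:53/PROTO to (PROTO is udp or tcp).
dnat_port_from_log() {
    sed -n "s/.*-p $1 --dport 53 -j DNAT --to-destination 127\.0\.0\.11:\([0-9][0-9]*\).*/\1/p"
}

# embedded_dns_nft_rules UDP_PORT TCP_PORT: print an nft ruleset equivalent to
# the failed rules. Chain names mirror Docker's iptables chains; hooking them
# directly with dstnat (-100) / srcnat (100) priorities is an assumption of
# this example, Docker instead jumps to them from OUTPUT and POSTROUTING.
embedded_dns_nft_rules() {
    udp_port=$1
    tcp_port=$2
    cat <<EOF
table ip nat {
    chain DOCKER_OUTPUT {
        type nat hook output priority -100; policy accept;
        # queries the container sends to 127.0.0.11:53 go to the real listener
        ip daddr 127.0.0.11 udp dport 53 dnat to 127.0.0.11:${udp_port}
        ip daddr 127.0.0.11 tcp dport 53 dnat to 127.0.0.11:${tcp_port}
    }
    chain DOCKER_POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
        # replies are rewritten so they appear to come from port 53
        ip saddr 127.0.0.11 udp sport ${udp_port} snat to :53
        ip saddr 127.0.0.11 tcp sport ${tcp_port} snat to :53
    }
}
EOF
}

# Stand-alone run: pull the ports out of the sample log and print the ruleset.
udp=$(printf '%s\n' "$SAMPLE_LOG" | dnat_port_from_log udp)
tcp=$(printf '%s\n' "$SAMPLE_LOG" | dnat_port_from_log tcp)
embedded_dns_nft_rules "$udp" "$tcp"
```

Because the rules belong in the container's own network namespace, the generated ruleset has to be loaded there rather than on the host, for example with `nsenter -t "$(docker inspect -f '{{.State.Pid}}' CONTAINER)" -n nft -f rules.nft` (CONTAINER is a placeholder). The same namespace trick explains the last question in the post: with an iptables binary present, `nsenter -t PID -n iptables -t nat -S` inside a running container shows the DOCKER_OUTPUT and DOCKER_POSTROUTING rules that the host's tables never contain.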