How does the Docker DNS work?

Today I ran into an issue related to DNS inside my Docker container, and asked myself a very "obvious" question: how does Docker DNS work? The first Google result is:

Docker is coded in a smart way. When you run a new container on the docker host without any DNS related option in the command, it simply copies the host's /etc/resolv.conf into the container.

The explanation is very clear. It sounds like I understand how Docker DNS works. If you are unsure what /etc/resolv.conf is for, the documentation is here.

I try to verify this by creating a Docker container and then checking whether its /etc/resolv.conf matches the host's. Here are the commands:

# run sample nginx image
docker run --name nginx -d nginx
# get the resolv.conf content
docker exec -it nginx cat /etc/resolv.conf

The container's nameserver is a private IP and, furthermore, it doesn't match the macOS /etc/resolv.conf file:

nameserver (I am using Google DNS)

That is not what I expected. Luckily, I found this issue on GitHub:

Docker for Mac does some "magic" (using vpnkit) to transparently route the network traffic from the containers (running inside a Linux VM, as well as the docker daemon) to your macOS networking stack. VPNKit is automatically updated when you update /etc/resolv.conf but it doesn't update the VM (and containers) network configuration.

So perhaps the "copy the host's /etc/resolv.conf" theory holds on Linux machines? I try an experiment by creating a Linux instance on Digital Ocean. Then I run the following commands:

docker run  --name nginx -d nginx
docker exec -it nginx cat /etc/resolv.conf

After that, I compare the output with the Digital Ocean instance's own /etc/resolv.conf file:

cat /etc/resolv.conf

Strange :( It is still not equal. The host's file lists a private IP, while the container's file lists public IPs. Who owns those public IPs?


Understood. These are Digital Ocean's DNS servers, so my container uses those IPs to resolve domain names. In that case, what is the private IP in the host's file? Looking at the comment in the host's /etc/resolv.conf:

# This is a dynamic resolv.conf file for connecting local clients to the internal DNS stub resolver of systemd-resolved. This file lists all configured search domains.
# Run "systemd-resolve --status" to see details about the uplink DNS server currently in use.

So I try as the comment says:

systemd-resolve --status

Problem solved. The host's /etc/resolv.conf points at the stub resolver of systemd-resolved, which listens on a loopback address (127.0.0.53 by default). A loopback address on the host is unreachable from inside the container's network namespace, so Docker does not copy it; instead it takes the uplink nameservers that systemd-resolved is actually using (the ones shown by systemd-resolve --status, also written to /run/systemd/resolve/resolv.conf) and puts those into the container. Those IPs are the cloud provider's DNS servers. So the container's DNS does come from the host, just not from a verbatim copy of the host's /etc/resolv.conf.
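To make the selection rule concrete, here is a small shell emulation of how dockerd chooses a container's nameservers on a Linux host. This is an added example written for this post, not Docker's own code: it filters out loopback nameservers (which the container could never reach), falls back to the systemd-resolved uplink list when the host file only had the stub address, and finally falls back to Docker's well-known defaults of 8.8.8.8 and 8.8.4.4 when nothing usable remains. The resolv.conf contents and the 203.0.113.x / 192.0.2.x addresses are constructed samples (RFC 5737 documentation ranges), not real servers, and the whole thing is bypassed in real life when you pass --dns to docker run.

```shell
#!/bin/sh
# Emulation (added example, not Docker's implementation) of how dockerd
# picks a container's nameservers from the host's resolver configuration.

# Constructed sample: host running systemd-resolved (stub address only).
HOST_STUB='# constructed sample: host /etc/resolv.conf managed by systemd-resolved
nameserver 127.0.0.53
options edns0
search example.internal'

# Constructed sample: the uplink list systemd-resolved writes to
# /run/systemd/resolve/resolv.conf (addresses are RFC 5737 placeholders).
UPLINK='# constructed sample: /run/systemd/resolve/resolv.conf
nameserver 203.0.113.2
nameserver 203.0.113.3
search example.internal'

# Constructed sample: host with a plain, directly reachable resolver.
HOST_PLAIN='nameserver 192.0.2.1
search example.internal'

# Print the addresses of all "nameserver" lines read from stdin.
nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# Drop loopback addresses (127.0.0.0/8 and ::1): from inside a container's
# network namespace "127.x" means the container itself, not the host.
drop_loopback() {
  grep -v -E '^(127\.|::1$)' || true
}

# container_nameservers HOST_RESOLV_CONF [UPLINK_RESOLV_CONF]
# Echoes, one per line, the nameservers the container would receive.
container_nameservers() {
  host_conf=$1
  uplink_conf=${2:-}

  # 1. Start from the host's /etc/resolv.conf minus loopback entries.
  ns=$(printf '%s\n' "$host_conf" | nameservers | drop_loopback)

  # 2. If only a loopback stub was listed, use systemd-resolved's uplink file.
  if [ -z "$ns" ] && [ -n "$uplink_conf" ]; then
    ns=$(printf '%s\n' "$uplink_conf" | nameservers | drop_loopback)
  fi

  # 3. Still nothing usable: Docker falls back to Google's public resolvers.
  if [ -z "$ns" ]; then
    ns=$(printf '8.8.8.8\n8.8.4.4\n')
  fi

  printf '%s\n' "$ns"
}

# Demonstration of the three cases when run directly.
echo "systemd-resolved host + uplink file:"
container_nameservers "$HOST_STUB" "$UPLINK"
echo "plain host:"
container_nameservers "$HOST_PLAIN"
echo "systemd-resolved host, no uplink file found:"
container_nameservers "$HOST_STUB"
```

On a real Linux host the equivalent check is to compare `docker run --rm busybox cat /etc/resolv.conf` against `cat /run/systemd/resolve/resolv.conf` rather than against `/etc/resolv.conf`; the two should agree on the nameserver lines. The security-relevant point is the last fallback: if the host resolver is misconfigured, containers silently start sending DNS queries to a third-party public resolver instead of failing closed.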

Just one last question: why do we need systemd-resolved in the first place, instead of using the DNS server IPs directly? Here is the answer from the Ubuntu man page:

systemd-resolved is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR resolver and responder.

I try one last command to see how much this service has cached:

systemd-resolve --statistics

That is the end of our journey. I hope you find this blog post useful :)

