Dnsmasq and local docker container

March 25, 2019
DNS Docker

Hi everyone,

I have my first droplet up and running and now have to deploy multiple docker containers.

Situation:

The docker containers have their own DNS server (which is needed by the applications being deployed and can't be changed).
By default, systemd-resolved occupies UDP 53, as it listens on 127.0.0.53.

Solution(?):

My idea is to disable systemd-resolved and replace it with dnsmasq.
dnsmasq should provide local DNS resolution for the host but also distribute incoming DNS requests to the various docker containers. I have various local docker networks at 172.17.0.1/16 and 172.18.0.1/16.
I can start my containers like -p 172.17.0.1:53:53/udp.

This would allow me to have dnsmasq on the public interface of the droplet and forward incoming requests to the local docker IPs, based on subdomains.

Would that be possible or am I totally wrong here?

Any suggestions, remarks are highly appreciated.

Cheers,
Tom

PS:
DigitalOcean is the main spot where I maintain my domains.

2 Answers

Greetings!

Excellent question, thanks for posting it here. I welcome anyone else weighing in on this, but I wanted to answer it to the best of my ability as well.

From where I sit, what you’re talking about sounds sane. It isn’t a setup I’ve tried, but it sounds sane. This is what I think you’re looking at:

To disable systemd binding to port 53, in /etc/systemd/resolved.conf:

DNSStubListener=no

Then in the dnsmasq config, something like this:

server=/domainone.tld/172.17.0.1
server=/domaintwo.tld/172.17.0.2

That way you’re redirecting DNS queries to the right docker container based on the zone being queried. I’m pretty sure this will work. Share with us and let us know if it did?

Jarland
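An added example, not Jarland's or the thread's own code: a POSIX shell script that renders the dnsmasq config from the two settings above (listen on the public address, one server=/zone/ip line per container resolver), models which upstream dnsmasq would pick for a given name, and checks the config for the mistake that bites this design in practice. If the dnsmasq on the public interface also has a catch-all upstream (a bare server= line, or the host's /etc/resolv.conf read in by default), every client on the internet can recurse arbitrary names through the droplet, which makes it an open resolver usable for DNS amplification. The script keeps no-resolv and only zone-scoped entries, so anything that is not delegated to a container is refused. The public address, zone names and container addresses are placeholders, not the poster's.

```shell
#!/bin/sh
# Added example, not code from the thread: render a dnsmasq config that only
# forwards the delegated zones to the container resolvers, model which
# upstream dnsmasq would pick for a name, and check that the config is not
# an open resolver. Zone names and addresses below are placeholders.

# render_dnsmasq_conf PUBLIC_IP ZONE=IP [ZONE=IP ...]  -> config on stdout
render_dnsmasq_conf() {
    public_ip=$1
    shift
    printf '%s\n' \
        "# answer on the public address only (not 0.0.0.0, not the bridges)" \
        "listen-address=$public_ip" \
        "bind-interfaces" \
        "# do not take upstreams from /etc/resolv.conf: with a catch-all" \
        "# upstream, any client on the internet could recurse through us" \
        "no-resolv"
    for pair in "$@"; do
        zone=${pair%%=*}
        target=${pair#*=}
        # server=/zone/ip forwards zone and every name below it to ip
        printf 'server=/%s/%s\n' "$zone" "$target"
    done
}

# route_for CONF NAME -> the upstream dnsmasq would use for NAME
# Rule modeled: the server=/zone/ entry with the longest matching zone wins;
# a bare server=ip is the catch-all; with neither, the query is refused
# (printed as REFUSED; the server=/zone/# form is not modeled).
route_for() {
    conf=$1 name=$2 best= bestlen=0 fallback=REFUSED
    while IFS= read -r line; do
        case "$line" in
            server=/*/*)
                rest=${line#server=/}
                zone=${rest%%/*}
                ip=${rest#*/}
                case "$name" in
                    "$zone"|*".$zone")
                        if [ "${#zone}" -gt "$bestlen" ]; then
                            best=$ip
                            bestlen=${#zone}
                        fi ;;
                esac ;;
            server=*) fallback=${line#server=} ;;
        esac
    done < "$conf"
    echo "${best:-$fallback}"
}

# check_not_open_resolver CONF -> 0 if the config has no catch-all upstream
check_not_open_resolver() {
    conf=$1
    rc=0
    if ! grep -q '^no-resolv$' "$conf"; then
        echo "open resolver: no-resolv missing, upstreams come from /etc/resolv.conf"
        rc=1
    fi
    if grep '^server=[^/]' "$conf"; then
        echo "open resolver: the catch-all server= above forwards any name for any client"
        rc=1
    fi
    return "$rc"
}

# Demo on constructed input: one zone per container resolver.
conf=$(mktemp)
render_dnsmasq_conf 203.0.113.10 \
    my.example.com=172.19.0.30 \
    ms.my.example.com=172.19.0.31 > "$conf"
route_for "$conf" outlook.ms.my.example.com   # 172.19.0.31 (longest zone wins)
route_for "$conf" www.my.example.com          # 172.19.0.30
route_for "$conf" example.org                 # REFUSED: not ours, not forwarded
check_not_open_resolver "$conf" && echo "ok: zone-only forwarder"
# the weak variant: one catch-all line turns it into an open resolver
printf 'server=1.1.1.1\n' >> "$conf"
route_for "$conf" example.org                 # 1.1.1.1
check_not_open_resolver "$conf" || echo "rejected: catch-all upstream present"
rm -f "$conf"
```

On the droplet, render the file once (render_dnsmasq_conf public-ip zone=ip ... > /etc/dnsmasq.conf) and run check_not_open_resolver against it after every edit. Two consequences of the zone-only setup to keep in mind: the host's own lookups no longer go through dnsmasq, so /etc/resolv.conf must point at an upstream directly (as the poster does with 1.1.1.1 further down) or a second dnsmasq bound to 127.0.0.1 must serve them, because dnsmasq has no per-client forwarding policy; and each container resolver must accept TCP 53 as well as UDP 53, since dnsmasq forwards truncated and TCP queries over TCP.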

  • Hi Jarland,

    thank you for your reply. It might get a little bit complex ;)

    What I did now is that I disabled resolved

    sudo systemctl stop systemd-resolved && sudo systemctl disable systemd-resolved
    

    and modified the local resolv.conf, where I added the upstream DNS server

    nameserver 1.1.1.1
    

    Then I modified the dnsmasq.conf

    server=/my.<domain>.rocks/172.19.0.30
    

    I created a dedicated Docker network

    docker network create --driver=bridge --subnet=172.19.0.0/24 webserver-net
    
    

    And started the server

    docker run -it --rm --network="webserver-net" --ip=172.19.0.30 --entrypoint /bin/sh nginx   # image names must be lowercase
    

    The local lookup on the droplet seems to work:

    dig @165.227.1xx.xx +short outlook.ms.my.<domain>.rocks
    165.227.1xx.xx
    

    However, it fails on every other server.
    But the strange thing is, I don't even receive the NS record for this subdomain, even though I have set it up in DigitalOcean (see the screenshot in the Twitter tweet).

    dig @1.1.1.1 NS my.<domain>.rocks
    
    ; <<>> DiG 9.10.6 <<>> @1.1.1.1 NS my.<domain>.rocks
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18361
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1452
    ;; QUESTION SECTION:
    ;my.<domain>.rocks.     IN  NS
    
    ;; Query time: 2095 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Tue Mar 26 20:49:52 CET 2019
    ;; MSG SIZE  rcvd: 46
    

    What am I missing here? Any idea?

    Your help is highly appreciated! This is the foundation for my university lecture and it would be incredible if this gets up and running.

    BTW, two quick questions in relation to Docker (maybe you have an idea, as I am totally stuck right now):
    Do you know how I can enable communication between Docker containers in different networks?
    Or, how can I define an existing network in a docker-compose.yaml and assign a fixed IP? This would solve the communication problem across networks.
    I know how to use an existing network, but I fail to assign a fixed IP.

I just ran into another issue in regards to systemd-resolved (who actually came up with this complex setup? The whole internet is full of trouble in regards to this).

Even though I configured /etc/systemd/resolved.conf to contain this:

  [Resolve]
  DNS=127.0.0.1
  FallbackDNS=127.0.0.1
  DNSStubListener=no

The /etc/resolv.conf always gets overwritten with 127.0.0.53 as the DNS server.

nameserver 127.0.0.53
options edns0

Why is that? When I change it to 127.0.0.1, name resolution works again.
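An added example that is not part of the post above: the file keeps coming back because on Ubuntu /etc/resolv.conf is normally a symlink to /run/systemd/resolve/stub-resolv.conf, which systemd-resolved regenerates with nameserver 127.0.0.53 whether or not the stub listener is enabled; DNSStubListener=no stops the listener but does not change that file. systemd-resolved also maintains /run/systemd/resolve/resolv.conf, which lists the configured upstream servers (including DNS= from resolved.conf), so pointing the symlink there keeps name resolution working after the stub is disabled; a regular file in /etc/resolv.conf is left alone entirely. The shell script below classifies which of those states a resolv.conf path is in and re-points the link. The paths it matches are the real systemd-resolved ones; the directory it exercises is a constructed fixture in a temp dir, so it runs without touching the real system.

```shell
#!/bin/sh
# Added example, not code from the thread: report which file sits behind
# /etc/resolv.conf under systemd-resolved, and switch a stub link to the
# uplink file. The fixture below is constructed; the real call needs root.

# resolv_mode RESOLV_CONF -> prints one of: stub, uplink, static, foreign
#   stub    symlink to .../stub-resolv.conf: nameserver 127.0.0.53, the stub
#           listener; dead once DNSStubListener=no is set
#   uplink  symlink to .../systemd/resolve/resolv.conf: the real upstreams
#   static  regular file: edited by hand, nothing rewrites it
#   foreign anything else (another manager, a dangling link, or missing)
resolv_mode() {
    f=$1
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        case "$target" in
            *stub-resolv.conf)            echo stub ;;
            *systemd/resolve/resolv.conf) echo uplink ;;
            *)                            echo foreign ;;
        esac
    elif [ -f "$f" ]; then
        echo static
    else
        echo foreign
    fi
}

# use_uplink_resolv RESOLV_CONF RESOLVE_DIR
# Re-point the link at RESOLVE_DIR/resolv.conf so the host keeps resolving
# after the stub listener is disabled. On a real host:
#   use_uplink_resolv /etc/resolv.conf /run/systemd/resolve
use_uplink_resolv() {
    ln -sfn "$2/resolv.conf" "$1"
}

# Constructed fixture mirroring the Ubuntu layout, in a temp dir.
fixture=$(mktemp -d)
mkdir -p "$fixture/run/systemd/resolve"
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$fixture/run/systemd/resolve/stub-resolv.conf"
printf 'nameserver 1.1.1.1\n' > "$fixture/run/systemd/resolve/resolv.conf"
ln -s "$fixture/run/systemd/resolve/stub-resolv.conf" "$fixture/resolv.conf"
echo "before: $(resolv_mode "$fixture/resolv.conf")"   # stub
use_uplink_resolv "$fixture/resolv.conf" "$fixture/run/systemd/resolve"
echo "after:  $(resolv_mode "$fixture/resolv.conf")"   # uplink
cat "$fixture/resolv.conf"                              # nameserver 1.1.1.1
rm -rf "$fixture"
```

Run resolv_mode /etc/resolv.conf on the droplet first: "stub" confirms the symlink explanation, and use_uplink_resolv (as root) is the persistent fix, while editing the file in place only survives until the link is restored by a package or image update.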
