Dnsmasq and local docker container

Posted March 25, 2019

Hi everyone,

I have my first droplet up and running and now have to deploy multiple docker containers.


The docker containers have their own DNS server (which is needed for the applications being deployed and can’t be changed).
By default systemd-resolved occupies UDP 53 as it listens on


My idea is to disable systemd-resolved and replace it with dnsmasq.
dnsmasq should provide local DNS resolution for the host but also distribute incoming DNS requests to the various docker containers. I have various local docker networks at and
I can start my containers like -p

This would allow me to have dnsmasq on the public interface of the droplet and forward incoming requests to the local docker IPs, based on subdomains.

Would that be possible or am I totally wrong here?

Any suggestions, remarks are highly appreciated.


DigitalOcean is the main spot where I maintain my domains.



Excellent question, thanks for posting it here. I welcome anyone else weighing in on this, but I wanted to answer it to the best of my ability as well.

From where I sit, what you’re talking about sounds sane. It isn’t a setup I’ve tried, but it sounds sane. This is what I think you’re looking at:

To disable systemd binding to port 53, in /etc/systemd/resolved.conf:


Then in the dnsmasq config, something like this:


That way you’re redirecting DNS queries to the right docker container based on the zone being queried. I’m pretty sure this will work. Share with us and let us know if it did?


  • Hi Jarland,

    thank you for your reply. It might get a lil bit complex ;)

    What I did now is that I disabled resolved

    sudo systemctl stop systemd-resolved && sudo systemctl disable systemd-resolved

    and modified the local resolv.conf, where I added the upstream DNS server


    Then I modified the dnsmasq.conf


    I created a dedicated Docker network

    docker network create --driver=bridge --subnet= webserver-net

    And started the server

    docker run -it --rm --network="webserver-net" --ip= --entrypoint /bin/sh nginx

    The local lookup on the droplet seems to work:

    dig @165.227.1xx.xx +short <domain>.rocks

    However, it fails on every other server.
    But the strange thing is, I don’t even receive the NS record for this subdomain, even though I have set it up in DigitalOcean (see screenshot on Twitter Tweet).

    dig @ NS my.<domain>.rocks
    ; <<>> DiG 9.10.6 <<>> @ NS my.<domain>.rocks
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18361
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ; EDNS: version: 0, flags:; udp: 1452
    ;my.<domain>.rocks.     IN  NS
    ;; Query time: 2095 msec
    ;; SERVER:
    ;; WHEN: Tue Mar 26 20:49:52 CET 2019
    ;; MSG SIZE  rcvd: 46

    What am I missing here? Any idea?

    Your help is highly appreciated! This is the foundation for my university lecture and it would be incredible if this gets up and running.

    BTW, two quick questions in relation to Docker (maybe you have an idea, as I am totally stuck right now)
    Do you know how I can enable communication between Docker containers in different networks?
    Or, how can I define an existing network in a docker-compose.yaml and assign a fixed IP? This would solve the communication problem across networks.
    I know how to use an existing network, but I fail to assign a fixed IP.

I just ran into another issue in regards to systemd-resolved (who actually came up with this complex setup? The whole internet is full of trouble in regards to this).

Even though I configured /etc/systemd/resolved.conf to contain this:


The /etc/resolv.conf always gets overwritten with as DNS server.

options edns0

Why is that? When I change it to everything name resolution works again.
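A concrete form of the per-zone forwarding that Jarland’s answer describes, plus the resolv.conf behaviour from the last comment, as an added example and not a config posted in this thread; the interface name, the zone names and the container addresses are assumed placeholders:

```ini
# --- /etc/dnsmasq.conf (added example; eth0, the zone names and the container
# --- addresses are assumed placeholders, not values from this thread)

# Bind only to the public interface's addresses. bind-interfaces makes dnsmasq
# open sockets on those addresses alone rather than on 0.0.0.0:53, so it does
# not collide with systemd-resolved's stub on 127.0.0.53:53 and the host can
# keep resolving through resolved while dnsmasq serves the outside.
interface=eth0
bind-interfaces

# Ignore /etc/resolv.conf; the only upstreams are the ones listed in this file.
no-resolv

# One line per delegated subdomain: a query for that zone (or anything below
# it) is forwarded to the container that runs the DNS server for it. The
# container needs a fixed address, e.g. a docker network created with --subnet
# plus docker run --ip, so this line stays valid across restarts.
server=/my.example.rocks/172.20.0.10
server=/lab.example.rocks/172.21.0.10

# Deliberately no general upstream: a query from the Internet for any other
# name has nowhere to go and dnsmasq answers REFUSED, so the droplet forwards
# the delegated zones without becoming an open recursive resolver.

# If you stop systemd-resolved instead and let dnsmasq serve the host as well,
# you would add loopback and real upstreams here:
#   interface=lo
#   server=1.1.1.1
# Then restrict recursion with a firewall rule on eth0: dnsmasq's only built-in
# client restriction is local-service, which would also hide the delegated
# zones from outside resolvers.

# --- /etc/systemd/resolved.conf, only for the stop-the-stub route:
# [Resolve]
# DNSStubListener=no
# /etc/resolv.conf is normally a symlink to /run/systemd/resolve/stub-resolv.conf,
# which is why it keeps coming back pointing at the stub address; repoint it:
#   ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
```

With either route, check the delegation from a machine outside the droplet with `dig @<droplet-ip> NS my.example.rocks`, and confirm that a query for an unrelated name (for example `dig @<droplet-ip> example.com`) comes back REFUSED rather than answered.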