DNS queries to `127.0.0.1:53` fail

[tenkoma]

Description

Starting from Docker Desktop 4.48.0, DNS queries sent from the host to 127.0.0.1:53 time out and fail to receive any response, even when a container is correctly exposing port 53 (udp/tcp) (e.g., via EXPOSE 53).
The same configuration works as expected on 4.47.0, where queries to 127.0.0.1 return valid responses from the containerized DNS server.

Reproduce

1. Use the following compose.yml (CoreDNS + Nginx) configuration:

# compose.yml
services:
  web:
    image: nginx:alpine
    container_name: web
    restart: unless-stopped
    ports:
      - "8080:80"            # host:container -> http://localhost:8080 or http://www.example.test:8080
    networks:
      lan:
        ipv4_address: 172.28.0.10
    dns:
      - 172.28.0.53          # Use custom DNS for name resolution within the container
    configs:
      - source: web_index_html
        target: /usr/share/nginx/html/index.html
        mode: 0444

  dns:
    image: coredns/coredns:1.13.1
    container_name: dns
    restart: unless-stopped
    command: ["-conf", "/etc/coredns/Corefile"]
    ports:
      - "127.0.0.1:53:53/udp"
      - "127.0.0.1:53:53/tcp"
    networks:
      lan:
        ipv4_address: 172.28.0.53
    configs:
      - source: coredns_corefile
        target: /etc/coredns/Corefile
        mode: 0444
      - source: coredns_zone_example
        target: /etc/coredns/zones/db.example.test
        mode: 0444

networks:
  lan:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16
          gateway: 172.28.0.1

configs:
  web_index_html:
    content: |
      <h1>It works 🎉</h1>
      <p>This is example.test behind Nginx.</p>

  coredns_corefile:
    content: |
      example.test:53 {
          file /etc/coredns/zones/db.example.test
          log
          errors
          reload
      }
      . {
          forward . 8.8.8.8 1.1.1.1
          cache 30
          log
          errors
          reload
      }

  coredns_zone_example:
    content: |
      $$ORIGIN example.test.
      $$TTL 3600
      @   IN SOA ns1.example.test. admin.example.test. (
              2025101501 ; serial
              3600       ; refresh
              900        ; retry
              604800     ; expire
              86400      ; minimum
      )
          IN NS  ns1.example.test.
      ns1 IN A   172.28.0.53
      @   IN A   127.0.0.1
      www IN A   127.0.0.1

2. Add a macOS resolver file to direct example.test to localhost DNS:

sudo mkdir -p /etc/resolver && echo "nameserver 127.0.0.1\n" | sudo tee /etc/resolver/example.test

3. Run containers

docker compose up -d

4. Test DNS and HTTP access from the host.

% dig @127.0.0.1 example.test A +short

; <<>> DiG 9.10.6 <<>> @127.0.0.1 example.test A +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

% curl http://example.test:8080/
curl: (6) Could not resolve host: example.test

The dig command timed out, and the HTTP request also failed.

Note

When switching between Docker Desktop versions for testing, I cleared the DNS cache with the following command:

sudo killall -HUP mDNSResponder

Expected behavior

Result of Docker Desktop 4.47.0

% dig @127.0.0.1 example.test A +short
127.0.0.1

% curl http://example.test:8080/
<h1>It works 🎉</h1>
<p>This is example.test behind Nginx.</p>

The DNS query correctly resolves example.test → 172.28.0.10, and HTTP access works.

docker version

Client:
 Version:           28.5.1
 API version:       1.51
 Go version:        go1.24.8
 Git commit:        e180ab8
 Built:             Wed Oct  8 12:16:17 2025
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.48.0 (207573)
 Engine:
  Version:          28.5.1
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.8
  Git commit:       f8215cc
  Built:            Wed Oct  8 12:18:25 2025
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    28.5.1
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Docker AI Agent - Ask Gordon (Docker Inc.)
    Version:  v1.9.11
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.29.1-desktop.1
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-buildx
  cloud: Docker Cloud (Docker Inc.)
    Version:  v0.4.39
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-cloud
  compose: Docker Compose (Docker Inc.)
    Version:  v2.40.0-desktop.1
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.44
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Docker Inc.)
    Version:  v0.2.0
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-desktop
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.31
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-init
  mcp: Docker MCP Plugin (Docker Inc.)
    Version:  v0.23.0
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-mcp
  model: Docker Model Runner (Docker Inc.)
    Version:  v0.1.42
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-model
  offload: Docker Offload (Docker Inc.)
    Version:  v0.4.39
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-offload
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.18.3
    Path:     /Users/kojitanaka/.docker/cli-plugins/docker-scout

Server:
 Containers: 3
  Running: 2
  Paused: 0
  Stopped: 1
 Images: 24
 Server Version: 28.5.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Discovered Devices:
  cdi: docker.com/gpu=webgpu
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
 runc version: v1.2.5-0-g59923ef
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 8
 Total Memory: 15.6GiB
 Name: docker-desktop
 ID: d19f7c9b-871e-4f1e-b3fc-06ba286c33c3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/kojitanaka/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false

Diagnostics ID

411D4371-0810-41B9-8FFD-E9B080079E97/20251015075713

Additional Info

No response

[tenkoma]

In my development environment, I actually use a custom image that installs dnsmasq inside a CentOS container and runs it as a service—where I'm also experiencing the same issues.
However, I couldn't find an official dnsmasq image, and preparing a reproducible environment would have required significant additional code, so I opted to reproduce the issue using CoreDNS instead.

[djs55]

Thanks for the report. We found a bug in the UDP forwarding codepath, could you try the fix in the developer build here: docker/for-win#14957 (comment)

[tenkoma]

@djs55 Thank you.

I installed Docker Desktop as suggested in docker/for-win#14957 (comment) and tried it out.
When using the compose.yml file from this Issue, I received the error strconv.Atoi: parsing "nonroot": invalid syntax and the DNS service failed to start. 🤔

% docker compose up -d
[+] Running 3/3
 ✔ Network docker-desktop-dns-cant-resolve_lan  Created                                 0.0s
 ✔ Container dns                                Created                                 0.1s
 ✔ Container web                                Started                                 0.2s
strconv.Atoi: parsing "nonroot": invalid syntax

However, in my Docker Compose environment using dnsmasq, I could successfully run it correctly, just as with version 4.47.0. Therefore, the DNS issue appears to be resolved 👌

[bsousaa]

This issue should be fixed with Desktop 4.49.0. I'm closing the issue for now.

[tenkoma]

Thanks.

I've confirmed that IP address resolution works even when using the coredns container with Docker Desktop 4.49.0. 🙆‍♂️