Proposal: Need options to disable embedded DNS #1085
Comments
1.11.0-dev with experiment:

```
# docker --version
Docker version 1.11.0-dev, build 901c67a-unsupported, experimental
```
@sanimej yea,

```
[root@kube-node1 ~]# docker exec e9bed187828f netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.11:45723        0.0.0.0:*               LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
udp        0      0 127.0.0.11:42323        0.0.0.0:*                           -
```

and iptables rules:

```
[root@kube-node1 ~]# docker exec --privileged e9bed187828f iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 210 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1732 DNAT       udp  --  *      *       0.0.0.0/0            127.0.0.11           udp dpt:53 to:127.0.0.11:42323
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            127.0.0.11           tcp dpt:53 to:127.0.0.11:45723

Chain POSTROUTING (policy ACCEPT 27 packets, 1942 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       udp  --  *      *       127.0.0.11           0.0.0.0/0            udp spt:42323 to::53
    0     0 SNAT       tcp  --  *      *       127.0.0.11           0.0.0.0/0            tcp spt:45723 to::53
```

I wish the container were clean.
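The output above shows how the embedded resolver is wired: it listens on random ports at 127.0.0.11 and the OUTPUT chain DNATs port 53 to them. The following diagnostic is an added example, not code from this thread or from Docker: it parses `netstat -lnp` and `iptables -t nat -nvL` output captured inside a container and reports when the port-53 redirect is missing (the nftables-only case described further down) or points at the wrong port. The sample text is constructed from the comment above.

```python
import re

# Constructed sample, copied from the netstat/iptables output in the comment above.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:45723 0.0.0.0:* LISTEN -
udp 0 0 127.0.0.11:42323 0.0.0.0:* -
"""
NAT_SAMPLE = """\
24 1732 DNAT udp -- * * 0.0.0.0/0 127.0.0.11 udp dpt:53 to:127.0.0.11:42323
0 0 DNAT tcp -- * * 0.0.0.0/0 127.0.0.11 tcp dpt:53 to:127.0.0.11:45723
0 0 SNAT udp -- * * 127.0.0.11 0.0.0.0/0 udp spt:42323 to::53
"""

# Sockets bound to the embedded resolver address, e.g. "udp 0 0 127.0.0.11:42323 ..."
LISTEN_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+127\.0\.0\.11:(\d+)\s")
# DNAT rules that redirect 127.0.0.11:53 to the resolver's random port
DNAT_RE = re.compile(r"DNAT\s+(tcp|udp)\s.*?127\.0\.0\.11\s+(?:tcp|udp)\s+dpt:53\s+to:127\.0\.0\.11:(\d+)")

def listening_ports(netstat_out):
    """Map protocol -> port the embedded DNS server listens on at 127.0.0.11."""
    ports = {}
    for line in netstat_out.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports

def dnat_targets(nat_out):
    """Map protocol -> port that the OUTPUT-chain DNAT for 127.0.0.11:53 redirects to."""
    targets = {}
    for line in nat_out.splitlines():
        m = DNAT_RE.search(line)
        if m:
            targets[m.group(1)] = int(m.group(2))
    return targets

def check_embedded_dns(netstat_out, nat_out):
    """Return a list of wiring problems (empty means port 53 reaches the resolver).
    On a host where Docker cannot program the nat table (nftables-only, as reported
    in this thread) the DNAT rules are absent and every query to 127.0.0.11:53 is lost."""
    listen, dnat, problems = listening_ports(netstat_out), dnat_targets(nat_out), []
    for proto in ("udp", "tcp"):
        if proto not in listen:
            problems.append(f"{proto}: nothing listening on 127.0.0.11")
        if proto not in dnat:
            problems.append(f"{proto}: no DNAT rule for 127.0.0.11:53")
        elif proto in listen and dnat[proto] != listen[proto]:
            problems.append(f"{proto}: DNAT to {dnat[proto]} but resolver on {listen[proto]}")
    return problems
```

Run it against the real `docker exec ... netstat -lnp` and `docker exec --privileged ... iptables -t nat -nvL` output of a container whose DNS is timing out; an empty list means the 127.0.0.11 redirect itself is intact and the fault lies elsewhere.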
I'm in favour of this. I'm running DNS authoritatives and resolvers inside containers, and I'm sure many others do. This prevents me from doing that without resorting to port redirections. 53 shouldn't be treated any differently from 22, 80 or 443, or at least there should be an option to disable this.
Builtin DNS server falls under load. Disable it or make it reliable.
Embedded DNS loses part of the upstream responses, giving DNS timeouts for client apps inside the container. This happens only for containers in a custom network, when Docker uses I start During these strange periods I can see outgoing UDP packets with DNS requests with tcpdump inside the container, and the responses from upstream with tcpdump on the upstream, but no UDP packets with DNS responses inside the container! If I replace
FWIW, I'm running into issues with embedded DNS on a host that uses nftables instead of iptables (iptables is disabled because it conflicts with nftables' dnat). It just doesn't work, plain and simple, for obvious reasons. While being able to disable eDNS won't solve the service discovery problem, I could work around that.
Any news? I have the same problem with nftables too.
I want to use my own DNS servers, no inside-docker name doohickey wanted. Just old simple standardized DNS that isn't being messed with. For now my containers have to run a startup script of
We use our own patch to do that
I second this. My beef is that I want full control of the nat table for the container. The assumptions I have to make to allow docker to set the necessary nat rules seem unnecessary.
My use case for this is using the Even though I've set While a switch to disable eDNS would be best, I'd at least like to see eDNS disabled if NATting is impossible. Disabling eDNS when
I had the same issue with nftables. Traefik would fail with
Obviously there's no such thing as 127.0.0.11 on my system - I use static IPs with static src/dstnat rules.
where /opt/data/resolv.conf has the correct DNS servers (8.8.8.8) :-)
Same problem here (openvswitch network driver, nftables with iptables disabled in modprobe config, own resolver/discovery service). The patch above helps, but I still don't understand why not make it optional the same way as DisableGatewayService works.
Add me to the list of people who really need to be able to disable the embedded DNS server. In my case, it's because it doesn't handle PTR queries correctly.
In my case, ssh to a remote docker container is very slow; we still need sshd inside this docker because the legacy application depends heavily on the ssh command. You could only use /etc/hosts and disable domain name resolving via DNS in /etc/nsswitch.conf, changing it from
Found this and for me that is still an issue.
This is also affecting me...
I want to use the default bridge and a macvlan network in k8s. However, when the container connects to the macvlan network, the DNS of the default bridge network is changed by the macvlan network:
Start container with default bridge network:
Connect container to macvlan network:
/etc/resolv.conf will be changed:
This makes every DNS query go to 127.0.0.11 first, time out on the connection, and then go to 10.254.0.10, which makes DNS queries slow. @mrjana @mavenugo @thockin @brendandburns
Refer to #19474