
DNS Not Resolving under Network [CentOS8] #957

Closed
2 of 3 tasks
arpadgabor opened this issue Mar 22, 2020 · 25 comments · Fixed by moby/moby#41189

@arpadgabor

arpadgabor commented Mar 22, 2020

Edit: There's a workaround in the comments below.

Ok so I have a fresh install of CentOS8, Docker, Docker compose. I'm trying to run Traefik. Created my network with docker create network proxy, attached it to my docker-compose file, ran my scripts, and it works. Kinda.

If I run a container with --net=host everything works fine. However, any other network I create does not resolve DNS.


  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one (yeah it's like 4AM already)

Expected behavior

$ docker exec -it traefik ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=55 time=3.983 ms
64 bytes from 1.1.1.1: seq=1 ttl=55 time=4.077 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 3.983/4.030/4.077 ms

Actual behavior

I repeat: If I run a container with --net=host everything works fine. However, any other network I create does not resolve DNS.

$ docker exec -it traefik ping google.com
ping: bad address 'google.com'

Steps to reproduce the behavior

I'm running a CentOS 8 VPS on Hetzner Cloud with the latest version of Docker (as of yesterday). The issue just "happened".

$ docker-compose -v
docker-compose version 1.25.4, build 8d51620a

Output of docker version:

$ docker -v
Docker version 19.03.8, build afacb8b

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 5
  Running: 1
  Paused: 0
  Stopped: 4
 Images: 1
 Server Version: 18.09.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
 runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.0-80.11.2.el8_0.x86_64
 Operating System: CentOS Linux 8 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.755GiB
 Name: centos-4gb-nuremberg
 ID: DUXL:2E6W:WKB3:CWRG:7BUY:4VIN:YMXX:FRTH:L7YK:L5LY:X3D4:Y52L
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.)

Hetzner Cloud

@ask-and-go-to-the-blue

ask-and-go-to-the-blue commented Mar 24, 2020

me too!

Output of uname -a :
Linux asusual.dev 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Output of iptables -L :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Output of docker version :

Client: Docker Engine - Community
 Version:           19.03.8
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        afacb8b
 Built:             Wed Mar 11 01:27:04 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.8
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       afacb8b
  Built:            Wed Mar 11 01:25:42 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker run busybox nslookup google.com :

nslookup: write to '1.1.1.1': No route to host
;; connection timed out; no servers could be reached

nslookup: write to '8.8.8.8': No route to host

Output of docker run busybox ping 8.8.8.8 :

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=52 time=29.850 ms
64 bytes from 8.8.8.8: seq=1 ttl=52 time=30.712 ms

@WARrior-Alex

Hi. Probably the reason is https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.0_release_notes/rhel-8_0_0_release#networking

I have the same issue at Fedora 32:
https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables#Scope

@zx1986

zx1986 commented May 12, 2020

me too! same problem on CentOS 8, all my docker-compose containers are with a dead Internet.

@lfiraza

lfiraza commented May 12, 2020

fast workaround
sudo nano /etc/firewalld/firewalld.conf
in config file please change
FirewallBackend=nftables
to
FirewallBackend=iptables
save these changes and reload firewalld
sudo systemctl restart firewalld.service

it should help you work with docker but I advise rolling back when docker fixes this

@ask-and-go-to-the-blue

@lfiraza
Wow. Good!
Thank you Very very very very * 1000 much.

@cassiamani

@lfiraza thanks dude, it worked for me.

@arpadgabor

@lfiraza added a link to your comment in the OP, in case any more people see this. I switched back to centos 7 in the meantime.

@l3lackMegas

l3lackMegas commented May 25, 2020

@lfiraza That works! Thank you very much. <3

@edkepex

edkepex commented Jun 4, 2020

@lfiraza thanks friend, this saved my day. I spent almost 24 hrs on this. Finally I came here and this works.

@otidh

otidh commented Jun 27, 2020

@lfiraza Thanks very much! It works!!

@matheenl

@lfiraza Thank you very much. It works for me as well. I was having issues with running Terraform from a docker container running on centos 8 host. Tried different steps including adding custom DNS, adding docker interface to trusted on firewall... but only the solution provided by you worked. Now I can run Terraform commands from my docker container....

@Angeluz-07

@lfiraza thank you. I couldn't build an ubuntu18 docker image because I was getting a "temporary failure in name resolution" error, but your solution worked.

@carlosemidio

@lfiraza Thanks very much. You saved my day!

thaJeztah added a commit to thaJeztah/docker that referenced this issue Jul 8, 2020
full diff: moby/libnetwork@2e24aed...9e99af2

- moby/libnetwork#2548 Add docker interfaces to firewalld docker zone
    - fixes docker/for-linux#957 DNS Not Resolving under Network [CentOS8]
    - fixes moby/libnetwork#2496 Port Forwarding does not work on RHEL 8 with Firewalld running with FirewallBackend=nftables
- store.getNetworksFromStore() remove unused error return
- moby/libnetwork#2554 Fix 'failed to get network during CreateEndpoint'
    - fixes/addresses docker/for-linux#888 failed to get network during CreateEndpoint
- moby/libnetwork#2558 [master] bridge: disable IPv6 router advertisements
- moby/libnetwork#2563 log error instead if disabling IPv6 router advertisement failed
    - fixes docker/for-linux#1033 Shouldn't be fatal: Unable to disable IPv6 router advertisement: open /proc/sys/net/ipv6/conf/docker0/accept_ra: read-only file system

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@jeffvc

jeffvc commented Jul 9, 2020

Yo, seriously, thank you, I think I tried everything else till I stumbled on this. You should like ... work for NASA or SpaceX :)

@junewerner

@lfiraza THANK YOU. Took forever to find this.

@wswind

wswind commented Jul 13, 2020

lfiraza's workaround works fine.
And there are two more ways:

(1) just using masquerade will make this work (recommended)

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload

from robos's comment in <https://linuxconfig.org/how-to-install-docker-in-rhel-8>

(2) set docker0 to trusted (this will open all the ports published by docker)

firewall-cmd --zone=trusted --add-interface=docker0 --permanent
firewall-cmd --reload

from: https://forums.centos.org/viewtopic.php?f=54&t=74270

docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this issue Jul 13, 2020
full diff: moby/libnetwork@2e24aed...9e99af2

- moby/libnetwork#2548 Add docker interfaces to firewalld docker zone
    - fixes docker/for-linux#957 DNS Not Resolving under Network [CentOS8]
    - fixes moby/libnetwork#2496 Port Forwarding does not work on RHEL 8 with Firewalld running with FirewallBackend=nftables
- store.getNetworksFromStore() remove unused error return
- moby/libnetwork#2554 Fix 'failed to get network during CreateEndpoint'
    - fixes/addresses docker/for-linux#888 failed to get network during CreateEndpoint
- moby/libnetwork#2558 [master] bridge: disable IPv6 router advertisements
- moby/libnetwork#2563 log error instead if disabling IPv6 router advertisement failed
    - fixes docker/for-linux#1033 Shouldn't be fatal: Unable to disable IPv6 router advertisement: open /proc/sys/net/ipv6/conf/docker0/accept_ra: read-only file system

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 219e7e7ddcf5f0314578d2a517fc0832f03622c1
Component: engine
@jeffvc

jeffvc commented Jul 13, 2020

lfiraza's workaround works fine.
And there are two more ways:

(1) just using masquerade will make this work

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload

from comment in <https://linuxconfig.org/how-to-install-docker-in-rhel-8>

(2) set docker0 to trusted

firewall-cmd --zone=trusted --add-interface=docker0 --permanent
firewall-cmd --reload

from: https://forums.centos.org/viewtopic.php?f=54&t=74270

Confirmed that firewall-cmd --zone=public --add-masquerade --permanent works on CentOS 8. Thanks for this fix, I wanted to mess around with nftables since that apparently is the standard going forward. Thanks for the two additional fixes!

@lfiraza

lfiraza commented Jul 14, 2020

@wswind @jeffvc
As I remember it doesn't work for docker networks created by docker-compose

@wswind

wswind commented Jul 15, 2020

@wswind @jeffvc
As I remember it doesn't work for docker networks created by docker-compose

@lfiraza Thanks for this information.

I checked the two fixes with a busybox container.
--add-interface=docker0 doesn't work with docker-compose
masquerade works fine with both "docker" and "docker-compose"

Here is how I test this:

this command could be useful for the docker test; both ways work fine

docker run busybox nslookup <somesite.com>

I tested docker-compose with a simple docker-compose.yml:

version: "3"
services:
  test:
    image: busybox

Steps:

1. clean the two fixes

firewall-cmd --zone=public --remove-masquerade --permanent
firewall-cmd --zone=trusted --remove-interface docker0 --permanent
firewall-cmd --reload

2. apply one of the fixes

firewall-cmd --zone=public --add-masquerade --permanent
#or
firewall-cmd --zone=trusted --add-interface=docker0 --permanent
firewall-cmd --reload

3. use docker-compose to run busybox nslookup

docker-compose run test nslookup <somesite.com>

My environment:

docker-compose version 1.26.2
docker version 19.03.12
CentOS 8.2.2004 (Core)

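The three mitigations in this thread (lfiraza's FirewallBackend=iptables switch, wswind's masquerade and trusted-docker0 variants) can be checked before anyone touches a host. The POSIX shell script below is an added example, not code from the issue, from Docker or from firewalld: it parses a firewalld.conf and the text output of `firewall-cmd --zone=public --list-all` / `firewall-cmd --zone=trusted --list-all`, and reports which mitigation is active, flagging the trusted-docker0 case with wswind's caveat that docker-compose networks are not covered. All sample files are constructed inline, so it runs on a machine without firewalld; the `--list-all` format is the stock firewalld one.

```shell
#!/bin/sh
# Added example, not code from the issue, Docker or firewalld: a read-only preflight check
# for the firewalld/nftables symptom discussed in this thread. It only parses text, so it
# runs on a machine without firewalld; on a real host you would pass it
# /etc/firewalld/firewalld.conf plus the captured output of
#   firewall-cmd --zone=public --list-all     and     firewall-cmd --zone=trusted --list-all

# Print the FirewallBackend value from a firewalld.conf; RHEL/CentOS 8 default to nftables
# when the key is missing or commented out.
firewalld_backend() {
    backend=$(sed -n 's/^[[:space:]]*FirewallBackend=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${backend:-nftables}"
}

# Succeed when a `firewall-cmd --zone=<zone> --list-all` listing shows masquerade enabled.
zone_has_masquerade() {
    grep -q '^[[:space:]]*masquerade: yes[[:space:]]*$' "$1"
}

# Succeed when the listing binds the given interface (e.g. docker0) to the zone.
zone_has_interface() {
    sed -n 's/^[[:space:]]*interfaces: *//p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# One verdict for the three mitigations from this thread. Exit status 0 means some
# mitigation is active; the message says which one and what it does not cover.
assess() {
    conf=$1; public=$2; trusted=$3
    if [ "$(firewalld_backend "$conf")" = iptables ]; then
        echo "ok: FirewallBackend=iptables (lfiraza's workaround; revert once the engine fix lands)"
    elif zone_has_masquerade "$public"; then
        echo "ok: masquerade on in public zone (works for docker and docker-compose networks)"
    elif zone_has_interface "$trusted" docker0; then
        echo "warn: only docker0 is trusted; docker-compose (user-defined) networks still lack DNS"
    else
        echo "fail: nftables backend, no masquerade, docker0 not trusted; container DNS will break"
        return 1
    fi
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# firewalld config file' 'DefaultZone=public' 'FirewallBackend=nftables' \
    > "$SAMPLE_DIR/firewalld.conf"
printf '%s\n' 'DefaultZone=public' '#FirewallBackend=nftables' 'FirewallBackend=iptables' \
    > "$SAMPLE_DIR/firewalld-iptables.conf"
cat > "$SAMPLE_DIR/public-broken.txt" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
sed 's/masquerade: no/masquerade: yes/' "$SAMPLE_DIR/public-broken.txt" > "$SAMPLE_DIR/public-masq.txt"
printf '%s\n' 'trusted' '  target: ACCEPT' '  interfaces: ' '  masquerade: no' > "$SAMPLE_DIR/trusted-empty.txt"
printf '%s\n' 'trusted (active)' '  target: ACCEPT' '  interfaces: docker0' '  masquerade: no' > "$SAMPLE_DIR/trusted-docker0.txt"

# Demo 1: stock CentOS 8 defaults as reported in this issue -> "fail", exit status 1.
assess "$SAMPLE_DIR/firewalld.conf" "$SAMPLE_DIR/public-broken.txt" "$SAMPLE_DIR/trusted-empty.txt" || true
# Demo 2: after `firewall-cmd --zone=public --add-masquerade --permanent && firewall-cmd --reload`.
assess "$SAMPLE_DIR/firewalld.conf" "$SAMPLE_DIR/public-masq.txt" "$SAMPLE_DIR/trusted-empty.txt"
```

On a real host, capture `firewall-cmd --zone=public --list-all > public.txt` and `firewall-cmd --zone=trusted --list-all > trusted.txt` as root and call `assess /etc/firewalld/firewalld.conf public.txt trusted.txt`. The masquerade check is the one that matches what the failing traffic needs (cesirx below observes that the DNS packets leave with the container's 172.16.x source address, i.e. SNAT is not being applied), while the backend switch removes nftables entirely and the trusted-zone variant exposes every published port, which is why the script ranks them as it does.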
@Kwaiyu

Kwaiyu commented Aug 14, 2020

Quick workaround: change the config file
sudo nano /etc/firewalld/firewalld.conf
from
FirewallBackend=nftables
to
FirewallBackend=iptables
then save the changes and reload firewalld
sudo systemctl restart firewalld.service

It should help you use docker, but I recommend rolling back this setting when docker provides a solution.

fast workaround
sudo nano /etc/firewalld/firewalld.conf
in config file change
FirewallBackend=nftables
to
FirewallBackend=iptables
save the change and reload firewalld
sudo systemctl restart firewalld.service

it should help you work with docker but I advise rolling back this setting when docker provides a solution.

Thank you very much for solving this issue. Centos8 has caused me a lot of trouble; I don't know why they use nftables instead of iptables, or dnf instead of yum?

@EG-easy

EG-easy commented Sep 12, 2020

uhyooooooooooooooooo!
THANK YOU!

@cesirx

cesirx commented Oct 29, 2020

Same problem here.

After some research I found that DNS requests from the docker to my DNS server were arriving with the internal docker ip (172.16.0.2) as source address (instead of using the ip address of the docker host network interface).

In my case, SNAT was failing only for DNS traffic (could ping 8.8.8.8 from inside the container).

Proposed solutions did work for me too.

Many thanks!

@gstanden

gstanden commented Nov 15, 2020

@lfiraza a lifesaver, THANK YOU!! FYI this also works to fix broken LXC container DNS name resolution and networking inside LXC containers on Linux 8 distros for LXC as well when containers are using iptables rules with physical interfaces. Symptoms of my LXC containers on Oracle Linux 8 before the FirewallBackend=iptables fix were ping of external internet addresses from inside LXC container was working but DNS resolution from inside container was not working.

As noted above by other commenters, there are ways to make this work without disabling nftables. I have tried them with LXC containers and they do work too.

moby/libnetwork#2496

@codegraoully

fast workaround
sudo nano /etc/firewalld/firewalld.conf
in config file change
FirewallBackend=nftables
to
FirewallBackend=iptables
save the change and reload firewalld
sudo systemctl restart firewalld.service

it should help you work with docker but I advise rolling back this setting when docker provides a solution.

Same issue, same resolution!

Thanks a lot!

@JakkuSakura

What to do on MacOS?
