Docker containers can't access internet (127.0.0.11:53 server misbehaving)

Creating a bug report/issue

I have searched the existing open and closed issues

Required Information

  • DietPi version 9.8.0
  • Distro version bookworm
  • Kernel version Linux DietPi 6.1.0-27-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1 (2024-11-01) x86_64 GNU/Linux
  • Architecture amd64
  • SBC model NativePC

Additional Information (if applicable)

  • Software title docker compose

Hi,

I have an issue with my docker stacks. I host a nginx reverse-proxy on a docker container. I changed the IP address of the host and the stack complains about not reaching internet.

The DNS server of the host is adguard-home manager. Every computer has internet, but somehow this particular docker stack cannot access internet and every containers (4 actually: nginx, authelia, maxmind-geoip, and crowdsec) throw me “error occurred during dial: dial udp: lookup site.tld on 127.0.0.11:53: server misbehaving”

I guess it’s something on the host or on the docker configuration, but I cannot find what or where to search…
Can you please help me?

Thanks!

Is AGH running as container as well?

Can you check which DNS server has been registered for your NPM container?

docker exec <container-name-or-id> cat /etc/resolv.conf

Hello Joulinar,
First of all, thanks for your reply :smile:

Agh isn’t on a container no. It’s on the host.

docker exec nginx cat /etc/resolv.conf

gives:

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [192.168.0.11]
# Overrides: []
# Option ndots from: internal

192.168.0.11 is the host local address.

I tried the same command on other containers, it gives:

root@DietPi:~# docker exec 2e840d196ad6 cat /etc/resolv.conf
nameserver 127.0.0.1
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []

So I guess modifying 127.0.0.11 to 127.0.0.1 will solve the issue?
But I don’t get why one container gets .1 and the other gets .11. And I don’t know how to modify this…

Ah, and /etc/resolv.conf on the host reads:

nameserver 192.168.0.11

A setting I do not recommend. The best practice is to use a global public DNS provider like Cloudflare or Quad9 on the host system that hosts the local AGH/Pihole. Why? What happens if your local DNS server stops working? Your host will lose the ability to resolve its own DNS queries :wink:

Not sure if this will change anything. Containers normally use the internal Docker DNS server (127.0.0.11) to process DNS queries. If the internal Docker DNS server cannot resolve the request itself, it forwards it to the DNS servers that are configured in the Docker daemon. These DNS servers are usually taken from the host’s /etc/resolv.conf.

But in your case the internal Docker DNS server (127.0.0.11) doesn’t seem to be working fine. I guess you already tried to restart Docker/the whole system?
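As an added illustration of the two resolv.conf shapes posted above (this is example code written for this thread, not code from Docker or from anyone in the discussion), the parser below reads a Docker-generated resolv.conf, tells the "internal resolver" form (nameserver 127.0.0.11 with the daemon's upstreams in the "# ExtServers: [...]" comment) from the "legacy" form (host nameservers copied verbatim), and reports which servers a query really ends up at. The two sample files are constructed from the outputs in the thread; the handling of a `host(...)` entry, which newer daemons write when an upstream is reached from the host's namespace, is an assumption noted in the code.

```python
"""Parse a Docker-generated /etc/resolv.conf and work out where a container's
DNS queries actually go. Added example for this thread, not Docker's code."""
import ipaddress
import re

EMBEDDED_DNS = "127.0.0.11"  # Docker's embedded resolver on user-defined networks

# Constructed samples, copied from the two outputs posted in the thread.
INTERNAL_SAMPLE = """\
# Generated by Docker Engine.
nameserver 127.0.0.11
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [192.168.0.11]
# Overrides: []
"""

LEGACY_SAMPLE = """\
nameserver 127.0.0.1
# Generated by Docker Engine.
# Based on host file: '/etc/resolv.conf' (legacy)
# Overrides: []
"""

EXT_RE = re.compile(r"#\s*ExtServers:\s*\[(.*)\]")


def parse_resolv_conf(text):
    """Return the nameservers, the ExtServers comment and the resolver mode."""
    info = {"mode": "legacy", "nameservers": [], "ext_servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = EXT_RE.match(line)
        if m:
            info["ext_servers"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
            continue
        if "(internal resolver)" in line:
            info["mode"] = "internal"
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) > 1:
            info["nameservers"].append(parts[1])
    return info


def effective_upstreams(info):
    """Servers that are really asked: behind 127.0.0.11 it is the ExtServers
    list (after Docker's own container names are tried), else the nameservers."""
    if EMBEDDED_DNS in info["nameservers"]:
        return list(info["ext_servers"])
    return list(info["nameservers"])


def loopback_upstreams(upstreams):
    """Loopback upstreams inside a container address the container's own
    network namespace, so they only work with network_mode: host or with a
    resolver running inside the container."""
    out = []
    for u in upstreams:
        # Assumed form "host(1.2.3.4)": reached from the host's namespace, so a
        # host loopback address there is fine and is not flagged.
        if u.startswith("host(") and u.endswith(")"):
            continue
        if ipaddress.ip_address(u).is_loopback:
            out.append(u)
    return out


def describe(text):
    info = parse_resolv_conf(text)
    ups = effective_upstreams(info)
    return {"mode": info["mode"], "upstreams": ups, "loopback": loopback_upstreams(ups)}


if __name__ == "__main__":
    for name, sample in (("nginx", INTERNAL_SAMPLE), ("other", LEGACY_SAMPLE)):
        print(name, describe(sample))
```

Run it against `docker exec <container> cat /etc/resolv.conf` output: for the nginx container above it reports mode internal with 192.168.0.11 as the only upstream, which is why the next thing to check is whether that address answers queries coming from the Docker network rather than from the host itself.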

I will edit this then.

Actually, yes, I even tried to reinstall docker + docker-compose with dietpi-software reinstall. Then I uninstalled docker completely, rebooted the host, reinstalled docker, then recreated the stacks from the yaml files. No luck.

Nothing seems to work. So I guess the issue is on the host, but I really don’t know what to check.

Theoretically you could try to work around it by setting a DNS server within /etc/docker/daemon.json or by specifying DNS servers during container start: docker run --dns 8.8.8.8 --dns 8.8.4.4 <image-name>

Maybe in addition, check if AGH is listening on all interfaces, allowing Docker to connect.

I’ll give it a try, but I’d rather not, because it used to work. So I must have unintentionally touched something and I’d like to know what :melting_face:
I did change something in the docker conf to allow uptime kuma on a distant SBC to connect to docker, but nothing related to DNS?!

Just checked, it is… I don’t understand.
My adguard-home conf is as follows:

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:8083
  session_ttl: 720h
users:
  - name: Pierre
    password: redacted
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: fr
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - tcp://ns0.fdn.fr
    - tcp://ns1.fdn.fr
    - https://ns0.fdn.fr/dns-query
    - https://ns1.fdn.fr/dns-query
    - tls://unfiltered.adguard-dns.com
    - tls://getdnsapi.net
    - tls://unicast.censurfridns.dk
    - tls://dns.cmrg.net
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 80.67.169.12
    - 2001:910:800::12
    - 80.67.169.40
    - 2001:910:800::40
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients:
    - 192.168.0.0/24
    - 10.8.0.0/24
    - 10.50.1.2/32
    - 127.0.0.1
    - 127.0.0.11
    - latitude
    - pixel
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - 172.19.0.5/16
    - 192.168.0.11/32
    - 192.168.0.1/32
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.0.1
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: true
  server_name: redacted
  force_https: true
  port_https: 0
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: /mnt/dietpi_userdata/adguardhome/certs/fullchain.pem
  private_key_path: /mnt/dietpi_userdata/adguardhome/certs/key.pem
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 168h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 720h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1
whitelist_filters: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: true
    bing: true
    duckduckgo: false
    ecosia: true
    google: false
    pixabay: true
    yandex: true
    youtube: false
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  safe_fs_patterns:
    - /mnt/dietpi_userdata/adguardhome/data/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 72
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: true
  protection_enabled: true

To me this conf should work with docker… ?

Anyway, I’ll poke around and update this topic. I’ll try to deactivate the uptime-kuma additional conf.
Thanks!

Guess what?
That was adguard-home all the time.

 allowed_clients:
    - 192.168.0.0/24 < LAN
    - 10.8.0.0/24 < VPN clients
    - 127.0.0.1 < Localhost
    - 127.0.0.11 < Localhost I guess?
    - latitude < laptop
    - pixel < android phone
    - 10.50.1.2/32 < used to be docker network!!!!!!!

Docker changed (I certainly did it without noticing) its IP range. Now it’s 172.x.x.x. I changed the 10.50.1.X CIDR range to a 172.x CIDR range, and everything works now.

I’m a dumbass.
Thanks Joulinar for the hints. It really helps to exchange ideas and put your problems in writing. I’m glad this community exists :smile:

Have a good night!

If I’m not mistaken it should be 172.x.x.x for a while already. And not changed recently.

Any reason for restricting access to AGH this way?

You are right. But I was using portainer previously. (I switched to dockge). And I may have modified the default range.

Yes! My instance is open to the world so I can use adguard home on my phone through DNS over https. So I’m restricting to my clients (pixel and latitude). But when you specify authorized clients the list has to be exhaustive, because that’s a white list.
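The root cause found above (a whitelist that named the old Docker subnet) and the point just made that allowed_clients has to be exhaustive both come down to one check: is the source address of a container's query covered by any address rule on the list? The script below, written as an added example for this thread (not from AdGuard Home or from the posters), performs that check over the allowed_clients list copied from the configuration posted earlier. The sample source 172.19.0.5 is taken from the trusted_proxies entry in that configuration and is used here as a constructed container address; 172.19.0.0/16 is assumed to be the compose network's subnet.

```python
"""Check which DNS query sources an AdGuard Home allowed_clients list admits.
Added example for this thread, not AdGuard Home's own code."""
import ipaddress

# Copied from the allowed_clients block posted above.
ALLOWED_CLIENTS = [
    "192.168.0.0/24",  # LAN
    "10.8.0.0/24",     # VPN clients
    "10.50.1.2/32",    # what the Docker network used to be
    "127.0.0.1",
    "127.0.0.11",      # a container's own loopback, never the source the host sees
    "latitude",        # ClientIDs: matched on the DoH/DoT identifier, not an address
    "pixel",
]

# Constructed sample sources: the host itself, a VPN peer, and a container
# on the (assumed) 172.19.0.0/16 compose network.
SAMPLE_SOURCES = ["192.168.0.11", "10.8.0.2", "172.19.0.5"]


def address_rules(allowed):
    """Split the list into address rules (IP or CIDR) and ClientID entries."""
    nets, client_ids = [], []
    for entry in allowed:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            client_ids.append(entry)
    return nets, client_ids


def is_allowed(source_ip, allowed):
    """True if a plain-DNS query from source_ip passes the allowlist. A plain
    UDP/TCP port-53 query carries no ClientID, so only address rules can
    admit it; a container on 172.19.0.0/16 is refused by the list above."""
    ip = ipaddress.ip_address(source_ip)
    nets, _ = address_rules(allowed)
    return any(ip in net for net in nets)


def uncovered_sources(sources, allowed):
    """Sources that would be refused, which is what the containers see as
    'server misbehaving'."""
    return [s for s in sources if not is_allowed(s, allowed)]


def extend_allowlist(allowed, subnet):
    """Return a copy of the list with subnet added, unless already covered."""
    net = ipaddress.ip_network(subnet, strict=False)
    nets, _ = address_rules(allowed)
    if any(net.subnet_of(existing) for existing in nets if existing.version == net.version):
        return list(allowed)
    return list(allowed) + [str(net)]


if __name__ == "__main__":
    print("refused:", uncovered_sources(SAMPLE_SOURCES, ALLOWED_CLIENTS))
    fixed = extend_allowlist(ALLOWED_CLIENTS, "172.19.0.0/16")
    print("after fix:", uncovered_sources(SAMPLE_SOURCES, fixed))
```

The real subnet to add comes from `docker network inspect <network>` on the host; a `/16` entry covers every address in that compose network, whereas the old `/32` entry only ever admitted one container.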

Why not use the VPN you have installed? Personally I’m using a Wireguard split tunnel on my mobile device to just forward DNS requests back home. Regular traffic goes via the mobile network. This way I don’t need to open my DNS server to the world.

Because on some clients VPN is impossible (at the office for instance) whereas DNS over https is unnoticed.
But you are right, VPN is probably more secure.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.