Docker containers can't resolve DNS on Ubuntu 14.04 Desktop Host

Woo, I found a post on github that solved my problem.

After Steve K. pointed out that it wasn't actually a DNS issue and was a connectivity issue, I was able to find a post on github that described how to fix this problem.

Apparently the docker0 network bridge was hung up. Installing bridge-utils and running the following got my Docker in working order:

apt-get install bridge-utils
pkill docker
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
service docker restart

If it is a DNS resolver problem, here is the solution:

First thing to check is run cat /etc/resolv.conf in the docker container. If it has an invalid DNS server, such as nameserver 127.0.x.x, then the container will not be able to resolve the domain names into ip addresses, so ping google.com will fail.

Second thing to check is run cat /etc/resolv.conf on the host machine. Docker basically copies the host's /etc/resolv.conf to the container everytime a container is started. So if the host's /etc/resolv.conf is wrong, then so will the docker container.

If you have found that the host's /etc/resolv.conf is wrong, then you have 2 options:

  1. Hardcode the DNS server in daemon.json. This is easy, but not ideal if you expect the DNS server to change.

  2. Fix the hosts's /etc/resolv.conf. This is a little trickier, but it is generated dynamically, and you are not hardcoding the DNS server.


1. Hardcode DNS server in docker daemon.json

  • Edit /etc/docker/daemon.json

    {
        "dns": ["10.1.2.3", "8.8.8.8"]
    }
    
  • Restart the docker daemon for those changes to take effect:
    sudo systemctl restart docker

  • Now when you run/start a container, docker will populate /etc/resolv.conf with the values from daemon.json.


2. Fix the hosts's /etc/resolv.conf

A. Ubuntu 16.04 and earlier

  • For Ubuntu 16.04 and earlier, /etc/resolv.conf was dynamically generated by NetworkManager.

  • Comment out the line dns=dnsmasq (with a #) in /etc/NetworkManager/NetworkManager.conf

  • Restart the NetworkManager to regenerate /etc/resolv.conf :
    sudo systemctl restart network-manager

  • Verify on the host: cat /etc/resolv.conf

B. Ubuntu 18.04 and later

  • Ubuntu 18.04 changed to use systemd-resolved to generate /etc/resolv.conf. Now by default it uses a local DNS cache 127.0.0.53. That will not work inside a container, so Docker will default to Google's 8.8.8.8 DNS server, which may break for people behind a firewall.

  • /etc/resolv.conf is actually a symlink (ls -l /etc/resolv.conf) which points to /run/systemd/resolve/stub-resolv.conf (127.0.0.53) by default in Ubuntu 18.04.

  • Just change the symlink to point to /run/systemd/resolve/resolv.conf, which lists the real DNS servers:
    sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

  • Verify on the host: cat /etc/resolv.conf

Now you should have a valid /etc/resolv.conf on the host for docker to copy into the containers.


In an attempt to add additional value to an issue I also experienced; with an alternative answer:

My network was office related and Google DNS settings were blocked so that the container could ping IP addresses but not domain names.

My host's /etc/resolv.conf originally looked like;

#Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search companyDomain.co.za

This is due to Network Manager doing some kind of masking of the DNS server details.

Unfortunately according to the docker manuals docker will filter out any localhost IP addresses when building the container's resolv.conf and replace them with Google's DNS IPs. Which in my case caused domain names to be off-limits.

I had to:

  • Reset my /etc/default/docker to default so containers use my host's resolv.conf content instead.
  • Edit /etc/NetworkManager/NetworManager.conf and comment out the line dns=dnsmasq. This is so NM can specify the actual DNS IP addresses instead of 127.0.0.1.
  • Restart NM with sudo service network-manager restart.
  • Restart docker service with sudo service docker restart.

Running a container would then allow it to do apt-get update/upgrade, for example.


Your error is here:

 Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8c01::19).
 connect (101: Network is unreachable) [IP: 2001:67c:1360:8c01::19 80]

This isn't an error with DNS, instead your system is trying to connect to IPv6 hosts and failing . Presumably because you don't have IPv6 access on your host. The actual lookup of the IPv6 address succeeds. (The ubuntu mirror/archive is available over both IPv6 and IPv4. You were just unlucky enough to hit an IPv6 one because your system believes it should work.)

You should either fix that, by installing miredo, or retry until your hit an IPv4 mirror.

Again the important thing to realize here is that DNS is not to blame, as you can see by your own ping tests.


Docker official doc gives instruments to configure a DNS server for use by Docker

  1. Open the /etc/default/docker file for editing:

    sudo nano /etc/default/docker
    
  2. Add a setting for Docker:

    DOCKER_OPTS="--dns 8.8.8.8"
    
  3. Replace 8.8.8.8 with a local DNS server such as 192.168.1.1. You can also specify multiple DNS servers. Separated them with spaces, for example:

    --dns 8.8.8.8 --dns 192.168.1.1
    

    Warning: If you're doing this on a laptop which connects to various networks, make sure to choose a public DNS server.

    PS: nm-tool can be used to check local host DNS server

  4. Save and close the file.

  5. Restart the Docker daemon.

    sudo service docker restart