I have a DNS server running on a CentOS 7 machine at `10.8.0.1`. On this machine, I have some docker images running on a subnet of `10.8.1.0/24`, without masquerading. I'd like the docker images to be able to resolve addresses from URLs defined in my local DNS server, but for some reason, no tutorials on Google helped me.

I tried editing the host machine's `/etc/resolv.conf`, which now looks like this:

```
# Generated by NetworkManager
search home centos
nameserver 10.8.0.1
nameserver 2001:730:3eb2::10
nameserver 2001:730:3eb2::11
```

I also tried editing `/etc/docker/daemon.json`, which looks like this:

```
{
"dns": ["10.8.0.1", "1.1.1.1"]
}
```

The docker container can resolve any URLs from global DNS servers, but I can't for the life of me figure out why it can't resolve the URLs in my local DNS server.

The host machine can resolve the DNS requests, as well as clients connecting to the machine via VPN, where the `dhcp-option DNS 10.8.0.1` is pushed to the clients connecting.

The containers can ping the address `10.8.0.1`.

One of the containers has the following `/etc/resolv.conf` file:

```
search home centos
nameserver 127.0.0.11
options ndots:0
```

My `named.conf` file looks as follows:

```
acl trusted {
2001:0db8:ee00:abcd::/64;
127.0.0.1;
10.8.0.0/8;
};
options {
listen-on port 53 { 127.0.0.1; 10.8.0.1; };
listen-on-v6 port 53 { ::1; 2001:db8:ee00:abcd::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { trusted; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
... #Zones are coming after this
```

`any` for both IPv4 and IPv6, with little luck.

jira.ropi.io, to the respective IP address. The DNS server works outside of the docker containers. If I try to `curl jira.ropi.io` on the docker host, it will resolve the address, just like the VPN clients connected to the network.
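One thing worth checking offline before touching Docker is whether the `allow-query { trusted; }` ACL actually covers a client coming from the container subnet, and whether the ACL entries are canonical prefixes. The script below is an added example, not part of the question; it parses only the `acl trusted` block as posted, normalizes each entry with Python's `ipaddress` module, and flags a prefix such as `10.8.0.0/8` whose host bits are not zero (how BIND itself interprets that entry is not shown on this page; `named-checkconf` is the place to confirm).

```python
import ipaddress
import re

# Constructed excerpt of the acl block from the question (not the full named.conf).
NAMED_CONF = """
acl trusted {
2001:0db8:ee00:abcd::/64;
127.0.0.1;
10.8.0.0/8;
};
"""


def parse_acl(conf, name):
    """Return the raw address/prefix entries of the acl block called `name`."""
    m = re.search(r"acl\s+%s\s*\{(.*?)\};" % re.escape(name), conf, re.S)
    if not m:
        raise ValueError("acl %r not found" % name)
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_entries(entries):
    """Normalize each entry to a network; warn when host bits are set in a prefix.

    10.8.0.0/8 is such a case: the address has bits beyond /8, so the prefix
    the ACL will actually match is 10.0.0.0/8, not a subnet around 10.8.x.x.
    """
    nets, warnings = [], []
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        try:
            ipaddress.ip_network(e, strict=True)
        except ValueError:
            warnings.append("%s: host bits set, normalizes to %s" % (e, net))
        nets.append(net)
    return nets, warnings


def allowed(nets, client):
    """True if the client address falls inside any ACL network."""
    ip = ipaddress.ip_address(client)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    nets, warnings = check_entries(parse_acl(NAMED_CONF, "trusted"))
    for w in warnings:
        print("WARNING:", w)
    # A container on 10.8.1.0/24 and a VPN client seen from an unrelated range.
    for client in ("10.8.1.5", "192.168.1.2"):
        print(client, "allowed" if allowed(nets, client) else "denied")
```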