-
When OVERRIDE_DNS_1 was pointing to Cloudflare DNS, it was working fine. I changed it to my local DNS server (my home router) and now DNS resolution of github.com fails. Does someone have an idea? Is it expected that the Docker container is unable to route to the local LAN subnet? I'm not a Docker expert, I know they have their own network (I run my containers on DSM 7), but if it's able to route DNS queries to 1.1.1.1 I would expect it's able to reach the local DNS server as well, right?
-
What DNS setup have you got on the Docker network?
-
I don't think I have any DNS setup for my Docker network. I can see it's a 172.18.0.0/16 network, and there are two other containers on the same network which work just fine. Is there a difference between using the local DNS (home router) and a public DNS out there?
-
Open a console inside the container and see if you can ping correctly.
-
So the problem is, the container crashed immediately because it cannot resolve any DNS, hence I cannot use the console.
-
Ah, I think I figured it out. I had enabled the firewall on the Synology machine and it seems it's breaking DNS. If I disable the firewall, it works again. I need to figure out why. I have allowed the TCP port for the Transmission web interface through the firewall, but it seems it's not enough. Any other port the firewall should allow inbound?
-
two ideas.
-
To establish the VPN tunnel, a DNS lookup is required before the tunnel is established. I suspect the GitHub config files etc. are also downloaded before the tunnel is established; this also requires DNS outside the VPN tunnel. But this is not a problem for me anyway, and I'm fine using a public DNS once the tunnel is established. I must admit though, I do not understand how DNS resolution is happening before the tunnel is established. It seems to be bypassing my local DNS server (can't find a single "github.com" lookup from the right IP), which should not be possible. If you know how DNS resolution is done before tunnel setup, I would be interested.

Now to the actual problem: when I turn on the Synology firewall, DNS resolution (before the tunnel is established) is failing. Why? The firewall is only blocking inbound connections (from the point of view of the Synology box), and DNS is an outbound connection; this is what confuses me. Also the fact that other containers have zero issues on the same Docker network (portainer, ouroboros...). Unless somehow the Docker network is seen as external by the firewall... But then I'm left trying to understand which port I need to open here.
-
OK, resolved: the Docker container network is indeed considered as "outside" by the firewall. I have to allow connections from 172.18.0.0/16; that fixed the issue.
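The check behind the fix in the last comment, as an added example that is not part of the original thread: it lists which Docker network subnets are not covered by any source range in a host firewall allow-list. The JSON is a constructed sample in the shape of `docker network inspect` output; the network names, the second subnet and the LAN range are assumptions, and the firewall is assumed to match allow rules on source CIDR.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect <name>` output.
# Only 172.18.0.0/16 comes from the thread; names and the second network are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "transmission_default",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
    {"Name": "other_net",
     "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]}},
])


def docker_subnets(inspect_json):
    """Yield (network name, ip_network) pairs from inspect output."""
    for net in json.loads(inspect_json):
        # IPAM or Config can be null/empty (e.g. host-mode networks).
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            if cfg.get("Subnet"):
                yield net["Name"], ipaddress.ip_network(cfg["Subnet"])


def uncovered_subnets(inspect_json, allowed_sources):
    """Return Docker subnets that no allow-rule source range fully contains."""
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    missing = []
    for name, subnet in docker_subnets(inspect_json):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(
            subnet.version == a.version and subnet.subnet_of(a) for a in allowed
        )
        if not covered:
            missing.append((name, str(subnet)))
    return missing


if __name__ == "__main__":
    # Hypothetical allow-list: the home LAN only, as before the fix.
    for name, subnet in uncovered_subnets(SAMPLE_INSPECT, ["192.168.1.0/24"]):
        print(f"{name}: add an allow rule for source {subnet}")
```

On a real host, the input would be the output of `docker network inspect` for the networks in use rather than the embedded sample.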