IPVLAN L3 is not forwarding non Docker DNS requests outside of the container anymore

[josoko]

Sorry, I don't know whether I am on the right location here.

The source of my request is this discussion:
https://forums.docker.com/t/ipvlan-l3-mode-driver-confusion/140569/6

But I am not able to bring an IPVLAN L3 config to a status where it will forward DNS requests to an Docker external DNS server.

I did a Docker Zabbix setup, which should be able to resolve Network related FQDN's which are not part of Docker environment for monitoring purposes. Every other Public IP address is reachable from the Docker containers (8.8.8.8, an network internal systems which are not part of the Docker environment).

Here docker version:

`docker info
Client: Docker Engine - Community
Version: 26.0.0
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.13.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.25.0
Path: /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 8
Running: 4
Paused: 0
Stopped: 4
Images: 8
Server Version: 26.0.0
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.1.0-18-amd64
Operating System: Debian GNU/Linux 12 (bookworm)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.24GiB
Name: geko
ID: 31466756-f345-41ef-8e38-4c1e517fd994
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false`

To test the network behaviour i deployed a busybox into the existing Docker Zabbix network:

docker run -itd --rm --name busybox2 \ --network 60_zbx_net_backend \ --ip 172.16.101.30 \ --dns 212.25.1.1 \ busybox da594a28bb7662decf9e3bbc51acfde3153253116a50593f371aec4601a2a084

Here the docker network inspect:

docker network inspect 60_zbx_net_backend
[
{
"Name": "60_zbx_net_backend",
"Id": "aef0aeb73b06c5c0a3125c420288b937580a25d1fed7d21fae96f6b883617aa4",
"Created": "2024-03-30T00:18:26.205715177+01:00",
"Scope": "local",
"Driver": "ipvlan",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.16.101.16/28"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"025b19d33527aca787065de649f6cd0b9b9dc3eb08505ad2c39d3a523e85764e": {
"Name": "60-zabbix-web-nginx-pgsql-1",
"EndpointID": "9963cd234c39156675ff5880f82c834d0706311c32ec0ad570b719243d5ca16c",
"MacAddress": "",
"IPv4Address": "172.16.101.18/28",
"IPv6Address": ""
},
"63f894fae9efb4f7d62204824716df66a8162797b62506dd53ad6dab676039c4": {
"Name": "60-zabbix-server-1",
"EndpointID": "0b48d688304826978b7193d9c27cad7eb5752994dc79edc0f76a45b4d39b4101",
"MacAddress": "",
"IPv4Address": "172.16.101.19/28",
"IPv6Address": ""
},
"bdd102c370cc414e507176c7205ac4e1b3b4864b300ec5ac9ce17533b54074cc": {
"Name": "60-postgres-server-1",
"EndpointID": "b7f62cf53ec0b77f09153c80cf93b0a84e29d85657751abdf10edd471189b5d6",
"MacAddress": "",
"IPv4Address": "172.16.101.21/28",
"IPv6Address": ""
},
"da594a28bb7662decf9e3bbc51acfde3153253116a50593f371aec4601a2a084": {
"Name": "busybox2",
"EndpointID": "db23feaeae4d70683384d54767d5b1eedf0730a72d1a121afce522ecfc2addd1",
"MacAddress": "",
"IPv4Address": "172.16.101.30/28",
"IPv6Address": ""
},
"e1a99d4846a4f6199382a4ae1b80d09b30bace78ae8d48afed7762b28176a32c": {
"Name": "60-zabbix-agent-1",
"EndpointID": "397fca45e45bbd96a83010ce599f5833a90874c3702145dbd9fcce7c99172e3b",
"MacAddress": "",
"IPv4Address": "172.16.101.20/28",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.enable_ipv6": "false",
"ipvlan_mode": "l3",
"parent": "eno1"
},
"Labels": {
"com.docker.compose.network": "zbx_net_backend",
"com.docker.compose.project": "60",
"com.docker.compose.version": "2.25.0"
}
}
]

Here a default /etc/resolve.conf output of the busybox:

docker exec -it busybox2 sh
'# cat /etc/resolv.conf'
'# Generated by Docker Engine.'
'# This file can be edited; Docker Engine will not make further changes once it'
'# has been modified.'

nameserver 127.0.0.11
search lan.mydomain.com (changed)
options ndots:0

'# Based on host file: '/etc/resolv.conf' (internal resolver)'
'# ExtServers: [212.25.1.1]'
'# Overrides: [nameservers]'
'# Option ndots from: internal'

How can I enforce the Docker containers/host to forward external DNS requests outside of the Docker environment? That was working in earlier Docker versions. If this has been restricted I am asking, why? In a IPVLAN L3 environment the user is responsible to protect its network by using firewalls etc. This function is essential in L3 network.

[npbern]

I'm the guy who wrote the post you linked to.

I've tried every modification to my configuration lab to get around this and cannot figure it out. If the answer going forward is "IPVLAN L3 mode containers need to have custome resolver.conf files for external DNS resolution" okay, that's fine, but that should really be in the documentation somewhere. I've re-read so much stuff and I'm still not confident in how I'm interpreting things so I need some idiot-proof documentation to spell it out for me.

Or it's a bug, in which case, cool, I'll downgrade until it's fixed.

[akerouanton]

@josoko Thanks for reporting! We changed the way our embedded DNS server is configured in v26, so it's most probably due to that. I created the following issue to further investigate: #47662.

[akerouanton]

The fix has been backported to v26 and should be released soon. I'll close this discussion.

[josoko]

@akerouanton Many thx!

[josoko]

Cool! It works again. Docker 26.0.1. Thank you moby team!