I am having issues with using multiple name servers inside podman containers. Public domains don’t seem to resolve, but container names do resolve.
I am running one wireguard container acting as a VPN tunnel to Mullvad. 10.64.0.1 is configured as DNS inside this container. Two other containers are connected to the internet through the Mullvad container tunnel. I replaced the default IP route to route the traffic through Mullvad. Both containers which I want to connect through Mullvad are in a network called "mullvad-back-network". DNS in the "mullvad-back-network" is disabled, because I had issues with Mullvad while it was enabled. This is why both networks are internal, but container1 and container2 can still connect to the outside world.
Now I added another network called "connection-network" which should connect the two containers together, this time with the DNS option enabled. I want the two containers to be able to resolve each other's container names, so that when the IPs of the containers change, it doesn't affect the connection between the two containers. But I obviously also want the containers to be able to resolve any other domain (for example google.com).
I previously had to deploy a custom /etc/resolv.conf to force only using 10.64.0.1 as dns server, which I removed after I tried to add the connection-network. These are the two networks I configured using ansible:
```yaml
- name: Container1 - Create connection-network
  containers.podman.podman_network:
    name: connection-network
    ipv6: false
    subnet: 10.89.101.0/24
    gateway: 10.89.101.1
    internal: true
    opt:
      isolate: true

- name: Mullvad - Create mullvad-back-network
  containers.podman.podman_network:
    name: mullvad-back-network
    ipv6: false
    internal: true
    subnet: 10.89.100.0/24
    gateway: 10.89.100.1
    disable_dns: true
    opt:
      isolate: true
```
This is the /etc/resolv.conf of container1, after I added 10.64.0.1 using the `--dns` option instead:
```
search dns.podman dns.podman
nameserver 10.89.101.1 # <- dns of "connection-network"
nameserver 10.64.0.1 # <- mullvad dns (for all other domains)
nameserver 10.89.5.1 # <- dns of another network (also internal)
```
Now when I want to ping, for example, google.com, it doesn't work:
```
# ping google.com
ping: bad address 'google.com'
```
But resolving the container name of the other container works:
```
# ping container2
PING container2 (10.89.101.3): 56 data bytes
64 bytes from 10.89.101.3: seq=0 ttl=42 time=0.039 ms
...
```
If I try to resolve google.com using nslookup with 10.64.0.1 as the DNS server, it also works:
```
# nslookup google.com 10.64.0.1
Server:    10.64.0.1
Address:   10.64.0.1:53

Non-authoritative answer:
Name:      google.com
Address:   142.251.140.174

Non-authoritative answer:
Name:      google.com
Address:   2a00:1450:4001:804::200e
```
Not specifying 10.64.0.1 as the DNS server in nslookup fails, though. Adding this to /etc/resolv.conf helped:
```
options attempts:3 rotate single-request
```
But it only works about 50% of the time now. I guess that, instead of asking only the first nameserver, it also asks the others because it is rotating, but since I only allowed 3 attempts, it only sometimes works.
Is there a (minimal) way to reliably resolve domain names and container names using the nameservers?
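A small probe, added here as an example and not part of the original post, that sends the same A query directly to each nameserver from the resolv.conf above and reports each server's response code. It assumes the three nameserver addresses from the post, plain UDP on port 53 without EDNS, and is meant to show which server returns NXDOMAIN (a definite "no such name" that a stub resolver will not retry elsewhere) and which one times out.

```python
import socket
import struct

# The nameservers container1 ends up with, taken from the resolv.conf in the post.
NAMESERVERS = ["10.89.101.1", "10.64.0.1", "10.89.5.1"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, txid=0x1234):
    """Return (rcode name, answer RR count) from a raw DNS response header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):  # must be a response to our id
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), an


def query_server(server, name, timeout=2.0):
    """Ask one server directly; return (rcode, answers) or ('TIMEOUT', 0)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return ("TIMEOUT", 0)
    return parse_response(data)


def probe_all(name, servers=NAMESERVERS):
    """Query every configured nameserver independently, bypassing the stub resolver order."""
    return {srv: query_server(srv, name) for srv in servers}


if __name__ == "__main__":
    for srv, (rcode, answers) in probe_all("google.com").items():
        print(f"{srv:14} {rcode:9} answers={answers}")
```

Run it inside container1 for both google.com and container2: a server that answers NXDOMAIN for public names while another answers NOERROR is the one a stub resolver accepts first, which explains "bad address" without any server being unreachable.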