Unbound 13.2 inside docker question

Phil Pennock unbound-users+phil at spodhuis.org
Tue Jan 25 23:38:10 UTC 2022


On 2022-01-24 at 22:54 -0700, Marek Abram via Unbound-users wrote:
> I have an unbound 13.2 running in my docker container on Synology NAS and it is working. However I have one question.
> My plan is to use it as primary DNS on my LAN. When I access the NAS where docker is installed and perform nslookup I get a proper response from the unbound DNS IP. Same if I am on a different computer, set up DNS to point to the NAS IP (192.168.50.200) and it's responding properly to the dig command.
> 
> One issue I have is when I am inside the container and perform a dig command like dig cnn.com @192.168.50.200. This is the same IP I used at my network device as DNS server. I get this error message. Unbound is configured with interface 0.0.0.0 at port 53
> 
> ;; reply from unexpected source: 172.17.0.1#53, expected 192.168.50.200#53

The Docker container manager is using separate IP address ranges for
"inside" and "outside" and setting up firewall NAT rules to make things
appear the same.  But from inside the container, when you query against
the external address, the NAT rule isn't rewriting the source address
and so Unbound is replying directly.  Unbound doesn't know anything
about the external address.

Your choices are:
 1. Accept this quirk affecting you when you're inside the same
    container as unbound
 2. Run that container in host networking mode

You should consider what's happening with source port randomization for
the queries from Unbound to the outside world: this is an important
security measure for DNS and if the NAT/NAPT setup isn't rewriting the
ports to be equally random, you're introducing a security problem by
embedding the DNS resolver inside a separate network stack.

So if possible, you should be running the DNS resolver in host
networking mode.

-Phil
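A check for the source-port concern Phil raises, added here as an example and not part of his message or of Unbound: it parses tcpdump-style lines of the resolver's outbound queries (the sample lines are constructed, including the query IDs and the 192.0.2.10 upstream) and flags a capture in which a NAT has replaced Unbound's randomized ports with a sequential run or a single reused port. It assumes the capture was taken on the host's outside interface with `tcpdump -n udp dst port 53`.

```python
import re
from collections import Counter

# Constructed tcpdump-style captures of the resolver's outbound queries (not real data).
# First: source ports vary per query, as Unbound sends them from inside the container.
# Second: what a NAT that hands out ports in order would make them look like outside it.
RANDOMIZED_CAPTURE = """\
12:00:01.000100 IP 172.17.0.2.41523 > 192.0.2.10.53: 1001+ A? example.com. (29)
12:00:01.000200 IP 172.17.0.2.58231 > 192.0.2.10.53: 1002+ A? example.net. (29)
12:00:01.000300 IP 172.17.0.2.33012 > 192.0.2.10.53: 1003+ A? example.org. (29)
12:00:01.000400 IP 172.17.0.2.60877 > 192.0.2.10.53: 1004+ A? example.com. (29)
12:00:01.000500 IP 172.17.0.2.49201 > 192.0.2.10.53: 1005+ A? example.net. (29)
12:00:01.000600 IP 172.17.0.2.35664 > 192.0.2.10.53: 1006+ A? example.org. (29)
"""
NAT_CAPTURE = """\
12:00:02.000100 IP 192.168.50.200.1024 > 192.0.2.10.53: 2001+ A? example.com. (29)
12:00:02.000200 IP 192.168.50.200.1025 > 192.0.2.10.53: 2002+ A? example.net. (29)
12:00:02.000300 IP 192.168.50.200.1026 > 192.0.2.10.53: 2003+ A? example.org. (29)
12:00:02.000400 IP 192.168.50.200.1027 > 192.0.2.10.53: 2004+ A? example.com. (29)
12:00:02.000500 IP 192.168.50.200.1028 > 192.0.2.10.53: 2005+ A? example.net. (29)
12:00:02.000600 IP 192.168.50.200.1029 > 192.0.2.10.53: 2006+ A? example.org. (29)
"""

# "<ts> IP <src>.<sport> > <dst>.53: ..." -- only outbound queries to port 53 match
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+\.53: ")

def source_ports(capture: str) -> list[int]:
    """UDP source port of every query to port 53, in capture order."""
    return [int(m.group(2)) for line in capture.splitlines() if (m := QUERY_RE.search(line))]

def assess_port_randomization(capture: str, min_distinct_ratio: float = 0.8) -> dict:
    """Flag two signs of a NAT undoing Unbound's randomization: heavy reuse of one
    port, or ports allocated as one sequential run (1024, 1025, 1026, ...)."""
    ports = source_ports(capture)
    if not ports:
        raise ValueError("no queries to port 53 found in capture")
    distinct = sorted(set(ports))
    sequential = len(distinct) > 2 and all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
    ratio = len(distinct) / len(ports)
    return {
        "queries": len(ports),
        "distinct_ports": len(distinct),
        "most_common_port": Counter(ports).most_common(1)[0][0],
        "sequential": sequential,
        "randomized": ratio >= min_distinct_ratio and not sequential,
    }

if __name__ == "__main__":
    for name, cap in ("inside container", RANDOMIZED_CAPTURE), ("seen past NAT", NAT_CAPTURE):
        print(name, assess_port_randomization(cap))
```

Run it against a real capture on the host's outside interface; if the NAT-side result comes back non-randomized, that is the case for host networking mode.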

