4km3 / docker-dnsmasq Goto Github PK

Hi,

I've been trying to get this image to work on my laptop (Ubuntu 16.04.1 LTS) but I get the following error:

ERROR: for dnsmasq  Cannot start service dnsmasq: driver failed programming external connectivity on endpoint development_dnsmasq_1 (d6b0d37db7ab3d9c4caf681dbfb6514d424e8562e7f75cc1de079500a51a04d0): Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use
ERROR: Encountered errors while bringing up the project.

The output for netstat -tulpn| grep 53 says that I have a proces listening on TCP and running on UDP, both for port 53:

tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      3607/dnsmasq    
udp        0      0 127.0.1.1:53            0.0.0.0:*                           3607/dnsmasq    

Which is dnsmasq-base, a default package on ubuntu system.

I was wondering how others got to work around this without deinstalling the dnsmasq-base package from their ubuntu system ? I did some websearching and found I could use some proxy and/or should remove the package, but I don't want to. So hopefully someone here could help me out ?

Many thanks in advance.

Sometimes when the device is restarted the dnsmasq container will be stuck in a reboot loop with the logs showing the following error:

dnsmasq: failed to create listening socket for port 53: Address in use

Reason - it's conflicting with systemd-resolved on port 53

see: https://unix.stackexchange.com/questions/304050/how-to-avoid-conflicts-between-dnsmasq-and-systemd-resolved

Host device: Ubuntu 18.04

uname -a
Linux umbrela-bridge 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 17:59:52 UTC 2018

Hello,

I'm using Docker 18.09.0. Tried the 2.75, 2.78 and latest dnsmasq docker images.

I start the service with:

docker run --restart=always --name=dnsmasq -d -p 53:53/tcp -p 53:53/udp --cap-add=NET_ADMIN andyshinn/dnsmasq:2.75 --server=1.1.1.1

On the host machine, if I hit repeatedly

nslookup google.com

Some queries get stuck for some seconds. In browser this is seen as pages unable to load until I hit refresh. It renders the dns server unusable.

Using dnsmasq binary directly on host does not have this problem.

Hi, would it be possible to also push to quay.io to avoid download limits?

There is a critical vulnerability in dnsmasq. Can you update your image to 2.78 to fix it? Thanks!!

`version: '3.3'

services:
dnsmasq:
image: jpillora/dnsmasq
container_name: dnsmasq
ports:
- 53:53
cap_add: ['all']`

and local using telnet 127.0.0.1 return
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

it is strange

I have a dockerized dnsmasq runing on the localhost (ip is 192.168.10.53), i can resolve names correctly with that dnsmasq.

╭─ ➜  /root/dns-test (elk@55)
╰─ docker ps | grep dnsmasq
ee90b8e56363        andyshinn/dnsmasq:2.76                                   "dnsmasq -k --log-..."   About an hour ago   Up 11 minutes       0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp             jjt-dnsmasq

╭─ ➜  /root/dns-test (elk@55)
╰─ host mysql localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

mysql has address 192.168.10.75

I have a docker-compose.yml on the some host (ip is 192.168.10.53) like below:

version: "3"

services:
  ms-registry:
    image: ms-registry:1.0-SNAPSHOT
    restart: always
    ports:
      - 8761:8080
    dns: 192.168.10.53

After run docker-compose up, i enter the ms-registry container, but i can't resolve names correctly. But, if the containerized dnsmasq is running on the other host (eg. 192.168.10.55), i can resolve the name correctly.

So, what's the problem?

Trying to run:

docker run -p 53:53/tcp -p 53:53/udp --cap-add=NET_ADMIN andyshinn/dnsmasq:2.75 -S /foo.local.com/192.168.1.1

I get the error:

docker: Error response from daemon: driver failed programming external connectivity on endpoint sleepy_hoover (ddfd2efbe2007cb98633c41bb75d28185ea62a125cf79f31069cfbf030063c3b): Error starting userland proxy: listen tcp 0.0.0.0:53: bind: address already in use.
ERRO[0000] error waiting for container: context canceled

An idea of what I am doing wrong?

Hi;
The dockerized dnsmasq is old (2.72) so it doesn' support the 'hostsdir' config parameter. I need to have a shared directory (and not a file cause one file is locked but dir is not) like config-dir but re-readable on SIGHUP and that is 'hostsdir' or 'dhcp-hostsdir' which are both added after 2.72

Please update the dnsmasq binary to support this feature. I need it to use dnsmasq following docker-gen

I have a service name 'service', it is discoverable in dnsmasq

/ # ping service
PING service (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.129 ms
^C
--- service ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.129/0.129/0.129 ms

However when I specify the hostname alias with

dnsmasq --cname=service.example.com,service

neither in /etc/dnsmasq.conf

cname=cname=service.example.com,service

And the result

ping service.example.com
ping: bad address 'service.example.com'

The root user in the docker image has no password.
This may make it possible - if the service (running as nobody) is compromized - that an attacker could become root.

It should be sufficient to pull the latest alpine image an rebuild the image.

See also:
https://www.bleepingcomputer.com/news/security/bug-in-alpine-linux-docker-image-leaves-root-account-unlocked/
https://gist.github.com/jgamblin/6015a2020c1de3bc3aab19b361573b7f

Relates #23

Thankyou for the work on this project. I am starting to use it as my DNS at home to lookup 3 different subdomains, each via their own VPN gateway. So far the results are pretty promising. I have configured my router to use this docker ip as the DNS.

The only problem is I see an error "Maximum number of concurrent DNS queries reached (max: 150)".

I have two questions.

1. Can we change the logging verbosity to see the requests somehow?
2. Can we alter the configuration to fix this error?

Here is how I start the container:

user@h18licenseserver:~$ sudo docker run -p 53:53/tcp -p 53:53/udp --cap-add=NET_ADMIN andyshinn/dnsmasq:2.81 -S /grey.openfirehawk.com/10.1.1.4 -S /blue.openfirehawk.com/10.2.1.4 -S /green.openfirehawk.com/10.3.1.4 --log-facility=- | while read outlog; do echo "$(date): $outlog"; done 2>&1 | tee ~/dnsmasq.log &
[1] 4086
user@h18licenseserver:~$ dnsmasq[1]: started, version 2.81 cachesize 150
dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
dnsmasq[1]: using nameserver 10.3.1.4#53 for domain green.openfirehawk.com 
dnsmasq[1]: using nameserver 10.2.1.4#53 for domain blue.openfirehawk.com 
dnsmasq[1]: using nameserver 10.1.1.4#53 for domain grey.openfirehawk.com 
dnsmasq[1]: reading /etc/resolv.conf
dnsmasq[1]: using nameserver 10.3.1.4#53 for domain green.openfirehawk.com 
dnsmasq[1]: using nameserver 10.2.1.4#53 for domain blue.openfirehawk.com 
dnsmasq[1]: using nameserver 10.1.1.4#53 for domain grey.openfirehawk.com 
dnsmasq[1]: using nameserver 192.168.92.125#53
dnsmasq[1]: using nameserver 192.168.92.1#53
dnsmasq[1]: read /etc/hosts - 7 addresses
dnsmasq[1]: Maximum number of concurrent DNS queries reached (max: 150)

I was running the following to leverage this container to provide dns for consul with a passthrough to the google DNS server:

    docker run -d \
            -p 53:53/tcp -p 53:53/udp \
            --cap-add=NET_ADMIN \
            --name=dnsmasq \
            andyshinn/dnsmasq:2.75 \
                    --log-facility=- -q -R \
                    --dns-loop-detect \
                    --server="/consul/172.20.20.1#8600" \
                    --server="8.8.8.8"

This worked in docker for mac in version 2.0.0.0, but since the v2.1.0.0 update the following example commands timeout:

dig @172.20.20.1 -p 53 google.com ANY
dig @172.20.20.1 -p 53 my-service.service.consul ANY

(I also tried with the 2.78 and latest tags)

andyshinn/dnsmasq:latest doesn't provide dnssec validation supported by dnsmasq.

$ docker run --rm andyshinn/dnsmasq:latest dnsmasq -v
Dnsmasq version 2.81  Copyright (c) 2000-2020 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile

Please consider switching to dnsmasq-dnssec package or can you provide another dnssec flavored image? TIA!
Btw: dnsmasq 2.82 is available too.

The last image on dockerhub is 9 month old. Several new released versions are published in the meantime. To be able to use this image directly, instead of building locally an automated build and update job for the dockerhub images would be beneficial.

best,
Christian

The situation is:
I need to create a "Intranet" (internal) domains and then use Rancher with Traefik to accomplish a perfect "intranet" service that I already know how to handle. And all computers, smartphones or something have access to it.

I'm newbie creating intranets with personal internal domains (and exclusively with docker). I only deal with external DNS servers.

My question is, I can do it pointing my devices and PC to the DNS IP from this image running in this context i explained? I just need to set one domain and the rest the Traefik reverse proxy deals easely.

If not, could you point a tutorial or article with this theme context?

I have this Set:

My Machine is a Windows 10 FX 8350 so on.

Inside that machine has a virtual machine in VirtualBox. Connected via "Docker Quickstart terminal" (Docker Tools). Running Rancher and Traefik. Note, it's not a "Hyper-v" situation.

===== end =======

Just to update about my environment:

dnsmasq: failed to create listening socket for port 53: Address in use
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #

Is there a workaround for --cap-add=NET_ADMIN, because aws ecs agent doesn't support --cap-add?

It would be helpful when dnsmasq is configured by default to log to stdout/stderr
so one can attach docker log to it to see the logs.
Currently I get no logs at all when I attach to it with docker logs.

i'm new in dnsmasq, i run

docker run -d -p 53:53/tcp -p 53:53/udp --cap-add=NET_ADMIN 4km3/dnsmasq:2.85-r2

but i don't know what to do next, can you help ,thanks.

Please respond if you would like to adopt this repository. I would transfer to you and help facilitate the handoff of the Docker Hub account. Would prefer if you have prior Docker and Docker image management experience.

Hi,
may it be possible to make this image support multiple architectures(e.g. armv7) using a manifest list?
https://developer.ibm.com/linuxonpower/2017/07/27/create-multi-architecture-docker-image/

Thanks.

Best regards,
Jochen

When I start docker-compose up -d the DNS works well and I can resolve names from other servers but when I start the compose in swarm mode with docker stack deploy -c docker-compose.yml dns the DNS won't work.

In both cases the docker-compose.yml looks like this:

version: '3.8'
services:
dns:
restart: always
image: andyshinn/dnsmasq:2.81
volumes:
- ./dnsmasq.conf:/etc/dnsmasq.conf
ports:
- "53:53/tcp"
- "53:53/udp"
deploy:
mode: replicated
replicas: 1
placement:
constraints:
- node.id==o87t6ftvgb76t6iu7z

Any plans to use inotifywait to monitor the changes on files like dnsmasq.conf and althosts and send HUP signal ?

Similar to: this other image: https://github.com/aciobanu/docker-dnsmasq/blob/master/entrypoint.sh ?

First of all, thanks for this great image! It's changed the way I build my images. They've all gone on an Alpine Linux diet.

I can't get the container to work as a DHCP server though. It works fine as a DNS server on port 53 on the host machine, however there is nothing listening on port 67/udp, which is where I'm expecting DHCP to be. The host machine has a static IP of 192.168.2.2.

I start the container like this:

docker run -d --name dns -p 192.168.2.2:67:67/udp -p 192.168.2.2:53:53/udp sitapati/dns

With the container running, I use dhcping 192.168.2.2, but get "no answer". telnet 192.168.2.2 67 returns "Connection refused".

There is no firewall on this machine, which is running Ubuntu 16.04.

My dnsmasq.conf file in the container looks like this:

interface=eth0
user=root
domain-needed
bogus-priv
no-resolv
local=/mydomain.io/
no-poll
server=8.8.8.8
server=8.8.4.4
no-hosts
addn-hosts=/etc/dnsmasq_static_hosts.conf
expand-hosts
domain=mydomain.io
dhcp-range=192.168.2.10,192.168.2.250,255.255.255.0,192.168.2.255,5m
# Have windows machine release on shutdown
dhcp-option=vendor:MSFT,2,1i
# No default route
dhcp-option=3

Things I've thought of/tried:

• Is it because eth0 in the container has an address on a completely different subnet? (docker inspect tells me it's 172.17.0.2 on the bridged interface)
• does it need to use --net host? I tried that, and it still didn't work.