
I have containers running via a service in ECS that start up every day. Today, they can't access resources because DNS is failing to resolve names (specifically, an AWS internal DNS entry).

The Docker host can resolve the name without issue. DNS settings in `/etc/resolv.conf` are the same in both the host and the container itself. I've tried running the container in both bridged and host network mode and neither worked (especially weird for host, given they are supposed to share a network stack, which I would think would include DNS services).

Normally, I would think something is wrong with the DNS server configuration or DNS entry configuration, but I don't have control over either of those things in this case (since the entry in question belongs to AWS).

Any ideas on how to fix this?

Valevalorin
  • Can you provide the output of an `nslookup domain.example` for your internal domain, executed inside a container? It seems to me it somehow does not use the AWS +2 resolver. – f7o Oct 26 '20 at 18:46
  • So I ran the command inside the container, and the first time I got `** server can't find nslookup: NXDOMAIN`. But, after exiting the container, checking the application logs, and re-entering the container I ran the command and got a list of IP addresses for the domain. So, it seems to be working/failing intermittently? – Valevalorin Oct 26 '20 at 19:13
  • I was more hoping to see if the container actually uses the +2 resolver: `Server: 192.168.2.1 Address: 192.168.2.1#53 ** server can't find test.local: NXDOMAIN` – f7o Oct 26 '20 at 19:16
  • Oh, for that section I'm seeing this: `Server: 172.30.0.2 Address: 172.30.0.2#53` – Valevalorin Oct 26 '20 at 20:13
  • Thanks, just wanted to make sure it uses the +2 resolver. Is the private domain name you'd like to resolve from Route 53, an interface endpoint, or an EC2 private DNS name? 172.30.0.0/24 is your VPC subnet, right? – f7o Oct 26 '20 at 20:17
  • It's for an Elasticsearch domain. 172.30.0.0/16 is the vpc subnet. – Valevalorin Oct 26 '20 at 20:24
  • Strange, ES domains with VPC endpoints are public domains resolved to private addresses anyway. If it works from the host, but not out of the container, I have no clue. Have you tried to run some simple container image, and resolve there? Spin up a new ECS node? Sorry, no more ideas, just the standard troubleshooting stuff! – f7o Oct 26 '20 at 20:46
  • Spinning up a simple container is something I hadn't considered. I'll try that. Thanks. – Valevalorin Oct 26 '20 at 20:49

1 Answer

Please see:

My docker container has no internet

Hard-coding a DNS entry in the Docker `daemon.json` worked for me. Not ideal, but it got me going.

Eric Manley
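The resolver check from the comments and the `daemon.json` workaround from the answer, as an added example (not code from the question, comments or answer): it derives the VPC +2 resolver from the CIDR, compares it with the container's `resolv.conf` and the `Server:` line of `nslookup`, and builds a `daemon.json` body. The sample inputs are constructed, and pinning `dns` to the +2 resolver is an assumption, since the answer does not say which server was hard-coded.

```python
import ipaddress
import json
import re

VPC_CIDR = "172.30.0.0/16"  # VPC range given in the comments
# Constructed samples: nslookup output and two container resolv.conf files.
NSLOOKUP_OUT = "Server:  172.30.0.2\nAddress: 172.30.0.2#53\n"
RESOLV_VPC = "search example.internal\nnameserver 172.30.0.2\n"
# 127.0.0.11 is Docker's embedded DNS, seen on user-defined networks.
RESOLV_EMBEDDED = "# constructed\nnameserver 127.0.0.11\noptions ndots:0\n"

def vpc_resolver(cidr):
    """Amazon-provided DNS answers at the VPC base address plus two."""
    return ipaddress.ip_network(cidr).network_address + 2

def nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf text, in order."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(ipaddress.ip_address(fields[1]))
    return found

def nslookup_server(output):
    """Return the resolver that answered, from nslookup's Server line."""
    match = re.search(r"^Server:\s*(\S+)", output, re.MULTILINE)
    return ipaddress.ip_address(match.group(1)) if match else None

def check(cidr, resolv_conf, nslookup_out):
    """Compare configured and answering resolvers with the +2 address."""
    expected = vpc_resolver(cidr)
    configured = nameservers(resolv_conf)
    return {
        "expected": str(expected),
        "configured_ok": expected in configured,
        "answered_ok": nslookup_server(nslookup_out) == expected,
        "other_resolvers": [str(ip) for ip in configured if ip != expected],
    }

def daemon_json(cidr):
    """Body for /etc/docker/daemon.json pinning container DNS (assumed target)."""
    return json.dumps({"dns": [str(vpc_resolver(cidr))]}, indent=2)

if __name__ == "__main__":
    print(check(VPC_CIDR, RESOLV_VPC, NSLOOKUP_OUT))
    print(check(VPC_CIDR, RESOLV_EMBEDDED, NSLOOKUP_OUT))
    print(daemon_json(VPC_CIDR))
```

Docker reads `daemon.json` when the daemon starts, so the `dns` setting only affects containers started after the daemon has been restarted.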