Can't reach Magic DNS of other device from inside Docker container

Hello everyone! I have 3 elements connected to Tailscale: my computer (no Docker running here, just Ubuntu 20) and two docker-compose clusters, each inside an AWS EC2 instance. These clusters are running two containers: one running Tailscale and the other one running a Jupyter Notebook.

The docker compose inside the EC2 instances looks like this:

services:
  tailscale:
    hostname: ${TAILSCALE_NAME}               # This will become the tailscale device name
    image: tailscale:latest
    volumes:
      - "./tailscale_var_lib:/var/lib"        # State data will be stored in this directory
      - "/dev/net/tun:/dev/net/tun"           # Required for tailscale to work
    restart: always
    cap_add:                                  # Required for tailscale to work
      - net_admin
      - sys_module

  jupyters:
    image: my_jupyter:latest
    init: true
    network_mode: service:tailscale
    env_file:
      - ./.tfenv
    restart: always

Let's say I have these 3 elements with names my_computer, docker1 and docker2, and a nameserver “examplecom” (with a dot before com, but as a new user I can’t post it if it is interpreted as a link :sweat_smile:).

From my computer's terminal these work:
ping docker1.example.com.beta.tailscale.net
ping docker1
ping 100.XXX.XXX.XXX (docker1's Tailscale IP address)

However, from inside the dockers I can only reach the other docker or my computer through their IPs; when I try to ping them with their Magic DNS name or their device name, I get a “Name or service not known” message.

For example, if I’m inside any of the dockers of the device docker1, these two work:
ping 100.XXX.XXX.XXX (docker2's Tailscale IP address)
ping 100.XXX.XXX.XXX (my_computer's Tailscale IP address)

And these won’t work:
ping docker2.example.com.beta.tailscale.net
ping docker2
ping my_computer.example.com.beta.tailscale.net
ping my_computer

I can even connect to both Jupyters from my computer's browser using the Magic DNS name, but I can’t connect two Python sockets between both Jupyters using the Magic DNS name.

In this example it doesn’t really matter, I could use the IPs for connecting those sockets. But for other applications I really need them to connect through their Magic DNS.

Does anyone know why this is happening? Am I doing something wrong? Or can this just not be done with Docker for now?

Thank you very much!

Hey @edumugi

did you ever resolve this situation? I am experiencing the same issue when deploying Docker on an Ubuntu host, while it is working as expected on a macOS host.

Thanks for any insights you could provide.

Lieven.

Which DNS server is being used from the host machine where the name lookup works, vs in the docker containers where it does not?

On a non-tailscale linux machine, /etc/resolv.conf reads:

nameserver 127.0.0.53 # use systemd-resolved.service

With tailscale and Magic DNS enabled, /etc/resolv.conf reads:

nameserver 100.100.100.100 # use tailscale DNS resolver.

Hey @LarryZa

thanks for your reply. The DNS is working fine on the host machine. After some further investigation it seems that the issue is not inside the docker container. It only occurs during the build process of the container. Once the container is up and running the DNS works as expected. That was not clear to me when I made the previous post.

On the docker host I can:

> ping testhost.tailnet-XXXX.ts.net
PING testhost.tailnet-XXXX.ts.net (100.XXX.YYY.ZZZ) 56(84) bytes of data.
64 bytes from testhost.tailnet-XXXX.ts.net (100.XXX.YYY.ZZZ): icmp_seq=1 ttl=64 time=3.57 ms

Once the container is running I can open a shell in the container and do the same.

/ # ping testhost.tailnet-XXXX.ts.net
PING testhost.tailnet-XXXX.ts.net (100.XXX.YYY.ZZZ): 56 data bytes
64 bytes from 100.XXX.YYY.ZZZ: seq=0 ttl=63 time=6.118 ms

However, when I try to perform the same command during the container build process by adding the statements

RUN ping -c 1 100.XXX.YYY.ZZZ
RUN ping -c 1 testhost.tailnet-XXXX.ts.net

then the first command works fine, while the second command fails with

#0 0.271 ping: bad address 'testhost.tailnet-XXXX.ts.net'

So, as far as I understand, the Docker container build process is not using the system DNS. I am no Docker expert and, with the information I can find online, I am not able to get this working correctly.

I have worked around this issue using the IP addresses of the tailscale-exposed hosts I need to reach during the build process. I will not win a beauty contest with this solution but at least it works :slight_smile:

Best regards,
Lieven.
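A small diagnostic helper, added here and not posted by anyone in the thread, that makes the comparison LarryZa suggests (which resolver each context uses) and that Lieven's build-time finding calls for. It reads a resolv.conf and reports whether the MagicDNS resolver 100.100.100.100 is present, whether only a loopback stub such as 127.0.0.53 is listed, and what a short name like docker2 expands to through the search list. The two sample files are constructed; the tailnet suffix is the one from the original post.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: classify the DNS setup
# that a resolv.conf hands out so the host, the running container and the
# image build stage can be compared side by side.
# Assumptions: 100.100.100.100 is the MagicDNS resolver and 127.0.0.53 the
# systemd-resolved stub (both as quoted by LarryZa); the sample files below
# are constructed, using the tailnet suffix from the original post.

# All nameserver addresses in the file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Search suffixes, space separated (the last "search" line wins).
search_domains() {
    awk '$1 == "search" { $1 = ""; out = $0 } END { sub(/^ +/, "", out); print out }' "$1"
}

# Succeeds when the file points at the MagicDNS resolver.
has_magicdns() {
    nameservers "$1" | grep -qx '100.100.100.100'
}

# Succeeds when every nameserver is a loopback stub such as 127.0.0.53;
# a different network namespace (container, build step) cannot reach those.
loopback_only() {
    ns=$(nameservers "$1")
    [ -n "$ns" ] && ! printf '%s\n' "$ns" | grep -qv '^127\.'
}

# Name a short hostname expands to via the first search suffix; a name that
# already contains a dot is used as-is. This is why "ping docker1" works on
# a host whose search list carries the tailnet suffix.
expand_name() {
    case "$1" in
        *.*) echo "$1" ;;
        *)
            suffix=$(search_domains "$2" | cut -d' ' -f1)
            if [ -n "$suffix" ]; then echo "$1.$suffix"; else echo "$1"; fi
            ;;
    esac
}

# Constructed samples: a host with MagicDNS, and a context that only sees a
# loopback stub (what a build step may end up with).
HOST_RESOLV=$(mktemp); STUB_RESOLV=$(mktemp)
printf 'nameserver 100.100.100.100\nsearch example.com.beta.tailscale.net\n' > "$HOST_RESOLV"
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$STUB_RESOLV"
```

Point the functions at /etc/resolv.conf on the host, inside the running container, and from a `RUN cat /etc/resolv.conf` step in the Dockerfile to see which context lacks the MagicDNS resolver or the search suffix.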