Docker DNS overriding reverse lookups breaks add-on DNS server

[bboreham]

Context: I work for http://weave.works.

A user of our product reported an issue with reverse DNS at weaveworks/weave#2157 - Docker DNS is giving an answer which break's the user's Kerberos.

Weave provides a DNS server that has a few different features to Docker's DNS - it resolves the hostname for instance, and it allows the user to put containers in different DNS subdomains. For forward lookups we can ensure that Docker DNS doesn't answer by choosing a domain that doesn't match a network name.

For reverse lookups of container addresses, however, Docker DNS will answer first, and give an answer that doesn't match the forward lookup.

I know the standard answer is that Docker will not provide an option to disable the built-in DNS. But we would like a way to provide add-on features without work-arounds and subterfuge.

[justincormack]

There are some issues to make the DNS subsystem pluggable, eg see moby/libnetwork#936 and I think elsewhere too.I think this would be an option.

Do you think there is any way to fix the reverse DNS issue here other than that?

[mavenugo]

Docker DNS will respond to forward & reverse lookup only if a matching record is seen in the db (populated by container names, alias, link). If there is no match, it will forward the request to the user specified DNS server. While performing the forward & reverse lookup, it will be consistent with the information in its db and hence it should ideally not break the reverse lookup.

@bboreham I see from weaveworks/weave#2157 : 10.2.1.1 mongodb.weave.local mongodb in /etc/hosts. Can you please clarify on how that is populated ? I think that is the root-cause of the issue. cc @sanimej

[bboreham]

@mavenugo the situation is that in the forward lookup the name does not match, so is passed to WeaveDNS, but in the reverse lookup the address does match, so is answered by Docker DNS. And WeaveDNS has different features to Docker DNS so the responses are not consistent with each other.

The /etc/hosts file is written by Docker. 10.2.1.1 is the IP address on the Weave network (supplied by the plugin) and mongodb.weave.local comes from the hostname line in the docker-compose file. Can you expand why you think this is the root cause?

[bboreham]

@justincormack this issue was the spur for me to think more about pluggable DNS and to write #19474 (comment), but it was quickly shot down.

The other way is to provide an option to disable Docker DNS.

[LK4D4]

@mavenugo @sanimej @aboch any progress on this?

[sanimej]

I think we can let embedded DNS server defer the PTR queries to the external server selectively. I am going to try out some changes and push a PR if it works satisfactorily.