containers: In local dev, we should be able to set dns-servers to have predictable /etc/resolv.conf across platforms #6526

Merged: gabivlj merged 1 commit into main from gv/dns on Apr 8, 2026
Conversation

@gabivlj gabivlj (Contributor) commented Apr 8, 2026

The default in production is 1.1.1.1/8.8.8.8, so match that file.

This also fixes an issue where the container tries to reach the Docker DNS resolver which might break egress interception for some users.

We should avoid the pattern in local dev of docker reaching its internal DNS gateway, as it can also expose reachability to other containers in the local dev host. Users should leverage intercepting via Workers to reach other containers in the machine to have the same behaviour in both production and local dev.

…e predictable /etc/resolv.conf across platforms

The default in production is 1.1.1.1/8.8.8.8, so match that file.

This also fixes an issue where the container tries to reach the Docker
DNS resolver which might break egress interception for some users.

We should avoid the pattern in local dev of docker reaching its internal
DNS gateway, as it can also expose reachability to other containers in
the local dev host. Users should leverage intercepting via Workers to
reach other containers in the machine to have the same behaviour in both
production and local dev.
@gabivlj gabivlj requested review from a team as code owners April 8, 2026 15:11
@gabivlj gabivlj changed the title containers: In local dev, we should be able to set dns-servers to hav… containers: In local dev, we should be able to set dns-servers to have predictable /etc/resolv.conf across platforms Apr 8, 2026
@ask-bonk ask-bonk (Bot, Contributor) commented Apr 8, 2026

Good. The application container uses container: network mode (it shares the sidecar's network namespace at line 1681), so DNS settings on the sidecar container's network namespace will naturally apply to the application container too. This is correct design.

The PR is straightforward and well-implemented:

  1. Adds a constexpr array of DNS servers matching production defaults (1.1.1.1, 8.8.8.8)
  2. Sets them on the sidecar container's HostConfig.Dns field
  3. Adds a proper round-trip test for the capnp JSON encoding/decoding

The code follows KJ conventions (uses kj::size(), kj::indices(), kj::StringPtr with _kj literals). The Dns field already exists in the capnp schema. No backward compatibility concerns since this only affects local dev container creation. No security issues — it actually improves security by avoiding Docker's internal DNS resolver.

LGTM

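To make the mechanism in the review concrete, here is an added example (not workerd's code and not part of this PR): it models the two Docker create-container settings the review describes, the sidecar pinning `HostConfig.Dns` to the production defaults and the application container joining the sidecar's network namespace via `container:` network mode, and then checks a container's `/etc/resolv.conf` against the expected production resolvers. The Docker Engine API field names and the address 127.0.0.11 (Docker's embedded DNS resolver on user-defined networks) are assumptions drawn from Docker's documentation, not from this PR; the two resolv.conf bodies are constructed samples.

```python
"""Added example: model the DNS settings the PR pins and verify the
resulting /etc/resolv.conf. Not workerd code; field names and the
Docker embedded-resolver address are assumptions from Docker docs."""
import ipaddress

# Production defaults named in the PR description.
PRODUCTION_DNS_SERVERS = ("1.1.1.1", "8.8.8.8")

# Address of Docker's embedded DNS resolver on user-defined networks
# (assumption from Docker documentation, not stated in the PR).
DOCKER_EMBEDDED_DNS = "127.0.0.11"

# Constructed sample: what Docker writes by default on a user-defined network.
SAMPLE_DOCKER_DEFAULT_RESOLV_CONF = """\
# Generated by Docker Engine (constructed sample)
nameserver 127.0.0.11
options ndots:0
"""

# Constructed sample: what the sidecar sees once HostConfig.Dns is pinned.
SAMPLE_PINNED_RESOLV_CONF = """\
nameserver 1.1.1.1
nameserver 8.8.8.8
"""


def sidecar_host_config(dns_servers=PRODUCTION_DNS_SERVERS):
    """HostConfig fragment for the sidecar container: pinning Dns means the
    container never falls back to the daemon's embedded resolver."""
    return {"Dns": list(dns_servers)}


def app_host_config(sidecar_container_id):
    """HostConfig fragment for the application container. It joins the
    sidecar's network namespace and so inherits the sidecar's resolv.conf;
    it carries no Dns entry of its own."""
    return {"NetworkMode": f"container:{sidecar_container_id}"}


def parse_resolv_conf(text):
    """Return the nameserver addresses in a resolv.conf body, in file order.
    Both '#' and ';' introduce comments in resolv.conf."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolv_conf(text, expected=PRODUCTION_DNS_SERVERS):
    """Return a list of findings; an empty list means the file matches
    the production defaults and avoids loopback resolvers."""
    findings = []
    servers = parse_resolv_conf(text)
    if not servers:
        findings.append("no nameserver entries")
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable nameserver {server!r}")
            continue
        if server == DOCKER_EMBEDDED_DNS:
            findings.append(
                f"{server} is Docker's embedded resolver: lookups stay inside "
                "Docker's network instead of going through Worker-side interception"
            )
        elif addr.is_loopback:
            findings.append(f"{server} is a loopback resolver, not a production default")
    if servers and tuple(servers) != tuple(expected):
        findings.append(f"nameservers {servers} differ from production {list(expected)}")
    return findings


if __name__ == "__main__":
    print("sidecar:", sidecar_host_config())
    print("app:", app_host_config("<sidecar-container-id>"))
    print("docker default:", check_resolv_conf(SAMPLE_DOCKER_DEFAULT_RESOLV_CONF))
    print("pinned:", check_resolv_conf(SAMPLE_PINNED_RESOLV_CONF))
```

Run against a real container with `docker exec <id> cat /etc/resolv.conf` piped into `check_resolv_conf`: an empty result is the state this PR aims for, and a finding naming the embedded resolver is the Docker-DNS-gateway pattern the description says to avoid.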

@gabivlj gabivlj merged commit 694afa4 into main Apr 8, 2026
27 checks passed
@gabivlj gabivlj deleted the gv/dns branch April 8, 2026 17:04