
This is a home experiment with Docker, pi-hole (container) and wormhole proxy (container) running on the same host. My docker host's OS is RHEL 7.x.

My original intent was to learn more about pi-hole, so I hosted the service as a container on a VM hosted within VMware ESXi. On some of my Linux VMs, I was able to use pi-hole as my DNS server by editing the /etc/resolv.conf file to point to pi-hole. Everything works fine there.

So when I wanted to test it on my physical primary desktop (Windows 10), I thought that instead of changing the DNS server through the Network Adapter Settings, I could host a Forward Proxy server (wormhole-proxy) container alongside the pi-hole container on the same docker host. And then I could simply tell the Forward Proxy server to use pi-hole as the DNS server.

Issues arise when the Forward Proxy Server uses pi-hole as DNS server. I would see the following error message in the Forward Proxy Server log.

wormhole_1_e0b4b0824de0 | 2018-10-07 05:32:28,528 wormhole[5]: [691dd8][192.168.20.40]: CONNECT 502 incoming.telemetry.mozilla.org:443 (gaierror: -3 Try again)
wormhole_1_e0b4b0824de0 | 2018-10-07 05:32:28,692 wormhole[5]: [643358][192.168.20.40]: CONNECT 502 incoming.telemetry.mozilla.org:443 (gaierror: -3 Try again)
wormhole_1_e0b4b0824de0 | 2018-10-07 05:32:28,693 wormhole[5]: [654eb8][192.168.20.40]: CONNECT 502 incoming.telemetry.mozilla.org:443 (gaierror: -3 Try again)

When hosting both the Forward Proxy Server container and the pi-hole container on the same docker host, if I don't explicitly tell the Proxy Server to use pi-hole as DNS then it works fine. If I host the Forward Proxy Server container on a different VM and then specify the proxy server to use pi-hole as DNS server then it works fine as well. That leads me to believe there is some form of conflict, but I am not sure what it would be because they are not sharing any ports.

To easily replicate my issue, here are the docker-compose.yml files that I used.

Below is the docker-compose.yml for wormhole-proxy (Forward Proxy) server. dns: is pointing at the docker host.

version: "3"
services:
  wormhole:
    image: bashell/wormhole:latest
    ports:
      - "8888:8800/tcp"
      - "8888:8800/udp"
    environment:
      TZ: "America/New_York"
    restart: always
    dns:
      - 192.168.10.120

Below is the docker-compose.yml for the pi-hole. You will need to change the host mounting point for the volume.

version: "3"
services:
  pihole:
    image: pihole/pihole:v4.0_amd64
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      # enter your docker host IP here
      ServerIP: 192.168.10.120
      # IPv6 Address if your network supports it
      # ServerIPv6:
      # jwilder/proxy envs, see readme for more info
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.local
      VIRTUAL_PORT: 80
      TZ: "America/New_York"
      DNS1: 208.67.222.222
      DNS2: 1.1.1.1
      WEBPASSWORD: stackexchange
    # Add your own custom hostnames you need for your domain
    # extra_hosts:
      #   Point any of the jwilder virtual_host addresses
      # to your docker host ip address
      # - 'pihole.yourdomain.local:192.168.1.55'
    volumes:
      - '/Development/Applications/pi-hole/volumes/pihole/:/etc/pihole/:z'
      # WARNING: if this log don't exist as a file on the host already
      # docker will try to create a directory in it's place making for lots of errors
      - '/Development/Applications/pi-hole/volumes/log/pihole.log:/var/log/pihole.log:z'
      - '/Development/Applications/pi-hole/volumes/dnsmasq.d:/etc/dnsmasq.d:z'
    restart: always
beyonddc

2 Answers

1

I would suggest to merge those two docker-compose.yml files into one:

version: "3"
services:
  wormhole:
    image: bashell/wormhole:latest
    # Compose expects the key `links` with a list of "service:alias" entries
    links:
      - "pihole:dns.local"
    ports:
      - "8888:8800/tcp"
      - "8888:8800/udp"
    environment:
      TZ: "America/New_York"
    restart: always
    dns:
      - dns.local
  pihole:
    image: pihole/pihole:v4.0_amd64
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      # enter your docker host IP here
      ServerIP: 192.168.10.120
      # IPv6 Address if your network supports it
      # ServerIPv6:
      # jwilder/proxy envs, see readme for more info
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.local
      VIRTUAL_PORT: 80
      TZ: "America/New_York"
      DNS1: 208.67.222.222
      DNS2: 1.1.1.1
      WEBPASSWORD: stackexchange
    # Add your own custom hostnames you need for your domain
    # extra_hosts:
      #   Point any of the jwilder virtual_host addresses
      # to your docker host ip address
      # - 'pihole.yourdomain.local:192.168.1.55'
    volumes:
      - '/Development/Applications/pi-hole/volumes/pihole/:/etc/pihole/:z'
      # WARNING: if this log don't exist as a file on the host already
      # docker will try to create a directory in it's place making for lots of errors
      - '/Development/Applications/pi-hole/volumes/log/pihole.log:/var/log/pihole.log:z'
      - '/Development/Applications/pi-hole/volumes/dnsmasq.d:/etc/dnsmasq.d:z'
    restart: always

Doing so adds both containers automatically into the same docker network and allows for linking of containers (see wormhole service above, where I assign dns.local as a hostname for the pihole container, but only in the scope of the wormhole container. Does that sentence make any sense?)

  • I understand your explanation. You are using the link feature to ensure both containers can communicate with each other. I tried the merged `docker-compose.yml` but it is still giving me the same exact error. – beyonddc Oct 07 '18 at 20:55
  • What you suggested on using `link` should work. I am not sure why it doesn't. Taking your suggestion and doing it using `custom network` instead of `link` works. Instead of merging the two `docker-compose.yml` files into one, I kept them separate. Instead, I ensured that both containers live inside the same network and had `wormhole-proxy` use the pi-hole container IP address instead of the docker host IP address as DNS server. I am going to clean up the `docker-compose.yml` for both containers and then post an answer to this question. Thanks for your tips! – beyonddc Oct 07 '18 at 21:34
0

Instead of having the forward proxy server point to the Docker host as the DNS server, I ensured that both the forward proxy server and the DNS server reside on the same Docker network and had the forward proxy server point to the DNS server IP address assigned by Docker.

The following is the docker-compose.yml for the forward proxy server

version: "3"
services:
  wormhole:
    image: bashell/wormhole:latest
    ports:
      - "8888:8800/tcp"
      - "8888:8800/udp"
    environment:
      TZ: "America/New_York"
    restart: always
    dns:
      - 172.20.0.99
    networks:
      - beyonddc
networks:
    beyonddc:
      external: true

The following is the docker-compose.yml for my DNS server

version: "3.5"
services:
  pihole:
    image: pihole/pihole:v4.0_amd64
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    networks:
       beyonddc:
         ipv4_address: 172.20.0.99
    environment:
      # enter your docker host IP here
      ServerIP: 192.168.10.120
      # IPv6 Address if your network supports it
      ServerIPv6: 2601:189:4200:eb2:250:56ff:febf:d245
      # jwilder/proxy envs, see readme for more info
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.local
      VIRTUAL_PORT: 80
      TZ: "America/New_York"
      DNS1: 208.67.222.222
      DNS2: 1.1.1.1
      WEBPASSWORD: stackexchange
    # Add your own custom hostnames you need for your domain
    # extra_hosts:
      #   Point any of the jwilder virtual_host addresses
      # to your docker host ip address
      # - 'pihole.yourdomain.local:192.168.1.55'
    volumes:
      - '/Development/Applications/pi-hole/volumes/pihole/:/etc/pihole/:z'
      # WARNING: if this log don't exist as a file on the host already
      # docker will try to create a directory in it's place making for lots of errors
      - '/Development/Applications/pi-hole/volumes/log/pihole.log:/var/log/pihole.log:z'
      - '/Development/Applications/pi-hole/volumes/dnsmasq.d:/etc/dnsmasq.d:z'
    restart: always
networks:
  beyonddc:
    driver: bridge
    # Must specify the name for the network again otherwise by default
    # Docker will use the folder name as prefix of the network.
    # The name field is only available in version 3.5 and beyond
    name: beyonddc
    ipam:
      config:
        - subnet: 172.20.0.0/16
beyonddc
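
An added example, not code from either answer: a small Python check for the two properties the working setup above has, namely that each `dns:` entry is an IP address inside a network the service joins, and that some service pins that address with `ipv4_address`. The function name `check_dns` and the reduced dictionaries are assumptions constructed from the compose files on this page.

```python
import ipaddress

# Constructed sample data: the page's compose files reduced to the keys this check reads.
# "networks" holds only explicitly declared networks and maps
# network name -> static ipv4_address (None when Docker picks the address).
SUBNETS = {"beyonddc": "172.20.0.0/16"}
QUESTION = {"wormhole": {"dns": ["192.168.10.120"], "networks": {}},
            "pihole": {"networks": {}}}
ANSWER_1 = {"wormhole": {"dns": ["dns.local"], "networks": {}},
            "pihole": {"networks": {}}}
ANSWER_2 = {"wormhole": {"dns": ["172.20.0.99"], "networks": {"beyonddc": None}},
            "pihole": {"networks": {"beyonddc": "172.20.0.99"}}}


def check_dns(services, subnets=SUBNETS):
    """Return (service, dns_entry, finding) tuples; an empty list means all entries pass."""
    # Every static address declared by any service, keyed by (network, address).
    pinned = {(net, ipaddress.ip_address(ip))
              for svc in services.values()
              for net, ip in svc.get("networks", {}).items() if ip}
    findings = []
    for name, svc in services.items():
        joined = svc.get("networks", {})
        for entry in svc.get("dns", []):
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                findings.append((name, entry, "not an IP address"))
                continue
            # Networks the service joins whose subnet contains the DNS address.
            on_net = [n for n in joined
                      if n in subnets and addr in ipaddress.ip_network(subnets[n])]
            if not on_net:
                findings.append((name, entry, "outside every network the service joins"))
            elif not any((n, addr) in pinned for n in on_net):
                findings.append((name, entry, "no service pins this address"))
    return findings


if __name__ == "__main__":
    for label, cfg in [("question", QUESTION), ("answer 1", ANSWER_1), ("answer 2", ANSWER_2)]:
        print(label, check_dns(cfg) or "ok")
```
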