
I'm setting up a Docker container without internet access and it's slow.

The container seems to try to make DNS lookups, which are bound to fail and only time out slowly.

```
sudo docker network create --internal test-internal
time sudo docker run --rm --net test-internal -ti alpine ping -c 1 127.0.0.1
# ...
real    0m0.947s
```

```
time sudo docker run --rm --net test-internal -ti alpine ping -c 1 google.com
ping: bad address 'google.com'
#...
real    0m5.955s
```

It takes almost exactly 5 seconds longer to run ping with a hostname. As it happens, DNS resolution timeouts are commonly configured to 5 seconds.

I tried to set the DNS server to an unroutable IP address:

```
time sudo docker run --rm --net test-internal --dns 240.0.0.1 -ti alpine ping -c 1 google.com
```

My theory was that the DNS requests would quickly fail to go anywhere, but this didn't happen. The run still takes just as long.

The background here is that I'm running some integration tests to verify robustness when the internet is down. I want external DNS lookups to fail fast, but internal lookups (other Docker containers in the same network) should still work.

Is there a way to tell the Docker embedded DNS to never try external resolution, or to at least fail instantly rather than after 5 seconds?

Alternatively, does anyone know of a dummy DNS server software I could run that returns NXDOMAIN for every request?

  • Update: I configured a DNS server to return `SERVFAIL` immediately for all requests, but alpine still retried for 5 seconds. Returning `NXDOMAIN` works on the other hand. It's not the most convenient solution to have to run a custom DNS server so I'd still be grateful for other ideas and solutions. – Alexander Ljungberg Nov 27 '19 at 10:56

1 Answer

To answer your alternative question, sounds simple enough.

Make a zone for `.` and add only the NS record.

https://hub.docker.com/r/jacobdevans/nxdomain

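```
options {
        directory "/var/bind";
        listen-on { any; };
        listen-on-v6 { any; };
        allow-query {
             any;
        };

        allow-transfer {
                none;
        };
        pid-file "/var/run/named/named.pid";
        // Authoritative only: no recursion, so nothing is forwarded upstream.
        allow-recursion { none; };
        recursion no;
};

// Root zone: this server claims authority for every name.
zone "." IN {
        type master;
        file "/etc/bind/nxdomain.db";
};
```

and nxdomain.db:

```
$ORIGIN .
; Only the SOA, the NS and the name server's own A record exist in the zone.
@ 86400 SOA nxdomain. ( nxdomain 0 86400 600 604800 86400 )
@ NS nxdomain.
nxdomain IN A 127.0.0.1
```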
Jacob Evans