[25.0 backport] libnet: Don't forward to upstream resolvers on internal nw by vvoland · Pull Request #47589 · moby/moby
- What I did
Picked up Albin's change from #46609 - and added a regression test.
Commit cbc2a71 makes the `connect` syscall fail fast when a container is only attached to an internal network. Thanks to that, if such a container tries to resolve an "external" domain, the embedded resolver returns an error immediately instead of waiting for a timeout.
This commit makes sure the embedded resolver doesn't even try to forward to upstream servers - this is important when the host's DNS server is running on a localhost address. In this case, the internal resolver's upstream DNS requests are made from the host's network namespace, so they work even when the network is declared as 'internal'. Communication with external DNS servers is unexpected for an internal network.
- How Albin did it
Add a way to enable/disable upstream forwarding to the embedded resolver. When an endpoint joins/leaves a sandbox, this forwarding policy is modified based on whether there's an endpoint providing external connectivity.
- How to verify it
New regression test.
- Description for the changelog
Do not forward requests to external DNS servers for a container that is only connected to an 'internal' network. Previously, requests were forwarded if the host's DNS server was running on a localhost address, like systemd's 127.0.0.53.
- A picture of a cute animal (not mandatory but encouraged)
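The join/leave-driven forwarding policy described in the PR, modelled as an added Go example. This is not libnetwork's code: the types `Resolver`, `Sandbox`, `Endpoint`, the `SetForwardingPolicy` hook, the `ErrForwardingDisabled` error and the `countingUpstream` stand-in for the host's DNS server (the 127.0.0.53 case) are all hypothetical, and the addresses are constructed. It shows the invariant the change establishes: an unknown name is forwarded upstream only while at least one joined endpoint is on a non-internal network, so a container attached solely to an internal network gets an immediate error and the host's resolver is never queried.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrForwardingDisabled is returned for a name the embedded resolver does not
// know while no joined endpoint provides external connectivity. Hypothetical
// name; the page does not show libnetwork's real error.
var ErrForwardingDisabled = errors.New("resolver: upstream forwarding disabled, sandbox has no external connectivity")

// Upstream is what the resolver needs from the host's DNS server. In the daemon
// this query leaves from the host network namespace, which is why a server on
// 127.0.0.53 stays reachable even when every container network is internal.
type Upstream interface {
	Lookup(name string) ([]net.IP, error)
}

// Resolver models the embedded resolver: names it answers itself (containers
// on joined networks) plus the switch controlling upstream forwarding.
type Resolver struct {
	local      map[string][]net.IP
	upstream   Upstream
	forwarding bool
}

func NewResolver(up Upstream) *Resolver {
	return &Resolver{local: map[string][]net.IP{}, upstream: up}
}

// AddLocal registers a name the resolver answers without any upstream query.
func (r *Resolver) AddLocal(name string, ip net.IP) { r.local[name] = append(r.local[name], ip) }

// SetForwardingPolicy is the hook the sandbox flips on endpoint join/leave.
func (r *Resolver) SetForwardingPolicy(enabled bool) { r.forwarding = enabled }

// Resolve answers local names first; unknown names are forwarded only when the
// policy allows it, otherwise they fail immediately without touching upstream.
func (r *Resolver) Resolve(name string) ([]net.IP, error) {
	if ips, ok := r.local[name]; ok {
		return ips, nil
	}
	if !r.forwarding {
		return nil, ErrForwardingDisabled
	}
	return r.upstream.Lookup(name)
}

// Endpoint is one network attachment of a sandbox; Internal mirrors the
// network having been created with --internal.
type Endpoint struct {
	Network  string
	Internal bool
}

// Sandbox owns a resolver and the set of endpoints currently joined to it.
type Sandbox struct {
	Resolver  *Resolver
	endpoints map[string]Endpoint
}

func NewSandbox(up Upstream) *Sandbox {
	return &Sandbox{Resolver: NewResolver(up), endpoints: map[string]Endpoint{}}
}

func (s *Sandbox) Join(ep Endpoint) {
	s.endpoints[ep.Network] = ep
	s.updateForwardingPolicy()
}

func (s *Sandbox) Leave(network string) {
	delete(s.endpoints, network)
	s.updateForwardingPolicy()
}

// updateForwardingPolicy enables forwarding iff at least one joined endpoint
// is on a non-internal network, i.e. one that provides external connectivity.
func (s *Sandbox) updateForwardingPolicy() {
	external := false
	for _, ep := range s.endpoints {
		if !ep.Internal {
			external = true
			break
		}
	}
	s.Resolver.SetForwardingPolicy(external)
}

// countingUpstream stands in for the host's DNS server and counts queries, so
// the example can show that an internal-only sandbox never sends one.
type countingUpstream struct {
	Queries int
	answers map[string][]net.IP
}

func (u *countingUpstream) Lookup(name string) ([]net.IP, error) {
	u.Queries++
	if ips, ok := u.answers[name]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("upstream: no answer for %q", name)
}

func main() {
	// Constructed data: one container "db" on an internal network "backend".
	up := &countingUpstream{answers: map[string][]net.IP{"example.com": {net.ParseIP("93.184.216.34")}}}
	sb := NewSandbox(up)
	sb.Resolver.AddLocal("db", net.ParseIP("172.18.0.2"))
	sb.Join(Endpoint{Network: "backend", Internal: true})
	_, err := sb.Resolver.Resolve("example.com")
	fmt.Println("internal only:", err, "upstream queries:", up.Queries)
	sb.Join(Endpoint{Network: "bridge"})
	ips, err := sb.Resolver.Resolve("example.com")
	fmt.Println("with bridge:", ips, err, "upstream queries:", up.Queries)
}
```

The policy is recomputed from the full endpoint set on every join and leave rather than toggled incrementally, so disconnecting the last non-internal network switches forwarding off again and a later "external" lookup fails fast without a query reaching the host's resolver.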