Hello Colin, all

> On Monday, 24 August 2015 8:34 PM, Colin Walters <walt...@verbum.org> wrote:
> One problem with this is you're capturing *all* traffic to port 53,
> but I can imagine valid use cases for skipping the local resolver.
> We've already seen one with the hotspot detection.


  Yes, true. We realised that, but it's only a PoC for diverting container
DNS traffic to the local resolver on the host. We could tweak the DNAT rule
to divert specific DNS traffic, like say requests addressed to the docker0
(172.17.42.1) bridge interface, provided 'resolv.conf' inside the Docker
container holds '172.17.42.1' as the name server, instead of the Google
public DNS servers.


> Another more complex problem is that while your solution will work for the
> docker defaults, it's quite common to use something other than the defaults
> for clustered networking for e.g. Kubernetes.


  I see. I'm still experimenting with it, so not quite sure how different parts
fit together and work together.


About unbound(8) supporting Unix domain sockets,

  see -> https://github.com/docker/docker/issues/14627#issuecomment-122968821


The upstream 'docker/libnetwork' folks have proposed a similar solution of
having a DNS proxy service on the host which will route DNS traffic between
Docker containers and the host resolver.
---
Regards
   -P J P
http://feedmug.com 
_______________________________________________
cloud mailing list
cloud@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
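The two rule shapes discussed above, side by side, as an added example that is not code from this thread, from Docker or from libnetwork. It assumes the values the mail mentions (bridge docker0 at 172.17.42.1) plus one assumption of its own: a host resolver such as unbound listening on 127.0.0.1:53. The broad rule rewrites every port-53 packet leaving the bridge; the narrow rule only touches packets the container itself addressed to the bridge IP, so a container that deliberately names another resolver is left alone. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions (overridable):
# the bridge is docker0 at 172.17.42.1 (as in the mail) and the host
# resolver listens on 127.0.0.1:53.
BRIDGE_IF="${BRIDGE_IF:-docker0}"
BRIDGE_IP="${BRIDGE_IP:-172.17.42.1}"
RESOLVER="${RESOLVER:-127.0.0.1}"
IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of applying them
SYSCTL="${SYSCTL:-sysctl}"

# Broad PoC rule: every port-53 packet arriving from the bridge is rewritten,
# whichever nameserver the container asked for. This is what breaks a
# container that intentionally bypasses the host resolver (hotspot checks).
broad_rule() {
  printf '%s\n' "-t nat -A PREROUTING -i $BRIDGE_IF -p $1 --dport 53 -j DNAT --to-destination $RESOLVER:53"
}

# Narrowed rule: only packets addressed to the bridge IP are diverted, so a
# container whose resolv.conf names 172.17.42.1 reaches the host resolver
# while one that names 8.8.8.8 is untouched.
narrow_rule() {
  printf '%s\n' "-t nat -A PREROUTING -i $BRIDGE_IF -d $BRIDGE_IP -p $1 --dport 53 -j DNAT --to-destination $RESOLVER:53"
}

# Apply the UDP and TCP variants of one rule style ("broad" or "narrow").
apply_rules() {
  style="$1"
  case "$style" in
    broad|narrow) ;;
    *) echo "usage: apply_rules broad|narrow" >&2; return 2 ;;
  esac
  for proto in udp tcp; do
    # The rule string is intentionally word-split into iptables arguments.
    # shellcheck disable=SC2046
    "$IPT" $("${style}_rule" "$proto")
  done
  # The kernel drops packets DNATed from a bridge to 127.0.0.1 unless
  # route_localnet is enabled on that interface (the same knob Docker uses
  # for publishing ports on localhost).
  if [ "$RESOLVER" = "127.0.0.1" ]; then
    "$SYSCTL" -w "net.ipv4.conf.${BRIDGE_IF}.route_localnet=1"
  fi
}

# Check whether a container's resolv.conf will actually match the narrow
# rule: it must list the bridge IP as a nameserver. Pass the file path
# (e.g. the container's /etc/resolv.conf, or a copy taken with docker cp).
container_uses_bridge_dns() {
  grep -qx "nameserver $BRIDGE_IP" "$1"
}
```

Run `IPT=echo SYSCTL=echo sh script.sh` after adding `apply_rules narrow` at the bottom to see the rules without touching the host; the narrow variant is the one to keep if containers are started with `--dns 172.17.42.1`, and it still needs adjusting for any non-default bridge used by clustered networking, as Colin notes.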