Fix docker-dns-resolution-failed: Docker container fails to resolve hostnames due to DNS issues

By Maya Rodriguez
Docker intermediate Linux macOS Windows

The docker-dns-resolution-failed error indicates that a Docker container is unable to resolve domain names to IP addresses, effectively preventing it from accessing external network resources like APIs, package repositories, or other services on the internet. This issue manifests as connectivity failures within the container, even if the host machine has full network access. Understanding and resolving this error is crucial for deploying functional containerized applications that rely on external communication.

1. Symptoms: Clear description of indicators and shell output.

When a Docker container experiences DNS resolution failures, the most immediate and common symptoms involve commands or applications within the container failing to connect to external services by hostname. Instead of successful connections, you will observe errors related to name resolution.

Typical indicators include:

  • Ping failures: Attempting to ping an external domain (e.g., google.com) from inside the container will result in an error message indicating that the host cannot be found or resolved.
  • HTTP/HTTPS request failures: Applications making web requests (e.g., curl, wget, or application-specific HTTP clients) will report errors such as “Could not resolve host,” “Name or service not known,” or “Temporary failure in name resolution.”
  • Package manager errors: Commands like apt update, yum install, or npm install will fail when trying to fetch packages from remote repositories, as they cannot resolve the repository hostnames.
  • Application logs: Your application’s logs will often contain explicit error messages from its networking components, detailing the inability to resolve specific hostnames required for its operation.

Example shell output from within a problematic container:

# Attempting to ping an external domain
/ # ping google.com
ping: bad address 'google.com'

# Or, depending on the container's base image and DNS resolver
/ # ping google.com
ping: google.com: Temporary failure in name resolution

# Attempting to fetch a web page
/ # curl https://www.example.com
curl: (6) Could not resolve host: www.example.com

# Attempting to update package lists (Debian/Ubuntu based)
/ # apt update
Err:1 http://deb.debian.org/debian bullseye InRelease
  Temporary failure in name resolution
Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
  Temporary failure in name resolution
Reading package lists... Done
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Temporary failure in name resolution
W: Failed to fetch http://deb.debian.org/debian-security/dists/bullseye-security/InRelease  Temporary failure in name resolution
W: Some index files failed to download. They have been ignored, or old ones used instead.

These symptoms collectively point to a fundamental issue with how the container is configured to perform DNS lookups, preventing it from translating human-readable hostnames into network-routable IP addresses.

2. Root Cause: Technical explanation of the underlying cause.

The docker-dns-resolution-failed error primarily stems from the Docker container’s inability to correctly query a DNS server to resolve hostnames. Docker containers, by default, inherit DNS settings from the Docker daemon, which in turn often attempts to inherit from the host system’s /etc/resolv.conf or uses its own internal DNS resolver. When this chain of inheritance or the configured DNS servers are faulty, resolution fails.

Several technical factors can contribute to this problem:

  • Invalid Host DNS Configuration: Docker often copies the host’s /etc/resolv.conf into the container. If the host’s resolv.conf contains unreachable, incorrect, or non-existent DNS server entries, the container will inherit these faulty settings. This is particularly common on hosts using systemd-resolved or NetworkManager which might manage /etc/resolv.conf dynamically, sometimes pointing to a local resolver that isn’t accessible from within the Docker bridge network.
  • Docker Daemon DNS Misconfiguration: The Docker daemon itself can be explicitly configured with DNS servers via its daemon.json file. If these configured servers are incorrect, unreachable, or if the daemon.json file has syntax errors preventing its proper parsing, containers launched by this daemon will suffer from DNS issues.
  • Network-Specific DNS Issues: If you are using custom Docker bridge networks, overlay networks, or other advanced networking setups, the DNS configuration for these specific networks might be misconfigured or lack proper routing to external DNS servers.
  • VPN Interference: When the host machine is connected to a Virtual Private Network (VPN), the VPN client often modifies the host’s DNS settings to use internal VPN DNS servers. These VPN-provided DNS servers might not be accessible from the Docker bridge network, or they might only resolve internal corporate domains, failing for public internet domains.
  • Firewall Restrictions: Host-level firewalls (e.g., ufw, firewalld, iptables) or corporate network firewalls might be blocking outgoing UDP/TCP traffic on port 53 (the standard DNS port) from the Docker bridge network interface, preventing containers from reaching any DNS server.
  • Docker’s Internal DNS Resolver: Docker has an internal DNS resolver that handles container-to-container name resolution. While this usually works well for services within the same Docker network, issues can arise if it’s misconfigured or if it fails to correctly forward external DNS queries to the configured upstream servers.

Understanding which of these underlying causes is at play is key to applying the correct fix.

3. Step-by-Step Fix: Accurate fix instructions. You MUST use “Before:” and “After:” labels for code comparison blocks.

Resolving DNS resolution failures in Docker containers typically involves ensuring that the container has access to valid and reachable DNS servers. Here are several methods, ordered from most common to more specific scenarios.

Option 1: Specify DNS Servers for a Single Container

This is a quick way to test a fix or apply it to a specific container without altering the Docker daemon’s global configuration.

# Before: Running a container without explicit DNS settings
docker run --rm alpine ping google.com

# After: Running a container with Google's public DNS servers
docker run --rm --dns 8.8.8.8 --dns 8.8.4.4 alpine ping google.com

If this resolves the issue, you can incorporate the --dns flag into your docker run commands or docker-compose.yml service definitions.

Option 2: Configure Docker Daemon’s Global DNS Settings

This method applies DNS settings to all containers launched by the Docker daemon, unless overridden by --dns in docker run. This is often the most robust solution for persistent issues.

  1. Locate daemon.json:

    • Linux: /etc/docker/daemon.json
    • macOS/Windows (Docker Desktop): Access Docker Desktop settings -> Docker Engine. You’ll find a JSON editor there.

  2. Edit daemon.json: Add or modify the "dns" array with your preferred DNS servers. Google’s public DNS (8.8.8.8, 8.8.4.4) or Cloudflare’s (1.1.1.1, 1.0.0.1) are good choices.

    Before:

    {}

    Or an existing daemon.json without a dns entry:

    {
  "log-level": "info",
  "max-concurrent-downloads": 3
}

    After:

    {
  "dns": ["8.8.8.8", "8.8.4.4"]
}

    If you have other settings, merge them:

    {
  "log-level": "info",
  "max-concurrent-downloads": 3,
  "dns": ["8.8.8.8", "8.8.4.4"]
}

  3. Restart Docker Daemon: For changes to daemon.json to take effect, you must restart the Docker daemon.

    # On Linux systems using systemd
sudo systemctl restart docker

# On macOS/Windows, restart Docker Desktop from the tray icon.

Option 3: Check and Correct Host’s /etc/resolv.conf (Linux Specific)

Docker often copies the host’s /etc/resolv.conf. If it’s misconfigured, containers will inherit the problem.

  1. Inspect Host’s resolv.conf:

    cat /etc/resolv.conf

    Look for nameserver entries. If they point to 127.0.0.53 (systemd-resolved) or other local addresses, Docker might struggle to reach them.

  2. Temporary Fix (if resolv.conf is managed by systemd-resolved): You can temporarily disable systemd-resolved from managing resolv.conf and create a static one.

    sudo systemctl stop systemd-resolved
sudo rm /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf
sudo systemctl start systemd-resolved # Restart if needed, but ensure resolv.conf isn't overwritten

    A more robust solution for systemd-resolved is to configure it to use specific upstream DNS servers or to ensure Docker is configured to use external DNS directly (Option 2).

Option 4: Use host Network Mode (Bypass Docker DNS)

This is a less secure but effective workaround, making the container share the host’s network stack, including its DNS resolution. Only use if other options fail and you understand the security implications.

# Before: Default bridge network
docker run --rm alpine ping google.com

# After: Host network mode
docker run --rm --network host alpine ping google.com

Option 5: Check VPN and Firewall

If you are using a VPN, temporarily disconnect it and re-test. If the issue resolves, configure your VPN client to allow Docker’s network traffic or use explicit DNS servers in daemon.json that are reachable both with and without the VPN. Review your host’s firewall rules to ensure UDP/TCP port 53 traffic is not blocked for the Docker bridge interface.

4. Verification: How to confirm the fix works.

After applying any of the fixes, it’s crucial to verify that DNS resolution is now working correctly within your Docker containers.

  1. Launch a new test container: It’s important to launch a new container, as changes to daemon.json or host network settings do not affect already running containers.

    docker run --rm alpine ping google.com -c 3
    • Expected Output (Success): 
      PING google.com (142.250.186.142): 56 data bytes
64 bytes from 142.250.186.142: seq=0 ttl=117 time=12.345 ms
64 bytes from 142.250.186.142: seq=1 ttl=117 time=12.678 ms
64 bytes from 142.250.186.142: seq=2 ttl=117 time=12.123 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 12.123/12.382/12.678 ms

  2. Test with curl or wget:

    docker run --rm alpine curl -s https://www.example.com > /dev/null && echo "Success" || echo "Failure"
    • Expected Output (Success): Success

  3. Verify within your application container: If your application container was experiencing issues, restart it (or the service within it) and check its logs for any DNS-related errors. Attempt to trigger the functionality that previously failed due to DNS resolution.

    docker restart <your_container_name_or_id>
docker logs <your_container_name_or_id>

    Look for successful external connections or the absence of “Could not resolve host” errors. If the application now functions as expected, the DNS resolution issue has been successfully addressed.

5. Common Pitfalls: Key mistakes to avoid.

When troubleshooting docker-dns-resolution-failed, several common mistakes can prolong the diagnostic process or lead to incomplete fixes. Being aware of these pitfalls can save significant time.

  • Forgetting to Restart Docker Daemon: Changes made to /etc/docker/daemon.json are not applied dynamically. The Docker daemon must be restarted for these new configurations to take effect. A common error is editing the file and then immediately testing without a restart, leading to the conclusion that the fix didn’t work.
  • Using Unreachable or Invalid DNS Servers: Simply adding 8.8.8.8 or 1.1.1.1 is not always a guaranteed fix. Ensure that the DNS servers you specify are actually reachable from your host machine and, by extension, from the Docker bridge network. You can test this by pinging the DNS server IP from your host. If your network has specific internal DNS servers, those might be more appropriate.
  • Not Understanding Container Lifecycles: DNS settings applied via daemon.json or --dns are typically applied when a container is created or started. If you modify daemon.json, existing running containers will not automatically pick up the new DNS settings. You must stop and remove the old container, then launch a new one, or restart the existing one if the changes are applied via docker update (though --dns cannot be updated).
  • Ignoring Host-Level Network Issues: Docker’s networking relies heavily on the host’s network configuration. If the host itself has DNS problems, firewall rules blocking port 53, or VPN interference, these issues will often propagate to Docker containers. Always verify host network connectivity and DNS resolution first.
  • Incorrect daemon.json Syntax: The daemon.json file must be valid JSON. A missing comma, bracket, or quote can prevent Docker from parsing the file, causing it to revert to default settings or fail to start. Always validate your JSON before restarting the daemon.
  • Confusing docker run --dns with daemon.json: The --dns flag on docker run overrides any DNS settings configured in daemon.json for that specific container. If you’ve set global DNS in daemon.json but are still using --dns with an incorrect server in your docker run command, the global setting will be ignored.
  • Overlooking Custom Network DNS: If you’re using user-defined bridge networks or overlay networks, their DNS configuration might be distinct. While daemon.json provides a default, specific network configurations can override or complicate this. Ensure that custom networks are also configured correctly if they are in use.

Understanding errors that are similar or frequently co-occur with docker-dns-resolution-failed can help in broader troubleshooting and prevent future issues.

  • docker-network-host-unreachable: This error is a more general networking problem where a container cannot reach any host on the network, not just due to DNS. While DNS resolution failure is a specific type of host unreachability (you can’t reach a host if you can’t find its IP), host-unreachable can also stem from routing issues, incorrect IP addresses, or complete network interface failures within the container or on the host. If DNS is resolved but ping or curl still fail, you might be dealing with a broader host-unreachable issue.
  • docker-container-startup-failure: Sometimes, DNS resolution issues can manifest as a container failing to start entirely. If an application within the container performs critical DNS lookups during its initialization phase (e.g., connecting to a database by hostname, fetching configuration from a remote service), a DNS failure can prevent the application from starting, leading to the container exiting with an error code. The root cause might be DNS, but the symptom is a startup failure.
  • docker-image-pull-failed: While less directly related, docker-image-pull-failed can occasionally be a symptom of underlying DNS problems. If the Docker daemon itself cannot resolve the hostname of the Docker registry (e.g., registry-1.docker.io for Docker Hub), it will fail to pull images. This indicates a DNS issue at the daemon level, which would also affect containers launched by that daemon.
Docker DNS Networking Container Resolution Host