UDP port 53 for dnsmasq fails (any port 1024 and lower)

[davidalger]

• [x] I have tried with the latest version of my channel (Stable or Edge)
• [ ] I have uploaded Diagnostics
• Diagnostics ID:

Expected behavior

Forwarding 127.0.0.1:53:53/udp should work in the latest stable release of Docker Desktop.

Actual behavior

Docker Desktop for Mac v2.1.0.0 was released and as is normal, users on the stable release of Docker for Mac were prompted to upgrade:

After upgrading, my (and other team members) dnsmasq container ceased to function. The issue appears to possibly be related to #3464, except for that task was originally opened as a result of TCP port 80. There are other users who reported similar issue there however with UDP port 53.

Information

• macOS Version: 10.14.6
• Docker Desktop version 2.1.0.0
• Issue is fully reproducible and can be seen by running the script on this gist: https://gist.github.com/davidalger/ff7be7e13f23ca59c96ada6004e3c25b

Steps to reproduce the behavior

1. Run the script on this gist: https://gist.github.com/davidalger/ff7be7e13f23ca59c96ada6004e3c25b

    curl -s https://gist.githubusercontent.com/davidalger/ff7be7e13f23ca59c96ada6004e3c25b/raw/529c296a20452b182cece5f7f5529530e95395da/dnsforwardtest.sh | bash

2. Note the connection timed out in the output for DNS lookups on UDP 53 and 1024, but not 1025 or 5000 and each of the lookups of TCP (regardless of port) succeed:

       davidalger:~$ curl -s https://gist.githubusercontent.com/davidalger/ff7be7e13f23ca59c96ada6004e3c25b/raw/529c296a20452b182cece5f7f5529530e95395da/dnsforwardtest.sh | bash
       ==> cd /var/folders/c8/l3c87j253jx43f5_whq5zsqc0000gn/T/dnstest.j1s2ZdZN
       ==> docker-compose up -d
       Creating network "dnstestj1s2zdzn_default" with the default driver
       Creating dnstestj1s2zdzn_dnsmasq_1 ... done
       ==> dig +noall +answer apple.com @127.0.0.1 -p 53
       ;; connection timed out; no servers could be reached
       ==> dig +noall +answer apple.com @127.0.0.1 -p 1024
       ;; connection timed out; no servers could be reached
       ==> dig +noall +answer apple.com @127.0.0.1 -p 1025
       apple.com.      74  IN  A   17.142.160.59
       apple.com.      74  IN  A   17.172.224.47
       apple.com.      74  IN  A   17.178.96.59
       ==> dig +noall +answer apple.com @127.0.0.1 -p 5000
       apple.com.      74  IN  A   17.178.96.59
       apple.com.      74  IN  A   17.172.224.47
       apple.com.      74  IN  A   17.142.160.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 53
       apple.com.      74  IN  A   17.142.160.59
       apple.com.      74  IN  A   17.178.96.59
       apple.com.      74  IN  A   17.172.224.47
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 1024
       apple.com.      74  IN  A   17.172.224.47
       apple.com.      74  IN  A   17.142.160.59
       apple.com.      74  IN  A   17.178.96.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 1025
       apple.com.      74  IN  A   17.178.96.59
       apple.com.      74  IN  A   17.172.224.47
       apple.com.      74  IN  A   17.142.160.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 5000
       apple.com.      74  IN  A   17.142.160.59
       apple.com.      74  IN  A   17.178.96.59
       apple.com.      74  IN  A   17.172.224.47
       ==> docker-compose down -v
       Stopping dnstestj1s2zdzn_dnsmasq_1 ... done
       Removing dnstestj1s2zdzn_dnsmasq_1 ... done
       Removing network dnstestj1s2zdzn_default

3. Running the same on the previous stable release of Docker for Mac (version 2.0.0.3) works as expected:

       davidalger:~$ curl -s https://gist.githubusercontent.com/davidalger/ff7be7e13f23ca59c96ada6004e3c25b/raw/529c296a20452b182cece5f7f5529530e95395da/dnsforwardtest.sh | bash
       ==> cd /var/folders/c8/l3c87j253jx43f5_whq5zsqc0000gn/T/dnstest.t8M3cNFL
       ==> docker-compose up -d
       Creating network "dnstestt8m3cnfl_default" with the default driver
       Pulling dnsmasq (jpillora/dnsmasq:)...
       latest: Pulling from jpillora/dnsmasq
       ba7f5deea89d: Pull complete
       bbeb009eb883: Pull complete
       609a25457ce0: Pull complete
       b0ad4c0d5e37: Pull complete
       d0477d12de9d: Pull complete
       Creating dnstestt8m3cnfl_dnsmasq_1 ... done
       ==> dig +noall +answer apple.com @127.0.0.1 -p 53
       apple.com.      3450    IN  A   17.172.224.47
       apple.com.      3450    IN  A   17.178.96.59
       apple.com.      3450    IN  A   17.142.160.59
       ==> dig +noall +answer apple.com @127.0.0.1 -p 1024
       apple.com.      3450    IN  A   17.142.160.59
       apple.com.      3450    IN  A   17.178.96.59
       apple.com.      3450    IN  A   17.172.224.47
       ==> dig +noall +answer apple.com @127.0.0.1 -p 1025
       apple.com.      3449    IN  A   17.172.224.47
       apple.com.      3449    IN  A   17.142.160.59
       apple.com.      3449    IN  A   17.178.96.59
       ==> dig +noall +answer apple.com @127.0.0.1 -p 5000
       apple.com.      3449    IN  A   17.178.96.59
       apple.com.      3449    IN  A   17.172.224.47
       apple.com.      3449    IN  A   17.142.160.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 53
       apple.com.      3449    IN  A   17.142.160.59
       apple.com.      3449    IN  A   17.178.96.59
       apple.com.      3449    IN  A   17.172.224.47
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 1024
       apple.com.      3449    IN  A   17.172.224.47
       apple.com.      3449    IN  A   17.142.160.59
       apple.com.      3449    IN  A   17.178.96.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 1025
       apple.com.      3449    IN  A   17.178.96.59
       apple.com.      3449    IN  A   17.172.224.47
       apple.com.      3449    IN  A   17.142.160.59
       ==> dig +tcp +noall +answer apple.com @127.0.0.1 -p 5000
       apple.com.      3449    IN  A   17.142.160.59
       apple.com.      3449    IN  A   17.178.96.59
       apple.com.      3449    IN  A   17.172.224.47
       ==> docker-compose down -v
       Stopping dnstestt8m3cnfl_dnsmasq_1 ... done
       Removing dnstestt8m3cnfl_dnsmasq_1 ... done
       Removing network dnstestt8m3cnfl_default

This issue makes the latest "stable" release of Docker Desktop completely unusable for myself and my colleagues, who rely on the dnsmasq container with a port forward for UDP 53 for *.test domains. Would be happy to provide more information if needed, but this appears to be a cut-n-dry case of a somewhat major regression in the stable release line.

[ericparton]

I'm having the same issue using a similar setup with the codekitchen/dinghy-http-proxy container which also binds to port 53 to resolve local test domains for developers. The following command works on the previous version of docker for mac, but not the latest one:

nslookup app.test 127.0.0.1

[JonathanGuo]

Same issue happens to us as well with andyshinn/dnsmasq. Previous docker version works fine until upgraded to the latest one.

Docker desktop community (for mac): 2.1.0.0 (36874) ENgine: 19.03.1 Compose: 1.24.1

[hagleyj]

I too am having this issue with a bind container and port 53 UDP. It does with with port 53 TCP though

[christhomas]

I also have this problem and now I have to downgrade docker in order for it to work again. It would be nice if we were given a more technical explanation of what is happening here rather than a patch is made or something like this. I would like to know why this is happening and what the resolution was. On a technical level.

Oops: I should have also added that yes, I confirm that hagleyj is right, 2.0.0.3 is functioning, but 2.1.0.0 is broken

[hagleyj]

I can confirm that downgrading to 2.0.0.3 stable allows UDP below 1024 to work again

[stephen-turner]

Any idea, @djs55?

[back-2-95]

Also see https://github.com/amazeeio/pygmy/pull/42

[djs55]

@davidalger thanks very much for the clear reproduction script. It does reproduce for me -- I'll try to figure out why. It's suspicious that it works for "unprivileged" ports but not for "privileged" ones. The code path for "privileged" ports is different so perhaps the problem is there.

[christhomas]

Just to give you some extra input. This has been an on-and-off problem with versions of docker for more than a year now. One version will be ok, the next will not be, a couple of versions after and it's back to normal again. Then it'll break suddenly. I was upgrading every edge version and having similar issues.

[stephdavid]

Hello, I have been suffering with this problem. I'm a little confused. Has it been fixed? If so, how do I go about sorting it on my system. This is stopping me from working on my local WordPress sites.

[guillaumerose]

We are preparing the release. It will be out tomorrow morning (UTC). You can give a try to https://download.docker.com/mac/stable/37199/Docker.dmg - it's the promoted build, not published yet.

[davidalger]

Nice turnaround time @guillaumerose and @djs55. You guys rock!

Just installed the promoted build and I can confirm that build 37199 (v2.1.0.1) as linked above resolves the issue both in the provided test case as well as with our tooling on Warden where I initially discovered the issue.

Looking forward to seeing the release drop tomorrow! 🎉

[guillaumerose]

Release is out! Edge will be updated today or Monday.

[christhomas]

Yes, this is working, thanks for the quick fix!

[docker-robott]

Closed issues are locked after 30 days of inactivity. This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle locked