Cannot bind to port 53/udp on version 4.35.0

[rg9400]

Description

Starting from Docker version 4.35.0, I cannot bind port 53/udp into a container even though nothing is listening on it, breaking adguard/pihole. Downgrading to 4.34.3 instantly fixes the issue. Reproduced on a completely fresh install. I get the below error

Error response from daemon: Ports are not available: exposing port UDP 0.0.0.0:53 -> 0.0.0.0:0: listen udp4 0.0.0.0:53: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted.

Reproduce

1. Use the below compose

   services:
   adguard:
   image: adguard/adguardhome
   container_name: adguard
   user: 1000:1001
   ports:
     - 53:53/udp
   restart: unless-stopped

2. Run docker-compose up -d
3. Note the error
4. Downgrade to 4.34.3, try with everything else all equal, notice it works fine

Expected behavior

Docker should let me bind to this port because it's required for any container required to act as DNS. If I remove the /udp part, the container gets created but DNS queries do not seem to be properly filtering through that container like when udp was allowed on the earlier version

docker version

Client:
 Version:           27.3.1
 API version:       1.47
 Go version:        go1.22.7
 Git commit:        ce12230
 Built:             Fri Sep 20 11:39:44 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Desktop  ()
 Engine:
  Version:          27.3.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.7
  Git commit:       41ca978
  Built:            Fri Sep 20 11:41:11 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1-desktop.1
    Path:     /usr/local/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.7-desktop.1
    Path:     /usr/local/lib/docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.37
    Path:     /usr/local/lib/docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.15
    Path:     /usr/local/lib/docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/local/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     /usr/local/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /usr/local/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.14.0
    Path:     /usr/local/lib/docker/cli-plugins/docker-scout

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 1
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
 Kernel Version: 5.15.153.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 1.926GiB
 Name: docker-desktop
 ID: bb138157-a972-48ca-9631-cc80cbbe0906
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///var/run/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
WARNING: daemon is not using the default seccomp profile

Diagnostics ID

33E30AF5-4884-4E19-A2A6-CE186A66A788/20241026212349

Additional Info

No response

[baumheld]

Having the same problem

PiHole worked for months. No docker compose or pihole config changes were done. Only a Docker Desktop Upgrade to 4.35.0 (172550)

[akerouanton]

Hi @rg9400, thanks for reporting. This should be fixed in the next release.

[baumheld]

Just tested 4.35.1 Not fixed in this patch version. Maybe in the next minor version 4.36.0? https://docs.docker.com/desktop/release-notes/#4351

[akerouanton]

@baumheld Sorry for the confusion, I wasn't expecting a patch release to be made. 4.35.1 fixes a single, critical issue. The fix for 53/udp will be released in 4.36, which is due some time soon.

[Thelgow]

Absolute newbie here following a tutorial and also was getting this error. Even though I just downloaded Docker Desktop fresh, it was 4.35.1 I believe. In app it said no updates available, but I saw 4.36 listed in release notes. I hit check for updates. It offered 4.36 and now I entered that command and not getting a port53 error.