weserv / images

Source code of wsrv.nl (formerly images.weserv.nl), to be used on your own server(s).
https://wsrv.nl/
BSD 3-Clause "New" or "Revised" License

The hostname of the origin is unresolvable (DNS) or blocked by policy #350

Closed guozili2 closed 1 year ago

guozili2 commented 1 year ago

I have deployed it according to the Docker installation instructions.

then (CentOS 7): docker exec -it weserv /bin/bash # into the Docker container

then: vi /etc/nginx/imagesweserv.conf

modify resolver 8.8.8.8; to resolver 8.8.8.8 valid=5 ipv6=off; or resolver 127.0.0.11;

:wq

then: nginx -s reload

In any case, it fails and returns the following result: {"status":"error","code":404,"message":"The hostname of the origin is unresolvable (DNS) or blocked by policy."}

And my test URL, which uses the Cloudflare CDN to connect to my CentOS server: https://img.zuixinhanman.com/?w=470&h=250&fit=cover&url=https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png

kleisauke commented 1 year ago

Hi @guozili2,

What's the output of running:

# Check the DNS settings (ought to be inherited from the host when Docker's default bridge network is used)
$ cat /etc/resolv.conf | grep nameserver
# Install bind-utils for nslookup
$ dnf install -y bind-utils
# Try to resolve using the default DNS server(s) (specified in /etc/resolv.conf)
$ nslookup google.com
# ... and with Google's open DNS server
$ nslookup google.com 8.8.8.8
# ... and with Docker's embedded DNS server (when using a user-defined bridge)
$ nslookup google.com 127.0.0.11

within the container?

kleisauke commented 1 year ago

@guozili2 Are you able to answer the above question?

fellipeamedeiros commented 1 year ago

Hello @kleisauke, how are you?

I'm running on AWS and facing the same problems. What should the output of your commands be, so I can compare with my machine?

kleisauke commented 1 year ago

@fellipeamedeiros It depends on the current environment and OCI-compliant container runtime. For example, with Podman, I see:

$ podman run --rm -it --dns 1.1.1.1 --entrypoint bash ghcr.io/weserv/images:5.x
$ cat /etc/resolv.conf | grep nameserver
nameserver 1.1.1.1
$ dnf install -y bind-utils
$ nslookup google.com
Server:     1.1.1.1
Address:    1.1.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.39.110
Name:   google.com
Address: 2a00:1450:400e:810::200e
$ nslookup google.com 8.8.8.8
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.179.142
Name:   google.com
Address: 2a00:1450:400e:80d::200e
$ exit

So resolving google.com works both with Cloudflare's and Google's open DNS server. Docker's embedded DNS server should only be used if you use host networking (the --network host CLI argument).

By default we use Google's open DNS server, but this can be changed in /etc/nginx/imagesweserv.conf inside the pre-built Docker image. https://github.com/weserv/images/blob/6dcca50caea32dfbb71336980a7826b483b80229/ngx_conf/imagesweserv.conf#L55

See https://github.com/weserv/images/issues/206#issuecomment-567015037 if looking up IPv6 addresses is not desired. However, this is not always recommended, since there are numerous hosts that only support IPv6 and/or provide broken IPv4 fallbacks.

fellipeamedeiros commented 1 year ago

@kleisauke I have the result below

$ nslookup google.com
Server:     172.31.0.2
Address:    172.31.0.2#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.163.102
Name:   google.com
Address: 142.251.163.113
Name:   google.com
Address: 142.251.163.138
Name:   google.com
Address: 142.251.163.139
Name:   google.com
Address: 142.251.163.100
Name:   google.com
Address: 142.251.163.101
Name:   google.com
Address: 2607:f8b0:4004:c17::65
Name:   google.com
Address: 2607:f8b0:4004:c17::8a
Name:   google.com
Address: 2607:f8b0:4004:c17::8b
Name:   google.com
Address: 2607:f8b0:4004:c17::64

fellipeamedeiros commented 1 year ago

@kleisauke And do we need any specific ports? Today I only have ports 80/433 in the outbound rules.

kleisauke commented 1 year ago

@fellipeamedeiros Does nslookup google.com 8.8.8.8 work? Please open a new issue if it does not. You may also want to add an outbound rule for UDP port 53 to transmit DNS queries.
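An added diagnostic script (not from the weserv/images project) that combines the checks discussed in this thread: it reads the nameserver the container inherited from /etc/resolv.conf, the resolver nginx is configured with in /etc/nginx/imagesweserv.conf, and tests whether each one answers a query over UDP/53. The sample file contents are constructed, and the RUN_LIVE_DNS_CHECKS switch is an assumption of this script, not a weserv setting.

```shell
#!/bin/sh
# Added diagnostic script, not part of weserv/images. Checks mirror this issue:
# which nameserver the container got, which resolver nginx uses, and whether
# each of them answers over UDP/53 (the outbound port that had to be opened).

# Constructed sample inputs standing in for the two files inside the container.
SAMPLE_RESOLV_CONF='# Generated by Docker Engine
nameserver 172.31.0.2
search ec2.internal'
SAMPLE_NGINX_CONF='http {
    resolver 8.8.8.8 valid=5 ipv6=off;
    resolver_timeout 5s;
}'

# Print every nameserver listed in resolv.conf-style text ($1).
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Print the addresses of the first nginx "resolver" directive in text ($1),
# dropping parameters such as valid=5 or ipv6=off; commented lines are ignored.
nginx_resolvers() {
    printf '%s\n' "$1" | awk '$1 == "resolver" {
        sub(/;.*/, "")
        for (i = 2; i <= NF; i++) if ($i !~ /=/) print $i
        exit
    }'
}

# Return 0 if server $2 answers a query for name $1 (nslookup sends it over
# UDP/53 by default), non-zero otherwise.
dns_answers() {
    nslookup "$1" "$2" >/dev/null 2>&1
}

# Live run against the real files; only when RUN_LIVE_DNS_CHECKS=1 (assumed
# switch) so the parsing helpers above can also be exercised offline.
if [ "${RUN_LIVE_DNS_CHECKS:-0}" = 1 ]; then
    name=${1:-google.com}
    for server in $(resolv_nameservers "$(cat /etc/resolv.conf)") \
                  $(nginx_resolvers "$(cat /etc/nginx/imagesweserv.conf)"); do
        if dns_answers "$name" "$server"; then
            echo "OK   $server resolves $name"
        else
            echo "FAIL $server does not answer for $name (check UDP/53 egress)"
        fi
    done
fi
```

Run it inside the container as `RUN_LIVE_DNS_CHECKS=1 sh dns-diag.sh` to test the real files; a FAIL for the nginx resolver but OK for the inherited nameserver points at egress rules rather than at the resolver directive.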

fellipeamedeiros commented 1 year ago

@kleisauke Opening port 53 works, thanks for your help.

kleisauke commented 1 year ago

I hope this information helped. Please feel free to re-open if questions remain.