Hello!
I'm going to post this in a docker specific forum as I believe it's more a docker issue/config than anything else but thought it might be a more common question here (but can't see any matching answers).
Setup
- Separate container instances of pi-hole running on 2 different hosts.
- keepalived has been configured as a floating IP across them (the issue is repeatable without this, but it is included for completeness).
- The hosts running pi-hole also run a number of other container based services.
- No common "pi-hole network" has been set up or associated with the other containers on the host. While this is a common Google answer and would fix the problem, putting them all in the same network group starts to defeat the point of the containers.
Scenario
- Containers running on the same host as the primary pi-hole instance fail resolution requests. Looking at the pihole log I can see the requests and responses (including retries) but the responses don't get back to the originating container.
- Pointing the request at a container on an alternative host works.
When the environment is run with DHCP handing out multiple DNS IPs (and not using keepalived), things "appear" to work, but that's down to clients retrying on the alternative host after failures. Not great from a resilience perspective, as they only have access to 50% of the DNS server pool. (In fact I hadn't noticed this behaviour until putting keepalived in the loop, giving the clients the impression of a single DNS server.)
What I think is happening is that DNS requests are being routed out of Docker to the virtual IP and then forwarded back in through Docker to pi-hole. The problem comes when pi-hole tries to send the response, as Docker realises it's between the 2 networks and blocks it rather than letting the response loop back at the host level.
So, is there a simple way to deal with this that doesn't involve either joining all the containers on the same network or bumping Pi-Hole up to host networking?