DNS resolution within raspberymatic docker container fails

[cubed-it]

Describe the issue you are experiencing

Hello everyone,

I have set up a raspberry latest distro with docker + raspberymatic and have problems with DNS resolution within the container.

I have created the container exactly according to the following blueprint: https://github.com/jens-maus/RaspberryMatic/wiki/Installation-Docker-OCI#using-docker-compose

services:
  homematic:
    image: ghcr.io/jens-maus/raspberrymatic:latest
    container_name: homematic
    hostname: homematic
    read_only: true
    privileged: true
    restart: unless-stopped
    stop_grace_period: 30s
    volumes:
      - /home/<user>/docker/homematic:/usr/local:rw
      - /lib/modules:/lib/modules:ro
      - /run/udev/control:/run/udev/control
    networks:
      homematic:
        ipv4_address: 192.168.145.9  
        
networks:
  homematic:
    name: homematic
    driver: macvlan
    driver_opts:
      parent: br0
    ipam:
      config:
        - subnet: 192.168.145.0/24
          gateway: 192.168.145.1

The issue is now, that no DNS resolution is possible from within the container. journalctl gives me the following messages cyclically:

May 11 13:32:42 rpi-le dockerd[674]: time="2024-05-11T13:32:42.524563592+02:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.145.9:37355" dns-server="udp:192.168.145.1:53" error="read udp 192.168.145.9:37355->192.168.145.1:53: i/o timeout" question=";google.com.fritz.box.\tIN\t A" spanID=5a987ed8189bc5af traceID=4df1d4d99890b675013fa3b27e2218d9

A CUxD script issuing a query fails and I have a alert inside raspberymatic web interface: WatchDog: no-internet | ausgelöst | No internet connection detected

Through an nslookup wdr.de from inside the container:

/ # nslookup wdr.de
Server:         127.0.0.11
Address:        127.0.0.11:53

;; connection timed out; no servers could be reached

and journalctl:

May 11 13:37:19 rpi-le dockerd[674]: time="2024-05-11T13:37:19.571985054+02:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.145.9:43799" dns-server="udp:192.168.145.1:53" error="read udp 192.168.145.9:43799->192.168.145.1:53: i/o timeout" question=";wdr.de.\tIN\t A" spanID=9d703cbb25db02d6 traceID=653abed0a8d117b93f0e74009d1e4ea9

However, if I completely reset the iptables within the container:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

The nslookup wdr.de is now working from inside the container:

/ # nslookup wdr.de
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   wdr.de
Address: 149.219.209.51

Also my CUxD script is now working.

I have reached the end of my knowledge, what am I doing wrong or how can I solve the iptables problem properly and persistent? Thanks!

Ps: I have now also played around a bit with the firewall settings within the web interface. Adding port 53 does not help, only the option ports open is so far successful. I would like to see a proper solution, but in principle that would be fine with me. Is ports open a security risk in a private LAN?

Pss: Resolution is working after adding try_exec_cmd "/usr/sbin/iptables -A INPUT -p udp --source-port 53 -j ACCEPT" to libfirewall.tcl and mapping it inside the container. That solution is however not very good, since I have to replace the complete file....
Adding the port via web interface results in:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

But what seems to be required is just this one rule:

ACCEPT     udp  --  anywhere             anywhere             udp spt:domain

Describe the behavior you expected

DNS requests should resolve

Steps to reproduce the issue

1. Run rapsberrymatic as described https://github.com/jens-maus/RaspberryMatic/wiki/Installation-Docker-OCI#using-docker-compose
2. exec into the container
3. nslookup anything

What is the version this bug report is based on?

3.75.7.20240420

Which base platform are you running?

rpi2 (RaspberryPi2, ARM/armhf)

Which HomeMatic/homematicIP radio module are you using?

n/a

Anything in the logs that might be useful for us?

May 11 13:32:07 homematic syslog.info syslogd started: BusyBox v1.36.1
May 11 13:32:10 homematic user.info firewall: configuration set
May 11 13:32:44 homematic daemon.err xinetd[1044]: Unable to read included directory: /etc/config/xinetd.d [file=/etc/xinetd.conf] [line=14]
May 11 13:32:44 homematic daemon.crit xinetd[1044]: 1044 {init_services} no services. Exiting...
May 11 13:32:45 homematic daemon.info cuxd[1091]: CUx-Daemon(2.11) on CCU(3.75.7.20240420) start PID:1091
May 11 13:32:45 homematic daemon.info cuxd[1091]: write_pid /var/run/cuxd.pid [1091]
May 11 13:32:45 homematic daemon.info cuxd[1091]: load paramsets(/usr/local/addons/cuxd/cuxd.ps) size:15 update(-62s):Sat May 11 13:31:43 2024
May 11 13:32:45 homematic daemon.info cuxd[1091]: 0 device-paramset(s) loaded ok!
May 11 13:32:45 homematic daemon.info cuxd[1091]: write_proxy /var/cache/cuxd_proxy.ini (1091 /usr/local/addons/cuxd/ 2.11 3.75.7.20240420 0)
May 11 13:32:45 homematic daemon.info cuxd[1091]: add interface 'CUxD'
May 11 13:32:45 homematic user.info cuxd: started cux-daemon
May 11 13:32:45 homematic daemon.info cuxd[1091]: write interface(1) 'VirtualDevices' to /usr/local/etc/config/InterfacesList.xml
May 11 13:32:45 homematic daemon.info cuxd[1091]: write interface(2) 'CUxD' to /usr/local/etc/config/InterfacesList.xml
May 11 13:33:01 homematic daemon.warn cuxd[1091]: process_rpc_request(127.0.0.1) - illegal XMLRPC(listDevices) request
May 11 13:33:08 homematic daemon.warn cuxd[1091]: process_rpc_request(127.0.0.1) - illegal XMLRPC(init) request
May 11 13:33:12 homematic daemon.info : starting pid 1277, tty '': '/bin/mv /tmp/boot.log /var/log/boot.log'
May 11 13:33:12 homematic daemon.info : starting pid 1278, tty '/dev/null': '/usr/bin/monit -Ic /etc/monitrc'
May 11 13:33:12 homematic user.info monit[1278]: Starting Monit 5.33.0 daemon with http interface at /var/run/monit.sock
May 11 13:33:12 homematic user.info monit[1278]: 'homematic' Monit 5.33.0 started
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:27 homematic user.err monit[1278]: 'sshdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hs485dEnabled' status failed (2) -- grep: /var/etc/hs485d.conf: No such file or directory
May 11 13:33:27 homematic user.err monit[1278]: 'multimacdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hmlangwEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'rfdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hb_rf_eth-CheckEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'coProcessorCheck' status failed (1) -- no output
May 11 13:33:27 homematic user.warn monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'tailscaleEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: Lookup for '/media/usb1' filesystem failed  -- not found in /proc/self/mounts
May 11 13:33:27 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:27 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:27 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:28 homematic daemon.info cuxd[1091]: INIT 'xmlrpc_bin://127.0.0.1:31999' '1040'
May 11 13:33:28 homematic daemon.info cuxd[1091]: RPC-server from HM-CCU (1040) registered!
May 11 13:33:29 homematic daemon.info cuxd[1091]: connection to 127.0.0.1:8183 successfull!
May 11 13:33:43 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:43 homematic user.warn monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:43 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:43 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:43 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:43 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:33:59 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:59 homematic user.err monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:59 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:59 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:59 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:59 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:15 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:34:15 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:34:15 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:34:15 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:34:15 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:31 homematic user.err monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:34:31 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:47 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:03 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:19 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:34 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:50 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:06 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:22 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:38 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:54 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:09 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:25 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:41 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:57 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:13 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:29 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:44 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:00 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:16 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:32 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:48 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:48 homematic user.info monit[1278]: 'internetCheck' exec: '/bin/triggerAlarm.tcl No internet connection detected WatchDog: no-internet true'
May 11 13:40:04 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:20 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:35 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:51 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:41:07 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:41:23 homematic user.info monit[1278]: 'internetCheck' status succeeded (0) -- no output

Additional information

For completeness, here is my network configuration:

nmcli con mod 'Wired connection 1' con-name eth0
nmcli con add ifname br0 type bridge con-name br0
nmcli con add type bridge-slave ifname eth0 master br0
nmcli con mod br0 bridge.stp no

nmcli con mod br0 ipv4.addresses 192.168.145.5/24
nmcli con mod br0 ipv4.gateway 192.168.145.1
nmcli con mod br0 ipv4.dns '192.168.145.1'
nmcli con mod br0 ipv4.dns-search 'fritz.box'
nmcli con mod br0 ipv4.method manual

nmcli con down eth0 && nmcli con up br0
systemctl restart NetworkManager.service

nmcli device show

GENERAL.DEVICE:                         br0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         92:C9:C1:05:3E:F7
GENERAL.MTU:                            1400
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     br0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/5
IP4.ADDRESS[1]:                         192.168.145.5/24
IP4.GATEWAY:                            192.168.145.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.145.1, mt = 425
IP4.ROUTE[2]:                           dst = 192.168.145.0/24, nh = 0.0.0.0, mt = 425
IP4.DNS[1]:                             192.168.145.1
IP4.SEARCHES[1]:                        fritz.box
IP6.ADDRESS[1]:                         fe80::d186:af11:7f56:3c04/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

GENERAL.DEVICE:                         br-5dc32aee5a36
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:08:5C:1F:AD
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-5dc32aee5a36
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2
IP4.ADDRESS[1]:                         172.18.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.18.0.0/16, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]:                         fe80::42:8ff:fe5c:1fad/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         br-95ef8c538bf6
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:3F:4C:40:6B
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-95ef8c538bf6
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/3
IP4.ADDRESS[1]:                         172.21.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.21.0.0/16, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]:                         fe80::42:3fff:fe4c:406b/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         lo
GENERAL.TYPE:                           loopback
GENERAL.HWADDR:                         00:00:00:00:00:00
GENERAL.MTU:                            65536
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     lo
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         127.0.0.1/8
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         ::1/128
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         br-d81aeccab029
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:6F:BB:F1:9E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-d81aeccab029
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/4
IP4.ADDRESS[1]:                         172.23.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.23.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         docker0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:51:70:C1:12
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     docker0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/6
IP4.ADDRESS[1]:                         172.17.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.17.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         tap0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         92:C9:C1:05:3E:F7
GENERAL.MTU:                            1400
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     tap0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/8
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::90c9:c1ff:fe05:3ef7/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         B8:27:EB:7A:8F:E7
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     bridge-slave-eth0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/7
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         veth957ff27
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         52:2A:88:32:62:B8
GENERAL.MTU:                            1500
GENERAL.STATE:                          10 (unmanaged)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::502a:88ff:fe32:62b8/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         vethe607849
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         1A:6E:D0:2D:AC:8C
GENERAL.MTU:                            1500
GENERAL.STATE:                          10 (unmanaged)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::186e:d0ff:fe2d:ac8c/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

[jens-maus]

First of all, sorry for the late reply. I just tested this once again and I do not see any such DNS resolving issue here with my default docker compose test environment. In fact, I can perfectly fire up the raspberrymatic docker container and the container is perfectly able to run nslookup wdr.de. See:

/ # nslookup wdr.de
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   wdr.de
Address: 149.219.209.51

In addition, the default /etc/resolv.conf looks like:

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
search fritz.box
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [192.168.5.1 host(127.0.0.53)]
# Overrides: []
# Option ndots from: internal

And all this works with the default iptables setup within the container:

/ # iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  490 86255 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
  112 25995 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9293 state NEW
    3   192 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:43439
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:43439
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:23272
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23272
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:43438
   64 43022 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW
    4   128 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4118 packets, 5249K bytes)
 pkts bytes target     prot opt in     out     source               destination

So to me this looks like you might have a local misconfiguration in the docker host system which seem to prevent that the container is able to communicate with your local DNS system. Therefore I will move this ticket to the discussion part in case someone else might come up with a similar issue and you might to discuss things accordingl.y

[cubed-it]

Hello, no problem at all because of the late feedback, it works for me and so I am satisfied ;)

The problem is probably related to the fact that I am running a pihole server for DNS resolution on the same system.

If you are interested in the details, here is the pihole configuration:

.env

FTLCONF_LOCAL_IPV4=192.168.145.5
TZ=Europe/Berlin
WEBPASSWORD=MySecretPassword
REV_SERVER=true
REV_SERVER_DOMAIN=fritz.box
REV_SERVER_TARGET=192.168.145.1
REV_SERVER_CIDR=192.168.145.0/24
HOSTNAME=pihole
DOMAIN_NAME=pihole.local
PIHOLE_WEBPORT=80
WEBTHEME=default-dark

docker-compose.yml

services:
  pihole:
    container_name: pihole
    image: cbcrowe/pihole-unbound:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAIN_NAME}
    ports:
      # - 443:443/tcp
      - ${FTLCONF_LOCAL_IPV4}:53:53/tcp
      - ${FTLCONF_LOCAL_IPV4}:53:53/udp
      - ${FTLCONF_LOCAL_IPV4}:${PIHOLE_WEBPORT:-80}:80/tcp #Allows use of different port to access pihole web interface when other docker containers use port 80
      # - 5335:5335/tcp # Uncomment to enable unbound access on local server
      # - 22/tcp # Uncomment to enable SSH
    environment:
      - FTLCONF_LOCAL_IPV4=${FTLCONF_LOCAL_IPV4}
      # - FTLCONF_REPLY_WHEN_BUSY=DROP
      - TZ=${TZ:-UTC}
      - WEBPASSWORD=${WEBPASSWORD}
      - WEBTHEME=${WEBTHEME:-default-light}
      - REV_SERVER=${REV_SERVER:-false}
      - REV_SERVER_TARGET=${REV_SERVER_TARGET}
      - REV_SERVER_DOMAIN=${REV_SERVER_DOMAIN}
      - REV_SERVER_CIDR=${REV_SERVER_CIDR}
      - PIHOLE_DNS_=127.0.0.1#5335
      - DNSSEC="true"
      - DNSMASQ_LISTENING=single
    volumes:
      - /home/skytale/docker/pihole:/etc/pihole:rw
      - etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
    restart: unless-stopped
    # dns: # https://github.com/pi-hole/docker-pi-hole/issues/342
      # - 127.0.0.1
      # - 8.8.8.8
      
volumes:
  etc_pihole_dnsmasq-unbound: