containers / netavark

Container network stack
Apache License 2.0

No DNS in internal networks when dns_port is not set to 53 #1051

Open fxthomas opened 3 months ago

fxthomas commented 3 months ago

Observed behavior

When setting dns_bind_port in /etc/containers/containers.conf to anything other than 53, containers in internal networks have no container-to-container name resolution (e.g. you can't ping database from a web container).

Inside containers /etc/resolv.conf is configured properly to the IP of the aardvark-dns resolver, but cannot specify a non-default port: DNS requests try to go to port 53 and fail. The non-default port is however perfectly reachable (using e.g. dig or nslookup).

Expected behavior

The behavior should be the same as with the default DNS port.

In non-internal networks, the following iptables rules are added to remap the non-default DNS port as 53 (YMMV), but these are missing in internal networks:

iptables -I INPUT 1 -s 10.89.0.0/24 -d 10.89.0.0/24 -p udp --dport 20053 -j ACCEPT
iptables -t nat -I PREROUTING 1 -m addrtype --dst-type LOCAL -p udp -d 10.89.0.0/24 --dport 53 -j DNAT --to-destination 10.89.0.1:20053
iptables -t nat -I OUTPUT 1 -m addrtype --dst-type LOCAL -p udp -d 10.89.0.0/24 --dport 53 -j DNAT --to-destination 10.89.0.1:20053

Versions on the host:

Note: See discussion on the mailing list for more details.
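The quickest way to confirm on a host whether a given network got the port-53 DNAT rules from the report is to inspect `iptables-save -t nat` for the two nat-chain entries. The check below is an added example, not netavark's or aardvark-dns's own code: it parses a dump in iptables-save format and reports, per chain, whether the `53 -> dns_bind_port` DNAT exists for a subnet/gateway pair. The dump is constructed inline so the script runs offline; it assumes iptables-save's canonical field order (`-d` before `-p` before the match modules) and uses the report's non-internal values (10.89.0.0/24, 10.89.0.1, 20053) alongside a made-up internal subnet 10.89.1.0/24 with no rules, mirroring the missing-rules symptom.

```shell
#!/bin/sh
# Added example (not netavark's own code). Checks an iptables-save nat dump for the
# port-53 -> dns_bind_port DNAT rules that netavark adds for non-internal networks.

# Constructed dump in iptables-save format (assumption: canonical field order).
# 10.89.0.0/24 is a non-internal network with the rules from the report;
# 10.89.1.0/24 is a hypothetical internal network with none.
HOST_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.89.0.0/24 -p udp -m addrtype --dst-type LOCAL -m udp --dport 53 -j DNAT --to-destination 10.89.0.1:20053
-A OUTPUT -d 10.89.0.0/24 -p udp -m addrtype --dst-type LOCAL -m udp --dport 53 -j DNAT --to-destination 10.89.0.1:20053
-A POSTROUTING -s 10.89.0.0/24 -j MASQUERADE
COMMIT'

# has_dns_dnat DUMP SUBNET GATEWAY PORT
# Prints "ok" and returns 0 when both the PREROUTING and OUTPUT nat chains carry a
# DNAT rewriting <SUBNET>:53/udp to <GATEWAY>:<PORT>; otherwise prints one
# "missing:" line per absent chain and returns 1.
has_dns_dnat() {
    dump=$1 subnet=$2 gw=$3 port=$4
    rc=0
    for chain in PREROUTING OUTPUT; do
        found=0
        # Heredoc (not a pipe) so that "found" survives the loop in POSIX sh.
        while IFS= read -r line; do
            case "$line" in
                "-A $chain "*"-d $subnet "*"-p udp "*"--dport 53 "*"-j DNAT --to-destination $gw:$port")
                    found=1 ;;
            esac
        done <<EOF
$dump
EOF
        if [ "$found" -eq 0 ]; then
            echo "missing: nat $chain DNAT $subnet:53 -> $gw:$port"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}

# Stand-alone demo: the non-internal network passes, the internal one does not.
echo "non-internal 10.89.0.0/24:"; has_dns_dnat "$HOST_DUMP" 10.89.0.0/24 10.89.0.1 20053 || true
echo "internal 10.89.1.0/24:";     has_dns_dnat "$HOST_DUMP" 10.89.1.0/24 10.89.1.1 20053 || true
```

On a live host, replace the constructed `HOST_DUMP` with `$(iptables-save -t nat)` and pass the subnet, gateway and `dns_bind_port` of the network under test; a "missing" result for an internal network while the same call passes for a non-internal one reproduces the gap described in this issue without needing a container to run `dig` from.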

dev-zero commented 2 months ago

I ran into the same issue with netavark 1.12.1-3 on Debian.