Re: Local DNSSEC resolver & Containers


 



On Tue, Jul 14, 2015, at 09:57 AM, P J P wrote:
> Hello,
> 
> 
>   -> https://lists.fedoraproject.org/pipermail/cloud/2015-January/004867.html
> 
> 
> As per the previous discussion above, I was able to use iptables(8) DNAT rule to divert DNS traffic from Docker containers to a DNSSEC resolver on the host at 127.0.0.1:53.

Thanks for posting this!  It's quite useful to have any progress in this area.

One problem with this is you're capturing *all* traffic to port 53, but I can imagine
valid use cases for skipping the local resolver.  We've already seen one with the
hotspot detection.

Another more complex problem is that while your solution will work for the
docker defaults, it's quite common to use something other than the defaults for
clustered networking for e.g. Kubernetes.

At a practical level, this means all tools that interact with Docker networking
configuration like flannel and openshift-sdn will have to understand how to
configure this.

I'd still personally like to see unbound support a Unix domain socket or kdbus.
It'd require NSS configuration in the container, but it avoids all sorts of hacks
around container networking for local communication.
_______________________________________________
cloud mailing list
cloud@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/cloud
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct



