Docker cannot resolve DNS on private network
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
When a Docker container cannot resolve DNS names on a private network, the problem is usually not "Docker DNS is broken" in the abstract. It is usually one of three concrete issues: the container is using the wrong DNS server, the DNS server is unreachable from the container network, or the private name only resolves from a specific VPN or host interface. The fix starts by separating name resolution from plain IP connectivity.
Check Whether It Is DNS or Routing
Before changing Docker settings, test whether the container can reach the target network at all.
If IP connectivity fails, this is a routing or firewall problem, not a DNS problem. If IP connectivity works but hostname resolution fails, then DNS configuration is the right place to focus.
Understand Docker's DNS Behavior
Containers do not magically inherit every host networking detail. Depending on how Docker is configured, a container may use:
- the host resolver configuration
- Docker's embedded DNS on user-defined networks
- explicit
--dnsentries - daemon-level DNS settings
A common first inspection step is:
If the nameserver shown there cannot answer queries for your private domain, resolution will fail even though the host machine itself resolves the name.
Set the DNS Server Explicitly
If the private network has an internal DNS server, point the container to it directly.
In Compose:
This is often the cleanest fix when the host can resolve names only because a VPN client injected special resolvers that Docker did not propagate correctly.
Be Careful with VPN and Split DNS
Private-network DNS issues often appear only when a VPN is connected. The host may be using split DNS rules that send certain domains to corporate resolvers, but the container only sees a simplified resolv.conf.
That creates a pattern like this:
- host resolves
internal.example.local - container cannot resolve the same name
- public names still work
In that case, explicitly setting the internal DNS server usually works better than assuming Docker will mirror the host's resolver behavior perfectly.
User-Defined Networks and Container-to-Container DNS
Docker also provides embedded DNS for service discovery on user-defined bridge networks. That only solves container name resolution inside Docker, not resolution of arbitrary private corporate domains.
Example:
This lets one container resolve another by container name. It does not automatically make internal.example.local resolve unless the upstream nameserver knows that record.
Daemon-Wide DNS Configuration
If many containers need the same private DNS behavior, configure the Docker daemon instead of repeating --dns everywhere.
Example daemon config:
On Linux, this is typically stored in /etc/docker/daemon.json. After changing it, restart Docker.
Use daemon-wide settings only if the DNS requirement is broadly correct for the host. Otherwise, per-container or per-project settings are safer.
Troubleshooting Sequence
A reliable order is:
- test IP reachability from inside the container
- inspect
/etc/resolv.conf - query the intended DNS server directly with
nslookup - try explicit
--dns - inspect VPN, firewall, or host routing behavior if private resolvers are unreachable
Randomly changing network drivers before doing those checks usually wastes time.
Common Pitfalls
- Assuming a successful host lookup means containers inherit identical DNS behavior.
- Treating a routing problem as a DNS problem.
- Forgetting that Docker's embedded DNS only helps with Docker-managed names.
- Using public DNS servers for private domains that only exist internally.
- Ignoring VPN split-DNS behavior when resolution works on the host but not in the container.
Summary
- Separate DNS failure from plain network reachability first.
- Inspect the container's
resolv.confinstead of assuming it matches the host. - Use
--dnsor Composednswhen private resolvers must be explicit. - Docker service discovery and private-network corporate DNS are different concerns.
- VPN and split-DNS setups are a very common cause of container-only resolution failures.

