How does Docker Embedded DNS resolver work?

误落风尘 2020-12-24 12:43

I know Docker has an embedded DNS resolver.
When I run a container in my own bridge:

$ docker run -it --rm --privileged --network=mybridge xxx bash

roo         


        
1 Answer
  • 2020-12-24 13:13

    Maybe you have already found that Docker (aka Moby) internally uses libnetwork to configure and enable the embedded DNS resolver. Libnetwork binds the resolver to the container's loopback interface, so that DNS queries at 127.0.0.11 can be routed (via iptables) to the "backend DNS resolver" in the Docker Engine. See the libnetwork type and the actual ResolveName() code. The Sandbox for each container allows DNS queries to be routed through the network namespaces.

    Regarding your question how one process can expose ports on the host and inside a container: in this case binding a handler thread to an interface would be a more appropriate expression. The Docker engine creates a container and configures its network namespace, so it can also configure the container's network interfaces and packet routing via iptables. Binding the resolver to the container's internal interface is the reason why you haven't found any process on the host listening on port 53.

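The iptables redirection of 127.0.0.11 described in the answer can be read back from the NAT rules of the container's network namespace. The following is an added example, not part of the original answer or of Docker's own code: it parses a constructed sample in the shape of `iptables -t nat -S` output (the chain names and port numbers are assumptions) and reports which port DNS queries are really sent to.

```python
import shlex

RESOLVER_IP = "127.0.0.11"  # address named in the answer above

# Constructed sample in the shape of `iptables -t nat -S` run inside a container
# on a user-defined network (assumption); the high port numbers are made up.
SAMPLE_RULES = """\
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:40123
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:51789
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 40123 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 51789 -j SNAT --to-source :53
"""


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into {flag: value}; anything else gives None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A" or "!" in tok:  # negated matches not handled
        return None
    opts, i = {"chain": tok[1]}, 2
    while i < len(tok):
        has_value = i + 1 < len(tok) and not tok[i + 1].startswith("-")
        opts[tok[i]] = tok[i + 1] if has_value else ""
        i += 2 if has_value else 1
    return opts


def dns_redirects(rules_text):
    """Map protocol -> where queries to RESOLVER_IP:53 really go, and whether
    replies from that port are rewritten back to source port 53."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    found = {}
    for r in rules:
        ip, _, port = r.get("--to-destination", "").rpartition(":")
        if (r.get("-j") == "DNAT" and r.get("--dport") == "53" and port.isdigit()
                and r.get("-d", "").split("/")[0] == RESOLVER_IP):
            found[r.get("-p", "any")] = {"target": ip, "port": int(port), "reply_rewritten": False}
    for r in rules:
        hit = found.get(r.get("-p", "any"))
        if (hit and r.get("-j") == "SNAT" and r.get("--to-source") == ":53"
                and r.get("--sport") == str(hit["port"])):
            hit["reply_rewritten"] = True
    return found


if __name__ == "__main__":
    for proto, info in sorted(dns_redirects(SAMPLE_RULES).items()):
        print(proto, info)
```

A DNAT target other than 127.0.0.11, or a redirect without its matching SNAT rule, means the container's DNS path differs from the one the answer describes and is worth a closer look.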