DNS endpoint resolution in container namespace

Ondřej Grover ondrej.grover at gmail.com
Thu Nov 24 10:03:14 UTC 2022


Hi,

I tried to follow the example here
https://www.wireguard.com/netns/#ordinary-containerization
but I found out that the DNS endpoint resolution through

ip netns exec container wg setconf wg0 /etc/wireguard/wg0.conf

won't work, because it is run in the new container namespace not yet
capable of DNS resolution.
Looking at the source code here
https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242
confirmed my suspicion that the DNS resolution is done by the wg tool
in the container namespace rather than in the original namespace.

In an ideal world the DNS resolution should IMHO happen in the
original namespace capable of DNS resolution where the world-facing
UDP socket using that endpoint IP is anyway.
Often one could use just a hard-coded IP (that's indeed what I
resorted to in the end, or  perform DNS resolution at container
provisioning time as suggested by mrngm in IRC) for the wg0.conf in
the container, but with DynDNS and similar setups this may not be
possible.

But since that might require significant changes (e.g. requesting DNS
resolution in the original namespace through the kernel?), perhaps at
least in the short term I would  recommend that this caveat is
mentioned on the webpage and/or perhaps in the example the `wg
setconf` step would be run in the original namespace (unless there is
some repercussion to that I did not consider).

Best wishes and thanks for all your work making wireguard what it is today,
Ondrej G.


More information about the WireGuard mailing list