How to solve DNS resolution in Fedora 32 Docker containers

After little trouble with running Docker in Fedora 31 I found myself yet again in a similar situation. This time the DNS inside Docker containers could not resolve hostname.

This was the welcome of a first Docker build on Fedora 32:

Step 12/32 : RUN export MIX_ENV=k8s_develop &&     cd backend &&     MIX_ENV=k8s_develop mix deps.get &&     MIX_ENV=k8s_develop mix release k8s_develop &&     cd ..
 ---> Running in 12a32a3ac7cf
* Getting currency_conversion (
fatal: unable to access '': Could not resolve host:
** (Mix) Command "git --git-dir=.git fetch --force --quiet --progress" failed

Is GitHub down? Am I connected to the Internet? It does seem to work in my Firefox…

Using ping from your host system worked fine:

workstation$ ping
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=50 time=263 ms
64 bytes from ( icmp_seq=2 ttl=50 time=359 ms

…but no luck in Docker. Could not resolve host:

This is what happened to me this week after upgrading my Fedora 31 to Fedora 32.

In my particular case it seems to be an issue with the firewall (it’s always the firewall or SELinux isn’t is?). What worked for me was to add IP masquerading to the firewalld zone I am on. IP masquerading allows internal systems access the host’s network.

Find out the right interface with ip addr show:

$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f8:59:71:33:11:f2 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute wlp4s0
       valid_lft 16928sec preferred_lft 16928sec
    inet6 fe80::68a7:8161:7367:e450/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

In my case I am on wlp4s0 interface.

Let’s find its zone:

$ sudo firewall-cmd --get-zone-of-interface=wlp4s0


Now we simply enable masquerading for this zone, reload firewalld configuration and restart Docker:

$ sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade --permanent
$ sudo firewall-cmd --reload
$ sudo systemctl restart docker

And that’s it. After this little change I was able to build my containers again.


I wrote a complete guide on web application deployment. Ruby with Puma, Python with Gunicorn, NGINX, PostgreSQL, Redis, networking, processes, systemd, backups, and all your usual suspects.

More →