Troubleshooting DNS Issues in Docker: Unable to Get Image Due to Lookup Failure
Use this when Docker fails to pull images because name resolution breaks inside the container runtime.
Quick Read
- Symptom: Docker fails to pull images because name resolution breaks inside the container runtime.
- Check first: Verify Docker daemon configuration for DNS settings.
- Risk: Changes system state
Symptoms
Docker cannot resolve hostnames, so image pulls fail.
Environment
Docker running on a Linux host, configured to use Google DNS (8.8.8.8).
Most Likely Causes
Misconfiguration in Docker's DNS settings or network issues preventing DNS resolution.
What to Check First
- Verify Docker daemon configuration for DNS settings.
- Check network connectivity to the DNS server.
- Confirm that the Docker service is running.
Fix Steps
- Check Docker daemon status.
Ensure that the Docker service is running properly.
Safe to run: read-only
systemctl status docker
- Inspect Docker's DNS configuration.
Check if Docker is configured to use the correct DNS servers.
Safe to run: read-only
cat /etc/docker/daemon.json
- Test DNS resolution from the host.
Verify that the host can resolve DNS queries.
Safe to run: read-only
nslookup registry-1.docker.io
- Restart Docker service if DNS settings were modified.
Apply changes to Docker's configuration by restarting the service.
Changes system state: review before running
systemctl restart docker
- Check firewall settings.
Ensure that firewall rules are not blocking DNS traffic.
Example pattern only. Adjust for your environment before running.
iptables -L -n
- Test pulling an image after making changes.
Attempt to pull a Docker image to confirm resolution is working.
Safe to run: read-only
docker pull hello-world
Validation
- Confirm successful image pull.
- Check Docker logs for any remaining DNS issues.
Logs to Check
- /var/log/syslog
- /var/log/docker.log
Rollback and Escalation
- Revert any changes made to /etc/docker/daemon.json if the issue persists.
Escalate When
- If DNS issues continue after following all steps.
- If Docker service fails to restart or behaves unexpectedly.
Edge Cases
- Check if using a VPN or proxy that might interfere with DNS resolution.
- Verify if the host's /etc/resolv.conf is correctly configured.
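A pre-restart check for the "Inspect Docker's DNS configuration" step and the /etc/resolv.conf edge case, as an added example that is not part of the original page. It parses daemon.json text, flags malformed JSON (which stops dockerd from starting after a restart) and "dns" entries that are not IP addresses or are loopback, and lists the host's nameservers. The function names and sample inputs are constructed for illustration.

```python
import ipaddress
import json

def check_daemon_dns(daemon_json_text):
    """Return (servers, problems) for the text of /etc/docker/daemon.json."""
    try:
        config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    except json.JSONDecodeError as exc:
        # dockerd will not start on malformed JSON; catch it before the restart.
        return [], [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(config, dict):
        return [], ["daemon.json must contain a JSON object"]
    dns = config.get("dns", [])
    if not isinstance(dns, list):
        return [], ['"dns" must be a JSON array of IP address strings']
    servers, problems = [], []
    for entry in dns:
        try:
            if not isinstance(entry, str):
                raise ValueError
            addr = ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"dns entry {entry!r} is not an IP address")
            continue
        if addr.is_loopback:
            # Inside a container, loopback points at the container itself.
            problems.append(f"dns entry {addr} is a loopback address")
        servers.append(str(addr))
    return servers, problems

def host_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

# Constructed sample inputs (not taken from a real host).
SAMPLE_DAEMON_JSON = '{"dns": ["8.8.8.8", "127.0.0.53", "dns.example"]}'
BROKEN_DAEMON_JSON = '{"dns": ["8.8.8.8",]}'  # trailing comma is invalid JSON
SAMPLE_RESOLV_CONF = "# generated\nnameserver 127.0.0.53\nnameserver 8.8.8.8\nsearch lan\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_DAEMON_JSON), ("broken", BROKEN_DAEMON_JSON)):
        servers, problems = check_daemon_dns(text)
        print(name, "servers:", servers, "problems:", problems)
    print("host nameservers:", host_nameservers(SAMPLE_RESOLV_CONF))
```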
Notes from the Field
- Ensure that the Docker version is compatible with the host OS.
- Document any changes made to the Docker configuration for future reference.