After updating my firewall, Umbrel can no longer establish an Internet connection

After updating my firewall, Umbrel can no longer establish an Internet connection.
The Docker logs show repeated resolver errors such as:

[resolver] failed to query DNS server: 192.168.111.1:53, error="read udp 10.21.0.3:42200->192.168.111.1:53: i/o timeout"

It seems that Docker containers send DNS requests from an internal bridge address (10.21.x.x), which the firewall does not route or NAT by default.
My local LAN is 192.168.111.0/24, and the firewall provides DNS through Unbound on 192.168.111.1.

My questions:
1. Why does Docker (and therefore Umbrel) use its own internal bridge address (10.21.0.0/16) for DNS queries instead of the host's LAN address (192.168.111.x)?
2. Is there a way to configure Umbrel or Docker to use the host's DNS configuration (e.g. /etc/resolv.conf) or directly query 192.168.111.1?
3. What is the recommended long-term solution to prevent Docker from randomly creating new internal subnets and DNS bridges after updates (e.g. a fixed bridge address or DNS setting in daemon.json)?

Background: Starting with the new firewall update, the NAT behavior has changed. The firewall no longer performs automatic outbound NAT for unknown private networks such as 10.21.0.0/16. As a result, DNS requests from Docker containers time out because the packets are dropped or not translated.
The goal would be for Docker containers—and thus Umbrel—to consistently use the same DNS server as the host system, independent of internal bridge subnets.

My solution for now:

sudo mkdir -p /etc/docker
echo '{ "dns": ["192.168.111.1"] }' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
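As an added example (not from the original post or from Umbrel), the daemon.json settings the third question asks about, built with the standard library so the file is always valid JSON and so the bridge pool is checked against the LAN before anything is written. The LAN, DNS server and 10.21.0.0/16 pool are the values from this thread; the `log-driver` key stands in for whatever settings an existing daemon.json already holds.

```python
import ipaddress
import json

# Values taken from the thread; the bridge pool is a constructed choice.
LAN = "192.168.111.0/24"
LAN_DNS = "192.168.111.1"
BRIDGE_POOL = "10.21.0.0/16"


def pool_overlaps_lan(pool_base: str, lan_cidr: str) -> bool:
    """True if a Docker address pool would collide with the LAN prefix.

    Containers in an overlapping pool become unreachable from the LAN and
    break the host's own routing, so this is rejected before writing config.
    """
    return ipaddress.ip_network(pool_base).overlaps(ipaddress.ip_network(lan_cidr))


def build_daemon_config(existing: dict, dns_servers: list, pool_base: str,
                        pool_size: int, lan_cidr: str) -> dict:
    """Return daemon.json content with a fixed DNS server and bridge pool.

    Keys already present in `existing` are kept; only 'dns' and
    'default-address-pools' (the pool Docker carves bridge networks from)
    are set. Invalid addresses raise ValueError via the ipaddress module.
    """
    if pool_overlaps_lan(pool_base, lan_cidr):
        raise ValueError(f"bridge pool {pool_base} overlaps LAN {lan_cidr}")
    pool = ipaddress.ip_network(pool_base)
    if not pool.prefixlen < pool_size <= 30:
        raise ValueError(f"size /{pool_size} is not a subnet of {pool}")
    servers = [str(ipaddress.ip_address(s)) for s in dns_servers]
    cfg = dict(existing)
    cfg["dns"] = servers
    cfg["default-address-pools"] = [{"base": str(pool), "size": pool_size}]
    return cfg


def render(cfg: dict) -> str:
    # json.dumps emits straight quotes; a hand-typed file with typographic
    # quotes is not JSON and dockerd refuses to start on it.
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    cfg = build_daemon_config({"log-driver": "journald"}, [LAN_DNS],
                              BRIDGE_POOL, 24, LAN)
    print(render(cfg))  # write this to /etc/docker/daemon.json, then restart docker
    print("overlap check:", pool_overlaps_lan("192.168.0.0/16", LAN))  # True
```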

What kind of install / update did you do to the firewall?

Because it has a firewall and if you set up another firewall you would have to allow outgoing, deny incoming, then allow incoming to the ports that are used in the docker container.

Umbrel uses the Debian iptables and netfilter controls for the built-in firewall inside the Linux kernel, so you don't have to use any other firewall because it's redundant.

To look at the firewall you use `sudo nft list ruleset` if you want to see netfilter and the nat and interface forward policies, and `sudo iptables -L` and `sudo ip6tables -L` for the allow and drop software policies. It's recommended to do this either pure iptables and ip6tables or pure netfilter with the kernel firewall, because it's easy to mess it up and cause conflicts adding rules in one place when they are different in the other control set.

Because whatever you did messed up the forward policies.

Thank you for the answers!

1. I use OPNsense in my home network. Umbrel Home is part of the network and therefore doesn't require its own firewall, because this would, on the one hand, lead to redundancy and inefficiency, and on the other hand, make troubleshooting difficult.

If a firewall is actually active, I would like to be able to turn it on or off.

2. To ensure that requests from clients on the network are answered by my DNS server (AdguardHome) and to block external DNS servers as much as possible, a rule ensures that requests are only answered from the known network addresses of the interface. In fact, before the aforementioned update, it seemed possible that addresses from RFC 1918 were answered because they were not external. A hardening measure was implemented that subsequently prevents this. Therefore, an internal address of the Docker Bridge, even if it is RFC 1918, is no longer answered.

The goal would be for Docker containers—and thus Umbrel—to consistently use the same DNS server as the host system, independent of internal bridge subnets.

Docker runs a DNS on the bridge that performs its own resolving, so it isolates the Docker programs from the network interface settings on the machine and all interfaces on the LAN. This is with all Docker setups including Umbrel. The downside to this form of app hosting is that the IP address scope of the Docker bridge cannot be in a scope of anything on the LAN side. The only thing I find out of place with the Umbrel install is the address scopes: 172.17.0.0/16 and 172.18.0.0/16 are normally used for Docker when it uses an app bridge.

Yes, you can set up Docker without a bridge, but then you lose network isolation, because ports on the Ethernet interface are used.
But then it wouldn't be any different than running a virtualization container for every app, in which all traffic from program to program is routed through the physical network and there is no program-to-program name resolution.

With a Docker bridge, it has to self-resolve, which your DNS server in homeguard should be forwarding to the OPNsense Unbound. If not, you need to allow it in homeguard.

If you want to run Docker your way you can, just not with Umbrel and some others that are set up the same way.

But I'm curious what it's blocking, since it's only supposed to block bad requests. Because there are Docker programs that do send trackers and ad requests. Bitcoin Knots is one of them, and setting up Docker without a bridge doesn't get rid of this because it's inside the app.

A firewall rule defines that DNS requests on the interface can only be made by clients in this network (192.168.111.0/24).
As far as I understand the log

(Oct 11 18:37:02 umbrel dockerd[587]: time="2025-10-11T18:37:02.232534628Z" level=error msg="[resolver] failed to query DNS server: 192.168.111.1:53, query: ;api.bitfinex.com.local.\tIN\t A" error="read udp 10.21.21.27:45201->192.168.111.1:53: i/o timeout"),

a request was made from a Docker Bridge from the address range 10.21.0.0/16 to 192.168.111.1:53. Since this request came from an address range outside the network, it was blocked.
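An added example, not from the post: a small parser for dockerd resolver-timeout lines in the format quoted above. It pulls the source address and the DNS server out of each line and reports whether the source lies inside the LAN prefix the firewall rule permits, which is the check that explains why the 10.21.x.x queries are dropped. The sample log lines are constructed to match the quoted format and are not real captures.

```python
import ipaddress
import re

# Matches the embedded-resolver timeout message dockerd logs.
RESOLVER_RE = re.compile(
    r"failed to query DNS server: (?P<server>[\d.]+):(?P<sport>\d+).*?"
    r"read udp (?P<src>[\d.]+):(?P<cport>\d+)->"
)

# Constructed sample lines: one from a Docker bridge, one from a LAN host.
SAMPLE_LOG = r"""
Oct 11 18:37:02 umbrel dockerd[587]: time="2025-10-11T18:37:02.232534628Z" level=error msg="[resolver] failed to query DNS server: 192.168.111.1:53, query: ;api.example.com.local.\tIN\t A" error="read udp 10.21.21.27:45201->192.168.111.1:53: i/o timeout"
Oct 11 18:37:05 umbrel dockerd[587]: time="2025-10-11T18:37:05.000000000Z" level=error msg="[resolver] failed to query DNS server: 192.168.111.1:53, query: ;example.org.\tIN\t A" error="read udp 192.168.111.50:40001->192.168.111.1:53: i/o timeout"
""".strip()


def classify_resolver_errors(log_text: str, lan_cidr: str) -> list:
    """One record per resolver timeout: source, server, and whether the
    source is inside the LAN prefix the firewall's DNS rule allows."""
    lan = ipaddress.ip_network(lan_cidr)
    records = []
    for line in log_text.splitlines():
        m = RESOLVER_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        records.append({
            "src": str(src),
            "server": m["server"],
            "src_in_lan": src in lan,
            # The /16 the source belongs to, to spot which bridge pool it is.
            "src_block": str(ipaddress.ip_network(f"{src}/16", strict=False)),
        })
    return records


def blocked_sources(log_text: str, lan_cidr: str) -> list:
    """Sources outside the LAN: the queries the rule in the post drops."""
    return sorted({r["src"] for r in classify_resolver_errors(log_text, lan_cidr)
                   if not r["src_in_lan"]})


if __name__ == "__main__":
    for rec in classify_resolver_errors(SAMPLE_LOG, "192.168.111.0/24"):
        print(rec)
    print("blocked:", blocked_sources(SAMPLE_LOG, "192.168.111.0/24"))
```

Run it against `journalctl -u docker` output to list every bridge address that the firewall rule is rejecting, rather than reading the timeouts one at a time.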

Looks like someone forced Cloudflare because I guess they had issues with programs like Tailscale.

My gateway server forces machines with Google and Cloudflare DNS to use my DNS, but since I'm there, I'm going to change it to the default embedded DNS because you don't want Docker apps to know your network.
It should be using the embedded DNS so apps NAT to the automatic network configuration. However, I changed it to my DNS since they have something not correct:

sudo -i
printf '[global-dns-domain-*]\nservers=127.0.0.11\n' > /etc/NetworkManager/conf.d/10-cloudflaredns.conf

If I wasn't using Public Pool, I would just get rid of Umbrel, but I may do it anyway because their Public Pool doesn't work as well as my other setup on Linux without Docker.