diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx index a5ea1cbf5a3bfba..c2892540cb983e5 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations.mdx 
@@ -100,7 +100,58 @@ or create a Docker network with a working MTU value: docker network create -o "com.docker.network.driver.mtu=1420" my-docker-network ``` -The MTU value should be set to the MTU of your host's default interface minus 80 bytes for the WARP protocol overhead. Most MTUs are 1500, so 1420 should work for most users. +The MTU value should be set to the MTU of your host's default interface minus 80 bytes for the WARP protocol overhead. Most MTUs are 1500, so 1420 should work for most users. + +## Access WARP DNS from Docker + +WARP runs a local DNS proxy on `127.0.2.2` and `127.0.2.3`. You may need access to these addresses from within Docker containers to resolve internal-only or fallback domains. The default Docker [bridge network](https://docs.docker.com/engine/network/drivers/bridge/) copies the DNS settings from the host, but filters out loopback DNS addresses like `127.0.2.2` and `127.0.2.3`, so containers cannot use them. + +To enable WARP DNS resolution with containers: + +- Use a [custom Docker network](https://docs.docker.com/engine/network/#user-defined-networks) (recommended): Allows the Docker container to still use the bridge network driver that maintains network isolation from the host. If you are creating your own bridge network, you should also [adjust the MTU accordingly](/cloudflare-one/connections/connect-devices/warp/troubleshooting/known-limitations/#docker-on-linux-with-bridged-networking). +- Use [host networking](https://docs.docker.com/engine/network/drivers/host/) (not recommended): Removes the security benefits of network isolation and may lead to port conflicts. + +The following example uses a special host (`connectivity-check.warp-svc`) that is only resolvable by the local DNS proxy to show the supported Docker networking modes. + +``` +# This host is not resolvable by default +❯ docker run --rm alpine nslookup connectivity-check.warp-svc. 
+Server: 8.8.8.8 +Address: 8.8.8.8:53 + +** server can't find connectivity-check.warp-svc.: NXDOMAIN +** server can't find connectivity-check.warp-svc.: NXDOMAIN + +# Create a bridge network called demo +❯ docker network create demo +e1e1943a6995a7e8c115a1c60357fe64f87a3ae90074ce6e4c3f0d2bba3fa892 + +# The host is resolvable by running a container under this custom network +❯ docker run --rm --net demo alpine nslookup connectivity-check.warp-svc. +Server: 127.0.0.11 +Address: 127.0.0.11:53Non-authoritative answer: +Name: connectivity-check.warp-svc +Address: ::ffff:127.0.2.2 +Name: connectivity-check.warp-svc +Address: ::ffff:127.0.2.3Non-authoritative answer: +Name: connectivity-check.warp-svc +Address: 127.0.2.2 +Name: connectivity-check.warp-svc +Address: 127.0.2.3 + +# The host is also resolvable by running a container using a host network +❯ docker run --rm --net host alpine nslookup connectivity-check.warp-svc. +Server: 127.0.0.11 +Address: 127.0.0.11:53Non-authoritative answer: +Name: connectivity-check.warp-svc +Address: ::ffff:127.0.2.2 +Name: connectivity-check.warp-svc +Address: ::ffff:127.0.2.3Non-authoritative answer: +Name: connectivity-check.warp-svc +Address: 127.0.2.2 +Name: connectivity-check.warp-svc +Address: 127.0.2.3 +``` ## Windows 10 in Microsoft 365 Cloud PC is not supported
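Review bot: The `--net host` run at the end of the new block reports `Server: 127.0.0.11`, which is Docker's embedded DNS resolver for user-defined networks and is not in play when the container shares the host's network namespace; the output is also byte-identical to the `--net demo` run above it, so it looks copied rather than captured. Please re-run the host-network example and paste its real output (the resolver shown should be whatever the host uses, such as `127.0.2.2`), or drop that third example and keep the prose statement that host networking also works. Separately, the `docker network create demo` step omits the MTU option that the preceding section and the "custom Docker network" bullet both tell the reader to set; to keep the example consistent with its own advice, use `docker network create -o "com.docker.network.driver.mtu=1420" demo` or add a sentence noting the option was left out for brevity.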