Docker pull fails to lookup index.docker.io on 127.0.1.1:53 (cannot unmarshal DNS message)

Question

For some reason, I can't get Docker to communicate with Dockerhub; search and pull commands fail for some DNS related reason. For example:

$ docker pull redis
Pulling repository redis
Get https://index.docker.io/v1/repositories/library/redis/images: dial tcp: lookup index.docker.io on 127.0.1.1:53: cannot unmarshal DNS message

My internet connection is fine. I can ping 127.0.1.1. Is that a localhost address? Is there some kind of Dockerhub specific DNS service running there that might be broken on my machine? Nothing else seems to be wrong with my network.

I have tried configuring my network connection to use Google's DNS (8.8.8.8), but that made no difference.

update

Strangely, I cannot ping index.docker.io, but if I try to navigate there in a browser, I get redirected to hub.docker.com.

update

I can now confirm that this only happens on one LAN, at a hotel. I have no idea what they are doing, or why it only affects Docker, and not Git or Bittorrent or any other connected tool.

Answer 1

Question is a bit old, but since it remains unanswered and I happened to stumble into it, there it goes.

The local network for the hotel you were staying probably had its network addressing clashing with the virtual network created by Docker. I had the same kind of issued in a corporate network.

The easiest (yet not very well documented) fix is to force Docker to use an arbitrary network address for the virtual lan, using the '--bip' parameter. In Linux this is usually easy to achieve by editing the Docker configuration under /etc, yet on a Mac (just in case someone stumbles into this) it was particularly hard to find the file to change. Take a good read at https://github.com/docker/docker/issues/25064 if this is your case.

Basically, you'll need to find a network segment which is not in use on the network you are connected to. Docker will try to do that by default: it will use the first private CIDR that does not clash with any of your network interfaces. If you are on a private LAN segment that happens to route through another private segment, however, Docker can't see that and may end up creating a local network with a clashing CIDR, preventing packets to route out of it.

An example, for clarification:

Your IP address could be 192.168.10.2 with a netmask of /24. This network might have a default gateway on 192.168.10.1/24, but that gateway routes you through another router with address 172.17.1.1.

Docker will notice that 192.168.10.0/24 is in use and create a virtual network with addresses on 172.16.0.0/16 - so your containers will try to route all addresses under that CIDR locally, and will never get to the 172.17.1.1 external router. In such case, you want to change your --bip to something different, say 10.0.0.1/16. That will allow the packets to be properly routed out.