ada
January 14, 2026, 11:32am
1
Hi. I’ve noticed that DNS resolution doesn’t work anymore for containers NOT in host network mode after enabling RESIN_HOST_FIREWALL_MODE.
However, iptables shows that there is a rule which I think should allow this; see below, the one with `-i balena0`.
root@602633c:~# iptables -S
...
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.17.0.2/32 ! -i br-7209559527ba -o br-7209559527ba -p tcp -m
...
Any ideas?
Hello,
Can you please share some logs?
I tried to reproduce but couldn’t.
Before applying:
-A BALENA-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BALENA-FIREWALL -m addrtype --src-type LOCAL -j ACCEPT
-A BALENA-FIREWALL -i resin-vpn -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i tun0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i docker0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i lo -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i supervisor0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 48484 -j REJECT --reject-with icmp-port-unreachable
-A BALENA-FIREWALL -p tcp -m tcp --dport 22222 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 2375 -j ACCEPT
-A BALENA-FIREWALL -m addrtype --dst-type MULTICAST -j ACCEPT
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -i br+ -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j RETURN
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.17.0.2/32 ! -i br-01e83d449296 -o br-01e83d449296 -p tcp -m tcp --dport 8000 -j ACCEPT
With firewall enabled:
-A BALENA-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BALENA-FIREWALL -m addrtype --src-type LOCAL -j ACCEPT
-A BALENA-FIREWALL -i resin-vpn -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i tun0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i docker0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i lo -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -i supervisor0 -p tcp -m tcp --dport 48484 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 48484 -j REJECT --reject-with icmp-port-unreachable
-A BALENA-FIREWALL -p tcp -m tcp --dport 22222 -j ACCEPT
-A BALENA-FIREWALL -p tcp -m tcp --dport 2375 -j ACCEPT
-A BALENA-FIREWALL -m addrtype --dst-type MULTICAST -j ACCEPT
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -i br+ -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.17.0.2/32 ! -i br-01e83d449296 -o br-01e83d449296 -p tcp -m tcp --dport 8000 -j ACCEPT
I SSH’d into a container that’s in bridge mode (not host mode) and still have DNS resolving.
nslookup google.com
Server: 127.0.0.11
Address: 127.0.0.11#53
Non-authoritative answer:
Name: google.com
Address: 172.217.170.174
Name: google.com
Address: 2a00:1450:401a:800::200e
nslookup google.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.170.174
Name: google.com
Address: 2a00:1450:401a:800::200e
ada
January 14, 2026, 5:00pm
3
I see a new rule that we don’t get:
-A BALENA-FIREWALL -i br+ -p udp -m udp --dport 53 -j ACCEPT
Maybe something that changed in the supervisor? Our production is on 16.3.15.
ada
January 15, 2026, 8:31pm
4
@rahul-thakoor thanks for taking a look. We found that upgrading the supervisor solved it. The missing rule your export shows is added, and then it works. (Pro tip: always restart the device after changing the firewall setting; the iptables update is not “clean” if you have other services also modifying it.)
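The thread comes down to one missing line in the BALENA-FIREWALL chain: the `-i br+` UDP/53 ACCEPT that lets containers on Docker bridge networks reach the embedded DNS server, and the fact that a rule is only useful if it sits above the chain's catch-all REJECT. The following POSIX shell script is an added example, not code from the thread or from balenaOS or the supervisor; it reads an `iptables -S` dump and reports which of the expected DNS rules are absent or ordered below the REJECT. The chain name and rule text are taken from the exports above; the sample chain embedded in the script is a constructed, abbreviated copy of the original poster's output so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread or balenaOS/supervisor code):
# check an `iptables -S` dump for the UDP/53 ACCEPT rules that containers on
# Docker bridge networks need, and make sure each one sits above the chain's
# catch-all REJECT. Chain and rule text are taken from the thread's exports.

# Constructed sample: an abbreviated BALENA-FIREWALL chain like the original
# poster's (it has the balena0 rule but no `-i br+` rule), embedded so the
# script runs offline.
SAMPLE_RULES='-A BALENA-FIREWALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A BALENA-FIREWALL -p icmp -j ACCEPT
-A BALENA-FIREWALL -i balena0 -p udp -m udp --dport 53 -j ACCEPT
-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable'

# rule_index RULES LINE: print the 1-based position of the first exact match
# of LINE in RULES, or nothing when it is absent. Fixed-string matching (-F)
# keeps the `+` in `br+` from being read as a regex quantifier.
rule_index() {
  printf '%s\n' "$1" | grep -n -F -x -- "$2" | head -n 1 | cut -d: -f1
}

# dns_rule_ok RULES IFACE: succeed only if an ACCEPT for UDP/53 arriving on
# IFACE exists and precedes the catch-all REJECT. A rule appended below the
# REJECT is never reached, so it is treated as missing.
dns_rule_ok() {
  _accept=$(rule_index "$1" "-A BALENA-FIREWALL -i $2 -p udp -m udp --dport 53 -j ACCEPT")
  _reject=$(rule_index "$1" "-A BALENA-FIREWALL -j REJECT --reject-with icmp-port-unreachable")
  [ -n "$_accept" ] || return 1
  [ -z "$_reject" ] && return 0
  [ "$_accept" -lt "$_reject" ]
}

# missing_dns_rules RULES IFACE...: print each interface that lacks a working
# rule, one per line; prints nothing when the chain is complete.
missing_dns_rules() {
  _rules=$1
  shift
  for _iface in "$@"; do
    dns_rule_ok "$_rules" "$_iface" || printf '%s\n' "$_iface"
  done
}

# On a device you would run (as root):
#   missing_dns_rules "$(iptables -S BALENA-FIREWALL)" balena0 'br+'
# Against the constructed sample this prints "br+", the rule the thread found missing.
missing_dns_rules "$SAMPLE_RULES" balena0 'br+'
```

Because the check compares rule positions rather than just grepping for the line, it also catches the situation the last post warns about: a rule that exists but was appended after the REJECT by a non-clean update, which `iptables -S | grep 53` alone would report as present.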