Swarm Internal DNS is Inaccessible on Windows Server 1803

Issue

On Windows Server 1803 or equivalent Windows 10 builds (Version 10.0.17134.x) the Windows Firewall will block requests from a Swarm Task to resolve Swarm Service names.

The following is example output from a Swarm Task attempting to reach a web application Swarm service by name.

$ docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE                       PORTS
mh3t296k0feq        demo_cli            replicated          1/1                 microsoft/nanoserver:1803
40qj05x1sg9i        demo_web            replicated          2/2                 webapp:latest

# From the node on which the Task is running
$ docker ps --filter name=demo_cli
CONTAINER ID        IMAGE                       COMMAND               CREATED             STATUS              PORTS               NAMES
eded674bfdcc        microsoft/nanoserver:1803   "ping -t localhost"   2 hours ago         Up 2 hours                              demo_cli.1.5g7fqsjm6w6awpyy03bass2mv

# From the node on which the Task is running
$ docker exec -it eded674bfdcc curl demo_web
curl: (6) Could not resolve host: demo_web

Note this bug does not affect Windows Server 2016 LTSC (Version 10.0.14393.x), Windows Server 1709 (Version 10.0.16299.x), Windows Server 2019 (10.0.17763.x) or equivalent Windows 10 builds.

Resolution

To resolve this issue, a user must manually open the DNS ports (UDP and TCP 53) in the host's Windows Firewall. This can be done with the New-NetFirewallRule PowerShell cmdlet.

PS C:\> New-NetFirewallRule -DisplayName "Swarm DNS" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 53

Name                  : {27ab302d-5a4c-4ce8-98c8-2c67ccb3643f}
DisplayName           : Swarm DNS
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

PS C:\> New-NetFirewallRule -DisplayName "Swarm DNS" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 53

Name                  : {79a20f1e-ead1-4ff3-b878-a150427db2a4}
DisplayName           : Swarm DNS
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     : NotApplicable
PolicyStoreSource     : PersistentStore
PolicyStoreSourceType : Local

Following this, Swarm Tasks will be able to resolve a Swarm Service name. It is not necessary to restart the Docker Engine or the Windows Server.

$ docker service ls
ID                  NAME                MODE                REPLICAS            IMAGE                       PORTS
mh3t296k0feq        demo_cli            replicated          1/1                 microsoft/nanoserver:1803
40qj05x1sg9i        demo_web            replicated          2/2                 webapp:latest

# From the node on which the Task is running
$ docker ps --filter name=demo_cli
CONTAINER ID        IMAGE                       COMMAND               CREATED             STATUS              PORTS               NAMES
eded674bfdcc        microsoft/nanoserver:1803   "ping -t localhost"   2 hours ago         Up 2 hours                              demo_cli.1.5g7fqsjm6w6awpyy03bass2mv

# From the node on which the Task is running
$ docker exec -it eded674bfdcc curl demo_web
<html>
    <...snipped...>
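The two rules from the Resolution section, as an added script that is not part of this article: it checks the host build, creates each rule only if it does not already exist, and lists the resulting port filters so the change can be verified. It assumes an elevated PowerShell session on the affected Swarm node; the per-protocol display names, the "Docker Swarm" rule group and the optional $RemoteAddress parameter (default "Any", matching the article's rules) are choices made here, not values from the article.

```powershell
# Added example: idempotently create the inbound DNS (port 53) allow rules
# from the article and verify them. Not code from the original article.
param(
    # "Any" reproduces the article's rules; a narrower value is a local hardening choice.
    [string]$RemoteAddress = "Any"
)

# The article documents the issue only for Windows Server 1803 / build 10.0.17134.x.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -ne 17134) {
    Write-Warning "Build $build is not 10.0.17134.x; this rule set targets Windows Server 1803."
}

foreach ($proto in @("UDP", "TCP")) {
    # Distinct display names (assumed here) so each protocol's rule can be found later.
    $name = "Swarm DNS ($proto)"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$name' already exists; skipping."
        continue
    }
    New-NetFirewallRule -DisplayName $name `
        -Description "Allow Swarm tasks to reach the engine's internal DNS on this host" `
        -Group "Docker Swarm" `
        -Direction Inbound -Action Allow `
        -Protocol $proto -LocalPort 53 `
        -RemoteAddress $RemoteAddress | Out-Null
    Write-Host "Created rule '$name'."
}

# Verify: show each rule in the group together with its protocol and local port.
Get-NetFirewallRule -Group "Docker Swarm" | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Enabled     = $_.Enabled
        Protocol    = $filter.Protocol
        LocalPort   = $filter.LocalPort
    }
} | Format-Table -AutoSize
```

After the script runs, the docker exec curl demo_web check from the Resolution section can be repeated to confirm that name resolution succeeds.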

What's Next

Docker and Microsoft support teams are currently working on this issue. This article will be updated as progress is made.