M1 Mac address already in use port 53 by mDnsResponder

[nicekiwi]

Description

I'm encountering this issue again, on MacOS Sonoma after the latest Docker Desktop update and restarting MacOS.

#5335

Macbook Air M1
MacOS 14.0 (23A344)
Docker Desktop 4.24.0 (122432)

Reproduce

docker run -p 53:53 -it --rm alpine ash

Expected behavior

No response

docker version

Client:
 Cloud integration: v1.0.35+desktop.5
 Version:           24.0.6
 API version:       1.43
 Go version:        go1.20.7
 Git commit:        ed223bc
 Built:             Mon Sep  4 12:28:49 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.24.0 (122432)
 Engine:
  Version:          dev
  API version:      1.44 (minimum version 1.12)
  Go version:       go1.20.8
  Git commit:       HEAD
  Built:            Tue Sep 26 11:52:32 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    24.0.6
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2-desktop.5
    Path:     /Users/ezra/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.22.0-desktop.2
    Path:     /Users/ezra/.docker/cli-plugins/docker-compose
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/ezra/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.20
    Path:     /Users/ezra/.docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v0.1.0-beta.8
    Path:     /Users/ezra/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/ezra/.docker/cli-plugins/docker-sbom
  scan: Docker Scan (Docker Inc.)
    Version:  v0.26.0
    Path:     /Users/ezra/.docker/cli-plugins/docker-scan
  scout: Docker Scout (Docker Inc.)
    Version:  v1.0.7
    Path:     /Users/ezra/.docker/cli-plugins/docker-scout

Server:
 Containers: 15
  Running: 11
  Paused: 0
  Stopped: 4
 Images: 64
 Server Version: dev
 Storage Driver: stargz
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.4.16-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 3
 Total Memory: 3.842GiB
 Name: docker-desktop
 ID: 933609a0-5ad0-4978-95d3-977004e883f7
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

7ABA3113-529E-442E-9D86-EE5D06BCD06A/20231003015243

Additional Info

Re-installing the previous version 4.23.0 does resolve the issue for me.

[plandolt]

I encounter the same problem with version 4.24.0 on macos sonoma and a M1 chip. As soon as I start docker lsof shows the following:

sudo lsof -i :53                                                                                                                                                                                                                                                                                                                                                    COMMAND    PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
mDNSRespo 2517 _mdnsresponder   33u  IPv4 0x801397550777cd39      0t0  UDP *:domain
mDNSRespo 2517 _mdnsresponder   34u  IPv6 0x801397550777d939      0t0  UDP *:domain
mDNSRespo 2517 _mdnsresponder   44u  IPv4 0x8013974b6e7d6bb9      0t0  TCP *:domain (LISTEN)
mDNSRespo 2517 _mdnsresponder   48u  IPv6 0x8013974b72748879      0t0  TCP *:domain (LISTEN)

Going back to version 4.23.0 solves the problem and can be used as a workaround.

[robbiehobby]

Same issue on Intel chip.

[BrentRobert]

Same issue on M1. Rolling back to 4.23.0 resolves the issue.

[adrianliegmann]

That same issue on M1 and MacOS Sonoma. Downgrade to Docker 4.23.0 works correctly.

[bsousaa]

Can you try this workaround?

1. Edit ~/Library/Group\ Containers/group.com.docker/settings.json and add "kernelForUDP": false
2. Restart Docker Desktop

[adrianliegmann]

Can you try this workaround?

1. Edit `~/Library/Group\ Containers/group.com.docker/settings.json` and add `"kernelForUDP": false`

2. Restart Docker Desktop

@bsousaa For me that workaround works correctly.

[nicekiwi]

Can you try this workaround?

1. Edit ~/Library/Group\ Containers/group.com.docker/settings.json and add "kernelForUDP": false
2. Restart Docker Desktop

Yes, that does resolve the issue on 4.24 for me.

[simonrw]

Do you have "Internet Sharing" enabled in your settings?

I find that with this enabled, mDNSResponder binds to port 53, and without it port 53 is free.

[BrentRobert]

Do you have "Internet Sharing" enabled in your settings?

I find that with this enabled, mDNSResponder binds to port 53, and without it port 53 is free.

It's not enabled. The issue lies in a settings change on Docker Desktop since 4.23.0

[alexlo03]

Workaround works for me.

Note workaround is now doc'd at https://docs.docker.com/desktop/release-notes/#4240 "known issues / for mac"

[uphlewis]

Same issue with Docker 4.24.0 (122432) on Intel MBP running Monterey 12.6.9 (21G726).

The suggested kernelForUDP workaround fixed the issue for me too, thank you!

harry@Harrys-MacBook-Pro: ~$ sudo lsof -i :53 # with docker stopped
harry@Harrys-MacBook-Pro: ~$ sudo lsof -i :53 # with docker running
COMMAND   PID           USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
mDNSRespo 314 _mdnsresponder   40u  IPv4 0xb56646544beaa53d      0t0  UDP *:domain
mDNSRespo 314 _mdnsresponder   60u  IPv6 0xb56646544beaa84d      0t0  UDP *:domain
mDNSRespo 314 _mdnsresponder   62u  IPv4 0xb56646544df55115      0t0  TCP *:domain (LISTEN)
mDNSRespo 314 _mdnsresponder   67u  IPv6 0xb56646544bd9490d      0t0  TCP *:domain (LISTEN)
harry@Harrys-MacBook-Pro: ~$ code ~/Library/Group\ Containers/group.com.docker/settings.json # workaround applied
harry@Harrys-MacBook-Pro: ~$ sudo lsof -i :53 # after restarting docker
harry@Harrys-MacBook-Pro: ~$

[alexlo03]

@bsousaa Is this considered a bug that will be fixed in a future version of Docker For Mac? Thanks 🙏

[amjerm]

Workaround worked for me as well. Thanks!

[bsousaa]

@alexlo03 yes it is considered a bug with a documented workaround. We will post news as soon as we can.

[fwolfst]

Just for the archive: a former workaround were setting these settings:

Does not solve the issue anymore.

[PaulWeinsberg]

Try to deactivate network acceleration by adding "kernelForUDP": false, in the settings.json file located at ~/Library/Group Containers/group.com.docker/settings.json

This solve the issue on my mac.

[HeavyLab]

Try to deactivate network acceleration by adding "kernelForUDP": false, in the settings.json file located at ~/Library/Group Containers/group.com.docker/settings.json

This solve the issue on my mac.

Thanks this actually solved my problem as well !

[debo]

Adding my experience here hoping to add some additional element of thought to the conversation.

My kernelForUDP settings is true and I don't have this issue so, whilst a solution it feels still like a workaround. For what is worth I noticed that on my machine (M2 Pro running Ventura still) mDNSresponder is actually listening over UDP:5353 and not over TCP:53. I wonder if it's because of the fact I also have the internet sharing option disabled like @simonrw suggested or some other setup on my machine that I can't recall now, but I don't have this issue and I didn't have to change docker settings are suggested.

Also, by reading the mDNSResponder description here it looks like it should be listening to UDP:5353 so it feels like it's something else that is forcing to TCP:53 for some of you.

[Veraxus]

I just started experiencing this after updating Docker Desktop to 4.24.2 (124339)

@bsousaa's workaround fixed the issue for me.

[debo]

Little update, I'm running Docker Desktop to 4.24.2 (124339) on two different Mac one is an M1 Pro and the other is and M2 Pro. Both have kernelForUDP set to true and it actually turns out they both have the following output for sudo lsof -I -P:

mDNSRespo   664 _mdnsresponder    6u  IPv4 0xca551a3476c9e4ed      0t0    UDP *:5353
mDNSRespo   664 _mdnsresponder    7u  IPv6 0xca551a3476cbf0ed      0t0    UDP *:5353
mDNSRespo   664 _mdnsresponder   53u  IPv4 0xca551a3476e1cced      0t0    UDP *:53
mDNSRespo   664 _mdnsresponder   59u  IPv6 0xca551a3476e1d0ed      0t0    UDP *:53
mDNSRespo   664 _mdnsresponder   62u  IPv4 0xca551a347312e36d      0t0    TCP *:53 (LISTEN)
mDNSRespo   664 _mdnsresponder   63u  IPv6 0xca551a3e0fdf482d      0t0    TCP *:53 (LISTEN)

And I don't see the port conflict error.

[aheck]

There will be a checkbox in Docker Desktop 4.26 (to be released end of November 2023) to change the value of kernelForUDP from the UI:

[holyoaks]

The workaround does NOT solve the issue for me. I have tried 4.24.x and 4.25 and neither works with kernelForUDP: false. Only reverting to 4.23 works for me.

[bmelton-mdsol]

The kernelforUDP workaround doesn't work for me either with 4.25.1

[djs55]

@holyoaks @bmelton-mdsol next time you see this issue could you upload a diagnostics and quote the ID here? I installed a fresh download of build 4.25.1 (128006), edited my settings.json and started DD. I have nothing listening on port 53:

% netstat -an | grep 53 
udp4       0      0  *.5353                 *.*                               
udp6       0      0  *.5353                 *.*                               
udp4       0      0  *.5353                 *.*                               
dbeaf592e4dc5351 stream      0      0 dbeaf58950174f09                0                0                0 /Users/djs55/Library/Containers/com.docker.docker/Data/diagnosticd.direct.sock
dbeaf592e4dd5351 stream    117      0                0                0                0                0 /var/run/docker.sock
dbeaf592e7675351 stream      0      0                0 dbeaf592e7675289                0                0
dbeaf592e7675289 stream      0      0                0 dbeaf592e7675351                0                0
dbeaf592e4dced19 stream      0      0 dbeaf5894b5389e1                0                0                0 /Users/djs55/Library/Group Containers/BJ4HAAB9B3.ZoomClient3rd/s.zoomclient
dbeaf592e4de5f19 dgram       0      0                0 dbeaf592e4dea099                0 dbeaf592e4de5361
dbeaf592e4de5361 dgram       0      0                0 dbeaf592e4dea099                0 dbeaf592e4de60a9
       3        1       38    65536    65536 com.apple.net.netagent 
       6       21        0    65536    65536 com.apple.net.ipsec_control 
       a        1        0    65536    65536 com.apple.net.rvi_control 
       c        4        0    65536     2048 com.apple.uart.wlan-debug 
       e        4        0    65536     2048 com.apple.spmi.nfc 

and my Linux VM doesn't have the vmnet.framework eth1 (it's the activation of the vmnet.framework or Internet connection sharing which causes mDNSresponder to allocate port 53):

% docker run --rm --pid host --privileged -it justincormack/nsenter1 /sbin/ifconfig eth1
ifconfig: eth1: error fetching interface information: Device not found

When I set kernelForUDP back to true, I see the eth1 interface and mDNSresponder allocating the port as expected.

[Mika571]

Can you try this workaround?

1. Edit ~/Library/Group\ Containers/group.com.docker/settings.json and add "kernelForUDP": false
2. Restart Docker Desktop

@adrianliegmann thanks so much have been tearing my hair out on this for so long.

[hotrungnhan]

i think we can closed this issue. fix it in docker 4.26.1 it by uncheck the use kernel network for UDP

There will be a checkbox in Docker Desktop 4.26 (to be released end of November 2023) to change the value of kernelForUDP from the UI:

[nicekiwi]

I've stopped using Docker for development, AFAIK this has been resolved, though some people still seem to have the issue.

[dimohamdy]

Before running your docker command, run this command in the terminal like this

sudo lsof -t -i :53 | xargs sudo kill -9

docker run -p 53:53 -it --rm alpine ash

[Veraxus]

There was a regression in 4.27.2 and this is once again a problem.

[renestalder]

There was a regression in 4.27.2 and this is once again a problem.

Seems to work as expected for me on my M2 Mac having the "Use kernel networking for UDP" option under "Resources -> Network" deactivated.

I updated from 4.26 to 4.27.2 without issues so far.

[nicekiwi]

There was a regression in 4.27.2 and this is once again a problem.

Seems to work as expected for me on my M2 Mac having the "Use kernel networking for UDP" option under "Resources -> Network" deactivated.

I updated from 4.26 to 4.27.2 without issues so far.

Same for me, no DNS issues with 4.27.2 with "Use kernel networking for UDP" disabled.

[lacorde]

Confirmed fixed for me with 4.28.0 (Intel Mac).

I still had the issue with 4.27.2, even though "Use kernel networking for UDP" was disabled.

[ArneBo]

Still an issue on macOS 14.6.1 with 4.33.0 and with 4.34.0
The workaround is not working

[ernstmulder]

As I am using Docker to run PiHole which needs TCP/UDP port 53 and decent support for UDP (not using kernel networking for UDP has annoying issues, some (LAN) DNS requests time out) I was hoping for a programmable workaround. I remember reading that there is a particular Docker terminal command to toggle "Use kernel networking for UDP" but I can not find it documented anywhere.

The only way I know now to get PiHole running reliably after a system- or Docker reboot is this particular way:

Create your Docker Container using "--restart=no" to prevent it from starting automatically.

And after every reboot:

1. In Docker, disable "Use kernel networking for UDP".
2. Start the Container, it runs without UDP port conflicts since it is not using kernel networking for UDP.
3. In Docker, enable "Use kernel networking for UDP".
4. Start the Container again, no conflicts now and it runs using kernel networking for UDP.

This is Docker 4.34.2 running under macOS 14.7 on a M1 Mac mini.

20241120 EDIT: Beware that using this trick will flush all custom pf firewall rules one might have set.

[tbreuss]

This is still an Issue for my environment using an Intel Macbook:

• MacBook Pro (13'', 2020, Intel)
• macOS Sonoma Version 14.7.1 (23H222)
• Internet Sharing disabled
• Docker Desktop 4.35.1 (173168)

With docker started:

sudo lsof -i -P -n | grep LISTEN | grep :53                                 
mDNSRespo 231 _mdnsresponder   42u  IPv4 0xe22b3e886810a0d8      0t0    TCP *:53 (LISTEN)
mDNSRespo 231 _mdnsresponder   43u  IPv6 0xfde65027957d4067      0t0    TCP *:53 (LISTEN)

And kernelForUDP set to false:

cat ~/Library/Group\ Containers/group.com.docker/settings.json | grep kernel
  "kernelForUDP": false,

I still have this error when using port 53 for dnsmasq for example:

docker compose up
[+] Running 1/1
 ✔ Container dnsmasq-docker-dnsmasq-1  Recreated                                                                                                                  0.1s 
Attaching to dnsmasq-1
Gracefully stopping... (press Ctrl+C again to force)
Error response from daemon: Ports are not available: exposing port UDP 0.0.0.0:53 -> 0.0.0.0:0: listen udp4 0.0.0.0:53: bind: address already in use

As soon as I quit Docker Desktop the port 53 isn't used any more.

[ernstmulder]

In the end I gave up, I wasn't able to get my virtual Pi-hole to run reliably using Docker on my M1 Mac.

I have now switched to running my virtual Pi-hole using a faceless Debian 12 VM with Pi-hole using VirtualBox 7.1.4 and a custom LaunchAgent and using its own local IP address. Stable, auto-start after reboot and logging in, and using less memory.

[ninjacoder30]

I am facing same issue (Error response from daemon: Ports are not available: exposing port UDP 127.0.0.1:53 -> 0.0.0.0:0: command failed)- System with intel chip and MacOS - sequoia 15.2.

• Also i am not able to see settings.json under ~/Library/Group\ Containers/group.com.docker/ folder. tried saving resources but still that file is not getting created. -
• verified Internet sharing is off.

docker desktop version -4.37.2

Client:
Version: 27.4.0
API version: 1.47
Go version: go1.22.10
Git commit: bde2b89
Built: Sat Dec 7 10:35:43 2024
OS/Arch: darwin/amd64
Context: desktop-linux

Server: Docker Desktop 4.37.2 (179585)
Engine:
Version: 27.4.0
API version: 1.47 (minimum version 1.24)
Go version: go1.22.10
Git commit: 92a8393
Built: Sat Dec 7 10:38:57 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.21
GitCommit: 472731909fa34bd7bc9c087e4c27943f9835f111
runc:
Version: 1.1.13
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0

Docker Compose version v2.31.0-desktop.2