From eea68dbdd0b79f80e114367143b0797df659dcc9 Mon Sep 17 00:00:00 2001 From: Mathieu Virbel Date: Mon, 1 Dec 2025 18:26:10 -0600 Subject: [PATCH] feat: add ENABLE_DOCKER_DNS env var for service discovery Adds configurable Docker embedded DNS (127.0.0.11) passthrough for container service name resolution. Enabled by default to support typical Docker Compose use cases. --- README.md | 1 + network-filter.sh | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 637b824..8653c1a 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ services: |---------------------|-------------|---------| | `ALLOWED_DOMAINS` | Comma-separated list of allowed domains with optional port specifications | (none - required) | | `DNS_SERVERS` | Comma-separated list of upstream DNS servers | `8.8.8.8,8.8.4.4` | +| `ENABLE_DOCKER_DNS` | Enable Docker embedded DNS (127.0.0.11) for service discovery | `true` | | `RUN_SELFTEST` | Run connectivity tests on startup | `false` | ### Domain and port specification diff --git a/network-filter.sh b/network-filter.sh index ec3213a..e405250 100755 --- a/network-filter.sh +++ b/network-filter.sh @@ -12,12 +12,14 @@ setup_env() { DNS_SERVERS="${DNS_SERVERS:-8.8.8.8,8.8.4.4}" RUN_SELFTEST="${RUN_SELFTEST:-false}" IPSET_TIMEOUT="${IPSET_TIMEOUT:-600}" # 10 minutes default + ENABLE_DOCKER_DNS="${ENABLE_DOCKER_DNS:-true}" # Enable Docker embedded DNS for service discovery echo "--- Configuration ---" echo "DNS Servers: $DNS_SERVERS" echo "Allowed Domains: $ALLOWED_DOMAINS" echo "IPSet Timeout: $IPSET_TIMEOUT seconds" echo "Run Selftest on start: $RUN_SELFTEST" + echo "Docker DNS (127.0.0.11): $ENABLE_DOCKER_DNS" } # --- Domain Parsing --- 
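Review bot: `ENABLE_DOCKER_DNS` is taken as free text in the added assignment, but the dnsmasq hunk later in this patch acts only on the exact string `true`, so `True`, `1` or `yes` switch the feature off while the configuration banner echoes the operator's value as if it had been honoured. Normalising and validating once here keeps the banner and the behaviour in step, for example `ENABLE_DOCKER_DNS="${ENABLE_DOCKER_DNS,,}"` followed by `case "$ENABLE_DOCKER_DNS" in true|false) ;; *) echo "ENABLE_DOCKER_DNS must be true or false" >&2; exit 1 ;; esac`. The default of `true` also changes resolver behaviour for existing deployments on upgrade, which the new README row could say explicitly. Only part of setup_env is visible in this hunk.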
@@ -130,6 +132,11 @@ log-queries filter-AAAA EOF + # Add Docker embedded DNS for service discovery if enabled + if [[ "$ENABLE_DOCKER_DNS" == "true" ]]; then + echo "server=127.0.0.11" >> /etc/dnsmasq.conf + fi + # Add server and ipset entries for all domains for domain in "${!DOMAIN_PORTSET[@]}"; do echo "server=/${domain}/${PRIMARY_DNS}" >> /etc/dnsmasq.conf
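Review bot: The added `echo "server=127.0.0.11"` line registers Docker's embedded resolver as an unscoped upstream, so dnsmasq will send it every name that has no `server=/<domain>/` entry, not only container service names. Docker's resolver forwards names it does not own to the host's resolvers, so with the default of `true`, names outside `ALLOWED_DOMAINS` probably become resolvable from the filtered container. The ipset rules are not visible here and may still block the connections, but the lookups themselves would no longer be limited to the allow-list. If only Compose service names are needed, `echo "server=//127.0.0.11" >> /etc/dnsmasq.conf` limits this upstream to unqualified (dot-less) names; dotted aliases such as `service.network` would then need their own `server=/<name>/127.0.0.11` entries. The enclosing function begins and ends outside this hunk.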