Hey guys,
I'm trying to migrate from LXD to Proxmox but ran into some problems.
Setup
- Proxmox VE host
- Ubuntu 24.04 unprivileged LXC container running Docker
- Docker stack: Pi-hole + Unbound + Gravity Sync + Nebula
- Docker network mode: host
- LXC network: bridged (vmbr0)
- Secondary Pi-hole IP: 192.168.50.160
- Primary Pi-hole: runs natively inside an unprivileged LXD container on another host — works perfectly
Problem
DNS (UDP/53) traffic fails when the Pi-hole stack runs inside Docker in the unprivileged LXC.
From inside the Proxmox LXC (the Docker container host):
- dig @192.168.50.160 google.com → times out
- nslookup google.com 192.168.50.160 → times out
- nslookup pi.hole 192.168.50.160 → works
From the Proxmox host:
- nslookup pi.hole 192.168.50.160 → works
- dig @192.168.50.160 pi.hole → works
- dig @192.168.50.160 google.com → times out
From LAN clients:
- nc -vuz 192.168.50.160 53 → succeeds (UDP port open)
But DNS queries from LAN clients still time out.
Observations
- Pi-hole web UI is reachable from the LAN, so TCP is fine.
- tcpdump shows DNS queries leaving the Proxmox host, but no UDP replies coming back from the container.
- Inside the LXC, only local DNS requests are visible; external ones never reach it.
Likely Cause
Inbound UDP traffic to Docker services inside unprivileged LXC containers does not fully pass through, even with --network=host.
It appears AppArmor or namespace restrictions block UDP reply handling for host-networked Docker containers, which affects DNS specifically.
Questions
- Is this a known limitation for Docker with --network=host inside unprivileged LXC containers on Proxmox?
- Is there a way to allow UDP (especially port 53) without making the LXC privileged — for example via AppArmor profile, lxc.apparmor.profile, or extra capabilities?
- Would switching Pi-hole to a macvlan or dedicated bridge network safely bypass this limitation?
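An added example, not code from the original post and not a Pi-hole, Docker or Proxmox tool: a small probe that sends the same A query over UDP and over TCP and reports the result per name and per transport. That matrix is what separates a UDP-path problem (UDP times out while TCP answers the same name) from a resolution problem (both transports fail for external names while local names answer on both). The `FakeResolver` class is a constructed stand-in so the script runs offline; it reproduces the symptom described above (local names answer, UDP for external names is dropped) and hands back 192.168.50.160, the address from the post, as the A record. Everything else about its behaviour is an assumption for the demo, not a description of how Pi-hole or Unbound behave.

```python
"""DNS transport probe: query a resolver over UDP and TCP and classify each reply.

Added example for the thread above (not the poster's code). FakeResolver is a
constructed stand-in for the Pi-hole so the script runs offline; point
probe_all() at the real resolver address to use it for real.
"""
import socket
import struct
import threading

QID = 0x1234
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=QID):
    """Minimal DNS A/IN query with RD set, the same shape dig and nslookup send."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def query_name(msg):
    """Read the question name from a wire-format query (questions are never compressed)."""
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def probe(server, name, transport, port=53, timeout=2.0):
    """Send one query over 'udp' or 'tcp'; return the RCODE name, 'TIMEOUT' or 'ERROR:<type>'."""
    q = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, port))
                reply, _ = s.recvfrom(4096)
        else:  # DNS over TCP: two-byte length prefix on each message
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                reply = _recv_exact(s, length)
    except socket.timeout:
        return "TIMEOUT"            # the symptom in the post: query leaves, nothing comes back
    except OSError as e:
        return f"ERROR:{e.__class__.__name__}"  # e.g. ConnectionRefusedError when nothing listens
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != QID or not flags & 0x8000:
        return "ERROR:BadReply"
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")


def probe_all(server, names, port=53, timeout=2.0):
    """name -> {'udp': result, 'tcp': result}; run this from each vantage point and compare."""
    return {n: {t: probe(server, n, t, port, timeout) for t in ("udp", "tcp")} for n in names}


class FakeResolver:
    """Constructed stand-in for the Pi-hole (assumption, not real Pi-hole behaviour):
    answers names under local_suffix on both transports, silently drops UDP queries for
    any other name, and returns an empty NOERROR for other names over TCP."""

    def __init__(self, local_suffix="pi.hole"):
        self.local_suffix = local_suffix
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind(("127.0.0.1", 0))
        self.port = self.udp.getsockname()[1]
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.tcp.bind(("127.0.0.1", self.port))
        self.tcp.listen(5)
        for fn in (self._serve_udp, self._serve_tcp):
            threading.Thread(target=fn, daemon=True).start()

    def _reply(self, msg, answer):
        header = msg[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
        rr = b""
        if answer:  # A record pointing at the secondary Pi-hole address from the post
            rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 168, 50, 160])
        return header + msg[12:] + rr

    def _serve_udp(self):
        while True:
            msg, peer = self.udp.recvfrom(4096)
            if query_name(msg).endswith(self.local_suffix):
                self.udp.sendto(self._reply(msg, True), peer)
            # external names over UDP: dropped on purpose, the client sees TIMEOUT

    def _serve_tcp(self):
        while True:
            conn, _ = self.tcp.accept()
            with conn:
                (n,) = struct.unpack("!H", _recv_exact(conn, 2))
                msg = _recv_exact(conn, n)
                reply = self._reply(msg, query_name(msg).endswith(self.local_suffix))
                conn.sendall(struct.pack("!H", len(reply)) + reply)


if __name__ == "__main__":
    fake = FakeResolver()
    for name, res in probe_all("127.0.0.1", ["pi.hole", "google.com"], fake.port, 1.0).items():
        print(f"{name:12} udp={res['udp']:8} tcp={res['tcp']}")
```

Against the real stack, call `probe_all("192.168.50.160", ["pi.hole", "google.com"])` from the Proxmox host, from inside the LXC and from a LAN client and compare the three matrices; `dig +tcp @192.168.50.160 google.com` gives the same TCP data point from the shell. If TCP answers external names wherever UDP times out, the transport is the problem; if both transports fail for external names everywhere, the query reaches Pi-hole and the failure is further along.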