macOS Client: Docker Container's Second Connection to Twingate DNS Resource Fails

Last updated: April 3, 2026

Applicable to:
  • Twingate Component: Client
  • Platform: macOS
  • 3rd Party Component: Docker for Mac

Overview

In this scenario, the Twingate Client is running on the macOS host. A Docker container is able to connect to a DNS Resource on the first connection attempt, but fails on subsequent attempts. The container resolves the name through the Twingate resolvers on the first attempt, but uses different resolvers on subsequent attempts.

Symptoms

  • Container instance's first connection to a Twingate-protected Resource is successful. Subsequent connection attempts fail.

Troubleshooting

  1. When performing an nslookup or dig in the container for the first time, you will see a CGNAT IP returned.
    / # nslookup tg_resource.internal
    Server: 192.168.65.5
    Address: 192.168.65.5:53

    Non-authoritative answer:
    Name: tg_resource.internal
    Address: 100.98.196.176
  2. When performing the nslookup or dig a second time, you will see a non-CGNAT IP returned.
    / # nslookup tg_resource.internal
    Server: 192.168.65.5
    Address: 192.168.65.5:53

    Non-authoritative answer:
    Name: tg_resource.internal
    Address: 10.140.140.65

Resolution

When starting the Docker container instance, add the following command-line arguments to the docker run command to force the container to use the Twingate resolvers.

--dns=100.95.0.251 --dns=100.95.0.252 --dns=100.95.0.253 --dns=100.95.0.254
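
The check from the Troubleshooting steps can be scripted so it is repeatable, both to confirm the symptom and to verify the container after restarting it with the resolver arguments above. The following is an added example, not Twingate's own tooling: the function names are hypothetical, the two sample outputs are constructed from the lookups shown on this page, and it assumes the nslookup output format shown there.

```shell
#!/bin/sh
# Added example: classify an nslookup answer as CGNAT (100.64.0.0/10) or not.

# Succeeds if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
is_cgnat() {
  case "$1" in
    *[!0-9.]*) return 1 ;;             # anything other than digits and dots
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;    # shaped like a dotted quad
    *) return 1 ;;
  esac
  _first=${1%%.*}; _rest=${1#*.}; _second=${_rest%%.*}
  [ "$_first" -eq 100 ] && [ "$_second" -ge 64 ] && [ "$_second" -le 127 ]
}

# Reads nslookup output on stdin and prints the first answer address.
# Only "Address" lines after "Name:" count, so the resolver's own
# Server/Address header (192.168.65.5:53 in the samples) is skipped.
answer_ip() {
  awk '$1 == "Name:" { seen = 1; next }
       seen && ip == "" && $1 ~ /^Address/ { ip = $NF }
       END { print ip }'
}

# Reads nslookup output on stdin and prints "cgnat <ip>", "non-cgnat <ip>"
# or "no-answer".
classify_lookup() {
  _ip=$(answer_ip)
  if [ -z "$_ip" ]; then echo "no-answer"
  elif is_cgnat "$_ip"; then echo "cgnat $_ip"
  else echo "non-cgnat $_ip"
  fi
}

# Constructed samples, copied from the two lookups in Troubleshooting.
FIRST_LOOKUP='Server: 192.168.65.5
Address: 192.168.65.5:53

Non-authoritative answer:
Name: tg_resource.internal
Address: 100.98.196.176'
SECOND_LOOKUP='Server: 192.168.65.5
Address: 192.168.65.5:53

Non-authoritative answer:
Name: tg_resource.internal
Address: 10.140.140.65'

printf '%s\n' "$FIRST_LOOKUP"  | classify_lookup
printf '%s\n' "$SECOND_LOOKUP" | classify_lookup
# Live use (container name is a placeholder), repeated several times:
#   docker exec <container> nslookup tg_resource.internal | classify_lookup
```

A container that is consistently using the Twingate resolvers should report a CGNAT address on every repetition, not only the first.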