I just upgraded to Fedora 32 and suddenly my Docker containers could not resolve any DNS. The DNS inside my Docker containers could not, for example, resolve github.com, hence my Docker builds were failing.

The reason was a change in the NAT forwarding.

The solution is to enable IP masquerading so packets coming from Docker will be forwarded on to the internet.

Find your interface to the internet.

You need to find which interface you are using to go out to the internet. You can achieve this by using the *route* command.

In my case, running route shows me that my default route (the one that has Destination: 0.0.0.0) is my wlp5s0 device. This is my wifi.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp5s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-0dddd80888f2
...
...

We can list all interfaces with the nmcli command and find the device that has route4 0.0.0.0/0.

$ nmcli
wlp5s0: connected to RadHome-Guest5G
        "Qualcomm Atheros QCA6174"
        wifi (ath10k_pci), 9C:B6:D0:61:84:31, hw, mtu 1500
        ip4 default
        inet4 192.168.0.181/24
        route4 0.0.0.0/0
        route4 192.168.0.0/24
        inet6 fe80::971d:58f1:5af:d30c/64
        route6 fe80::/64
        route6 ff00::/8

br-0dddd80888f2: connected to br-0dddd80888f2
        "br-0dddd80888f2"
        bridge, 02:42:39:C5:82:D4, sw, mtu 1500
        inet4 172.18.0.1/16
        route4 172.18.0.0/16
        inet6 fe80::42:39ff:fec5:82d4/64
        route6 fe80::/64
        route6 ff00::/8

br-4daf777d907d: connected to br-4daf777d907d
        "br-4daf777d907d"
        bridge, 02:42:47:13:2E:D0, sw, mtu 1500
        inet4 172.19.0.1/16
        route4 172.19.0.0/16
        inet6 fe80::42:47ff:fe13:2ed0/64
        route6 fe80::/64
        route6 ff00::/8

........

Configure the interface to do masquerading

Run the following command. Replace wlp5s0 with the interface you found from above.

sudo firewall-cmd --get-zone-of-interface=wlp5s0

Which gives me:

FedoraWorkstation

Now we finally enable masquerading. On a default Fedora 32 firewalld setup, the zone is always "FedoraWorkstation" unless you renamed it.

sudo firewall-cmd --zone=FedoraWorkstation --add-masquerade --permanent
sudo firewall-cmd --reload
sudo systemctl restart docker

Your Docker containers should now work again.
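
The steps above combined into one script, as an added example that is not part of the original post: it picks the default-route interface from `route -n` output (the lowest metric wins when there are several default routes), looks up its firewalld zone, and adds masquerading only when `--query-masquerade` reports it is not already enabled. The function names and the sample routing table are constructed for illustration; the second default route (`enp3s0`) does not appear in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the interface of the default route from `route -n` output on stdin.
# A default route has Destination 0.0.0.0 and Genmask 0.0.0.0; when several
# exist (e.g. wired and wifi), the kernel prefers the lowest Metric.
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" {
             if (best == "" || $5 + 0 < metric) { metric = $5 + 0; best = $8 }
         }
         END { if (best == "") exit 1; print best }'
}

# Enable masquerading on the zone of the default-route interface, but only
# if it is not already enabled. Needs root, firewalld and docker.
enable_masquerade() {
    iface=$(route -n | default_iface) || { echo "no default route" >&2; return 1; }
    zone=$(firewall-cmd --get-zone-of-interface="$iface") || return 1
    echo "default route: $iface (zone: $zone)"
    if firewall-cmd --permanent --zone="$zone" --query-masquerade >/dev/null; then
        echo "masquerading already enabled on $zone; nothing to change"
        return 0
    fi
    firewall-cmd --permanent --zone="$zone" --add-masquerade &&
    firewall-cmd --reload &&
    systemctl restart docker
}

# Constructed sample modelled on the output shown above, with an extra
# higher-metric default route added to exercise the metric comparison.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp5s0
0.0.0.0         10.0.0.1        0.0.0.0         UG    20600  0        0 enp3s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0'

# Change the firewall only when asked to: sudo sh thisscript.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_masquerade
fi
```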