Can only access other containers via private IP, not DNS service/container name

[brstreetlaw]

I'm using:

• Docker Desktop on WSL2 with a custom kernel that includes wireguard
• portainer for easier UI-based management of containers and docker-compose ('stacks')
• traefik/letsencrypt for reverse proxy with https and sub-subdomains for web UI of most of my containers
• a user-defined bridge network so that I can have all my containers see/talk to each other, while keeping them organized into different 'stacks' that I can bring up/down and reconfigure without disrupting the others
• a vpn-services stack that runs only some of my containers through a nordlynx container using network_mode: service:vpn
• other stacks with other containers that need to interact locally with the containers that are behind the VPN

And everything almost works. The main problem is that my nordlynx container, and every other container networked behind it, can only ping the non-VPN containers using their local/private IP addresses, but not using their DNS names.

Here's how the stack / docker-compose yaml begins and ends for nordlynx:

version: "3.3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx:latest
    container_name: nordlynx
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    environment:
      - TZ=America/Toronto
      - PRIVATE_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - NET_LOCAL=172.16.0.0/12,192.168.0.0/16
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recomended if using ipv4 only
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      - proxy_net
    ports:
      - 9117:9117 #vpn'd container ABC
      - 9696:9696 #vpn'd container XYZ
      - 8191:8191 #vpn'd container flaresolverr
    restart: unless-stopped
  flaresolverr:
    image: ghcr.io/flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    network_mode: service:vpn
    depends_on:
      - vpn
    environment:
      - LOG_LEVEL=info
      - LOG_HTML=false
      - TZ=America/Toronto
    #ports:
      #- 8191:8191 #bound through VPN container
    restart: unless-stopped

[further configuration of containers ABC and XYZ]

networks:
  proxy_net:
    external: true

I would like to not have to hard-code references to the IP addresses of my containers into the configuration of other containers, because Docker dynamically assigns these IP addresses and can even change subnets if I ever decide to re-create the user-defined network.

Having my VPN-networked containers communicate with my non-VPN containers via the reverse proxy isn't always viable, as the reverse proxy forces an SSL connection through an HTTPS address, while internal communication between containers (e.g. http://lidarr:8686/) can be safely non-encrypted. (My other containers have no problem reaching flaresolverr via http://vpn:8191 this way.)

Am I asking too much here? I feel like I'm very close to getting the right nordlynx environment variables to make these other containers locally accessible from the nordlynx container via their service and container names.

Seeing as this seems DNS-related, I used the command cat /etc/resolv.conf in each container's CLI. All the non-VPN containers have

nameserver 127.0.0.11
options ndots:0

meanwhile, nordlynx and its network-mode service:vpn associated containers all show

# Generated by resolvconf
nameserver 103.86.96.100
nameserver 103.86.99.100

As a possible solution, if I set the POST_UP environment variable to something like
echo 'nameserver 127.0.0.11' >> /etc/resolv.conf' will I be creating a DNS leak? How do I ensure that nordlynx only uses 127.0.0.11 to resolve local hostnames and not public URLs?

(Note: I tried exactly this but then from a CLI within nordlynx container, the 127.0.0.11 line is still missing from /etc/resolv.conf.)
from logs:

[2022-12-19T16:13:02-05:00] Connecting...
[#] 
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.5.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#] "echo 'nameserver 127.0.0.11' >> /etc/resolv.conf"
/usr/bin/wg-quick: line 295: echo 'nameserver 127.0.0.11' >> /etc/resolv.conf: No such file or directory
[#] resolvconf -d wg0 -f
[#] iptables-restore -n
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[2022-12-19T16:13:02-05:00] Connected! \(ᵔᵕᵔ)/

EDIT 2: so instead I used the environment variable DNS=103.86.96.100,103.86.99.100,127.0.0.11 which appears to resolve the problem above - the VPN containers can ping external URLs and also internal hostnames. But (a) how do I make sure only the internal hostnames are resolved through 127.0.0.11 and not external URLs, and (b) what's the likelihood that either NordVPN changes their two DNS IPs or Docker changes their internal DNS IP?

EDIT 3: when I use the DNS environment variable as above and then do nslookup google.ca from a CLI within the nordlynx container, it pretty much confirms that only 127.0.0.11 is being used to resolve that domain name - even though the subsequent pings to google.ca only go out over the wg0 interface. In this scenario, /etc/resolv.conf only contains nameserver 127.0.0.11.

EDIT 4: at least when NordVPN is properly connected, the closest I have come is to go into the nordlynx container CLI and run echo 'nameserver 127.0.0.11' >> /etc/resolv.conf so that there is now a 3rd DNS server. nslookup shows external URLs being resolved using the NordVPN DNS servers (103.86.96.100) while local container or server hostnames are resolved by 127.0.0.11. As noted above, the POST_UP environment variable can't seem to run this same command properly - and the solution seems to allow DNS leaks.