Explore networking how-tos on Docker Desktop

Table of contents

This page explains how to configure and use networking features, connect containers to host services, work behind proxies or VPNs, and troubleshoot common issues.

For details on how Docker Desktop routes network traffic and file I/O between containers, the VM, and the host, see Network overview.

Core networking how-tos

Connect a container to a service on the host

The host has a changing IP address, or none if you have no network access. To connect to services running on your host, use the special DNS name:

Name	Description
`host.docker.internal`	Resolves to the internal IP address of your host
`gateway.docker.internal`	Resolves to the gateway IP of the Docker VM

Example

Run a simple HTTP server on port 8000:

$ python -m http.server 8000

Then run a container, install curl, and try to connect to the host using the following commands:

$ docker run --rm -it alpine sh
# apk add curl
# curl http://host.docker.internal:8000
# exit

Connect to a container from the host

To access containerized services from your host or local network, publish ports with the -p or --publish flag. For example:

$ docker run -d -p 80:80 --name webserver nginx

Docker Desktop makes whatever is running on port 80 in the container, in this case, nginx, available on port 80 of localhost.

Tip
The syntax for -p is HOST_PORT:CLIENT_PORT.

To publish all ports, use the -P flag. For example, the following command starts a container (in detached mode) and the -P flag publishes all exposed ports of the container to random ports on the host.

$ docker run -d -P --name webserver nginx

Alternatively, you can also use host networking to give the container direct access to the network stack of the host.

See the run command for more details on publish options used with docker run.

All inbound connections pass through the Docker Desktop backend process (com.docker.backend (Mac), com.docker.backend (Windows), or qemu (Linux), which handles port forwarding into the VM. For more details, see How exposed ports work

Working with VPNs

Docker Desktop networking can work when attached to a VPN.

To do this, Docker Desktop intercepts traffic from the containers and injects it into the host as if it originated from the Docker application.

For details about how this traffic appears to host firewalls and endpoint detection systems, see Firewalls and endpoint visibility.

Working with proxies

Docker Desktop can use your system proxy or a manual configuration. To configure proxies:

Navigate to the Resources tab in Settings.
From the dropdown menu select Proxies.
Switch on the Manual proxy configuration toggle.
Enter your HTTP, HTTPS or SOCKS5 proxy URLS.

For more details on proxies and proxy configurations, see the Proxy settings documentation.

Network how-tos for Mac and Windows

With Docker Desktop version 4.42 and later, you can control how Docker handles container networking and DNS resolution to better support a range of environments — from IPv4-only to dual-stack and IPv6-only systems. These settings help prevent timeouts and connectivity issues caused by incompatible or misconfigured host networks.

You can set the following settings on the Network tab in the Docker Desktop Dashboard settings, or if you're an admin, with Settings Management via the admin-settings.json file, or the Admin Console

Note
These settings can be overridden on a per-network basis using CLI flags or Compose file options.

Default networking mode

Choose the default IP protocol used when Docker creates new networks. This allows you to align Docker with your host’s network capabilities or organizational requirements, such as enforcing IPv6-only access.

Mode	Description
Dual IPv4/IPv6 (default)	Supports both IPv4 and IPv6. Most flexible.
IPv4 only	Uses only IPv4 addressing.
IPv6 only	Uses only IPv6 addressing.

DNS resolution behavior

Control how Docker filters DNS records returned to containers, improving reliability in environments where only IPv4 or IPv6 is supported. This setting is especially useful for preventing apps from trying to connect using IP families that aren't actually available, which can cause avoidable delays or failures.

Option	Description
Auto (recommended)	Automatically filters unsupported record types. (A for IPv4, AAAA for IPv6)
Filter IPv4 (A records)	Blocks IPv4 lookups. Only available in dual-stack mode.
Filter IPv6 (AAAA records)	Blocks IPv6 lookups. Only available in dual-stack mode.
No filtering	Returns both A and AAAA records.

Important
Switching the default networking mode resets the DNS filter to Auto.

Network how-tos for Mac and Linux

SSH agent forwarding

Docker Desktop for Mac and Linux lets you use the host’s SSH agent inside a container. To do this:

Bind mount the SSH agent socket by adding the following parameter to your docker run command:

$--mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock

Add the SSH_AUTH_SOCK environment variable in your container:
$ -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock"

To enable the SSH agent in Docker Compose, add the following flags to your service:

services:
 web:
   image: nginx:alpine
   volumes:
     - type: bind
       source: /run/host-services/ssh-auth.sock
       target: /run/host-services/ssh-auth.sock
   environment:
     - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock

Explore networking how-tos on Docker Desktop

Core networking how-tos

Connect a container to a service on the host

Example

Connect to a container from the host

Working with VPNs

Working with proxies

Network how-tos for Mac and Windows

Default networking mode

DNS resolution behavior

Network how-tos for Mac and Linux

SSH agent forwarding

Known limitations

Changing internal IP addresses

There is no `docker0` bridge on the host

I cannot ping my containers

Per-container IP addressing is not possible