Issue Docker containers unable to resolve DNS or access external network on Plesk Obsidian 18.0.76 Update #4 (Collabora / Nextcloud issue)

[first4it]

Server operating system version

AlmaLinux 9.7 (Moss Jungle Cat)

Plesk version and microupdate number

18.0.76 Update #4

I am raising this as a potential infrastructure-level issue affecting Docker networking on Plesk, rather than an application-specific problem.

Environment:

• Plesk Obsidian 18.0.76 Update #4
• Docker Engine 29.3.1
• AlmaLinux (Plesk managed server)
• Dedicated server (not shared hosting)
• Nextcloud installed via Plesk
• Collabora Online (collabora/code) deployed via Docker
• Separate subdomains:
  • Nextcloud: files.example.com
  • Collabora: collabora.example.com

Issue:

Nextcloud Office integration fails when opening .doc / .docx files.

The error shown in Nextcloud:

“Failed to establish socket connection or socket connection closed unexpectedly”

Collabora logs show:

• Failed to lookup host
• Temporary failure in name resolution
• Failed to connect to Nextcloud host on port 443

Observed behaviour:

• Collabora /hosting/discovery endpoint works correctly
• WebSocket connection (/cool/.../ws) upgrades successfully (101)
• Reverse proxy configuration is correct
• SSL termination via Plesk works correctly

However:

• DNS resolution inside Docker containers fails
• External HTTP requests from containers fail
• Containers cannot reach public internet resources

Diagnostics performed:

From inside the Collabora container:

• getent hosts <nextcloud-domain> hangs
• DNS resolution fails
• WOPI calls fail due to hostname lookup

From test containers:

• docker run alpine ping 8.8.8.8 → fails
• docker run alpine wget Example Domain → hangs
• Alpine package install fails due to unreachable repositories

From host:

• DNS resolution works correctly
• HTTPS access to Nextcloud works
• Docker NAT and forwarding appear correctly configured
• ip_forward = 1
• MASQUERADE rule present for 172.17.0.0/16

Firewall checks:

• Plesk Firewall forwarding policy tested (Allow) → no change
• DOCKER-USER ACCEPT rule tested → no change

Conclusion from testing:

Docker bridge networking on this host cannot reliably:

• resolve DNS
• reach external HTTP services

This causes Collabora to fail WOPI communication with Nextcloud.

This is not a misconfiguration of:

• Nextcloud
• Collabora
• Reverse proxy
• SSL

Workaround:

Running Collabora in host network mode resolves the issue completely:

docker run --network host ...

Result:

• DNS works
• WOPI works
• Documents open correctly

Concern:

This should not be required.

Docker containers should be able to:

• resolve external DNS
• access outbound HTTP/HTTPS

without requiring host networking.

Using host mode:

• bypasses Docker networking entirely
• is not ideal for isolation or portability
• is not manageable via the Plesk Docker UI

Questions:

1. Is this a known issue with Docker networking on recent Plesk versions?
2. Is there a known interaction between Plesk firewall / nftables / Docker bridge networking that could cause this?
3. Are additional routing or firewall adjustments required on Plesk-managed servers for Docker containers to access external DNS?
4. Is this related to provider network topology (e.g. routed gateways like 10.x.x.x) and how Docker NAT behaves in that scenario?

Expectation:

A standard Plesk + Docker setup should allow containers to:

• resolve DNS
• access external services

without requiring host network mode.

Summary:

• Issue affects Docker networking layer
• Breaks Collabora / Nextcloud Office
• Reproducible with simple test containers
• Workaround exists but is not ideal

If anyone has experienced similar behaviour or has a recommended fix that restores normal Docker bridge networking, I would appreciate their input.