Configuring Networking Mode and DNS Resolution in Docker Desktop (Mac & Windows) and SSH Agent Forwarding (Mac & Linux)

Choose the default IP protocol used when Docker creates new networks. This allows you to align Docker with your host’s network capabilities or organizational requirements, such as enforcing IPv6-only access. The options available are: - **Dual IPv4/IPv6** (Default): Supports both IPv4 and IPv6. Most flexible and ideal for environments with dual-stack networking. - **IPv4 only**: Only IPv4 addresses are used. Use this if your host or network does not support IPv6. - **IPv6 only**: Only IPv6 addresses are used. Best for environments transitioning to or enforcing IPv6-only connectivity. > [!NOTE] > > This setting can be overridden on a per-network basis using CLI flags or Compose file options. ### DNS resolution behavior Control how Docker filters DNS records returned to containers, improving reliability in environments where only IPv4 or IPv6 is supported. This setting is especially useful for preventing apps from trying to connect using IP families that aren't actually available, which can cause avoidable delays or failures. Depending on your selected network mode, the options available are: - **Auto (recommended)**: Docker detects your host's network stack and automatically filters out unsupported DNS record types (A for IPv4, AAAA for IPv6). - **Filter IPv4 (A records)**: Prevents containers from resolving IPv4 addresses. Only available in dual-stack mode. - **Filter IPv6 (AAAA records)**: Prevents containers from resolving IPv6 addresses. Only available in dual-stack mode. - **No filtering**: Docker returns all DNS records (A and AAAA), regardless of host support. > [!IMPORTANT] > > Switching the default networking mode resets the DNS filter to Auto. ### Using Settings Management If you're an administrator, you can use [Settings Management](/manuals/security/for-admins/hardened-desktop/settings-management/configure-json-file.md#networking) to enforce this Docker Desktop setting across your developer's machines. Choose from the following code snippets and at it to your `admin-settings.json` file. {{< tabs >}} {{< tab name="Networking mode" >}} Dual IPv4/IPv6: ```json { "defaultNetworkingMode": { "locked": true "value": "dual-stack" } } ``` IPv4 only: ```json { "defaultNetworkingMode": { "locked": true "value": "ipv4only" } } ``` IPv6 only: ```json { "defaultNetworkingMode": { "locked": true "value": "ipv6only" } } ``` {{< /tab >}} {{< tab name="DNS resolution" >}} Auto filter: ```json { "dnsInhibition": { "locked": true "value": "auto" } } ``` Filter IPv4: ```json { "dnsInhibition": { "locked": true "value": "ipv4" } } ``` Filter IPv6: ```json { "dnsInhibition": { "locked": true "value": "ipv6" } } ``` No filter: ```json { "dnsInhibition": { "locked": true "value": "none" } } ``` {{< /tab >}} {{< /tabs >}} ## Networking features for Mac and Linux ### SSH agent forwarding Docker Desktop for Mac and Linux lets you use the host’s SSH agent inside a container. To do this: 1. Bind mount the SSH agent socket by adding the following parameter to your `docker run` command: ```console $--mount type=bind,src=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock ``` 2. Add the `SSH_AUTH_SOCK` environment variable in your container: ```console $ -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" ```

This section explains how to customize Docker's networking mode (Dual IPv4/IPv6, IPv4 only, IPv6 only) and DNS resolution behavior (Auto, Filter IPv4, Filter IPv6, No filtering) in Docker Desktop on Mac and Windows. It also provides code snippets for administrators to enforce these settings across developer machines using Settings Management. Additionally, it outlines the steps to enable SSH agent forwarding in Docker Desktop for Mac and Linux by bind mounting the SSH agent socket and setting the SSH_AUTH_SOCK environment variable within the container.