
How do I use OpenVZ 7 hardware node for name service caching with *all* container types?

2 votes
0 answers
155 views
I stopped using OpenVZ for a couple of years, and now that I'm back at it I feel somewhat overwhelmed by the increased level of complexity. I've been stuck for hours on this simple task: I want to use the hardware node as my local DNS cache for *all* container types (a paradigm that is new to me), host-only and bridged. I have only containers.

I have successfully configured dnsmasq to listen on both br0 and virbr0, the interfaces for bridged and host-only containers, respectively. I could confirm the step with dig @interface, and that works.

What doesn't work:

- name resolution in any container times out
- pinging the hardware node address gives no reply

From the hardware node:

    # prlsrvctl net list
    Network ID   Type        Bound To   Bridge   Slave interfaces
    Bridged      bridged     enp2s0     br0
    Host-Only    host-only              virbr0

with virbr0: 10.37.130.2/24 and br0: 192.168.xx.5/28. I've run prlctl set --nameserver 10.37.130.2, and even so it has no name resolution.

I *suppose* I need to add a rule to iptables but, man, there are so many, even for local processes! Even common sense doesn't help: I've tried adding a rule to accept UDP packets on port 53 for both interfaces... no way, there's something else. I just don't know what to hack:

- I don't know if dnsmasq receives the DNS requests
- I don't know if it sends responses
- I don't know if the responses are blocked by the firewall

Here's what I have with tcpdump, whether I add my firewall rule or not:

    # tcpdump
    tcpdump: WARNING: venet0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    23:03:20.876113 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28)
    23:03:25.875974 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28)
    ^C
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel

This happens when I do a simple host google.com from a container that has the host command. From that container:

    # ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=39 time=328 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=39 time=19.8 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=39 time=20.3 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=39 time=20.3 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=39 time=44.1 ms
    64 bytes from 8.8.8.8: icmp_seq=6 ttl=39 time=20.4 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    6 packets transmitted, 6 received, 0% packet loss, time 5002ms
    rtt min/avg/max/mdev = 19.836/75.699/328.996/113.614 ms

Then why the ... does the firewall list these rules?

    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT

Frustratingly complicated.
Asked by user86969
Jul 8, 2017, 09:35 PM
Last activity: Jul 8, 2017, 09:41 PM
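An added diagnostic example, not part of the original question and not OpenVZ or dnsmasq tooling: it pairs the query and response lines that tcpdump prints for UDP port 53 by (client endpoint, server endpoint, transaction ID) and reports every query that never got a reply, counting how often the client retransmitted the same ID, which is what the two identical 32621+ lines in the post show. The sample input is constructed: the two query lines from the post, plus a made-up query/answer pair from an assumed host-only container 10.37.130.7 asking for example.com and getting 192.0.2.10, so the matcher has one answered and one unanswered case.

```python
"""Pair DNS queries with responses in tcpdump output (added diagnostic example).

Stub resolvers retransmit a timed-out query with the same transaction ID, so
matching query and response lines by (client, server, ID) shows whether the
DNS server on the host ever answered at all.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: the two query lines from the post, plus a constructed
# query/response pair from an assumed host-only container (10.37.130.7) for
# example.com, answered with the documentation address 192.0.2.10.
SAMPLE_TCPDUMP = """\
23:03:20.876113 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28)
23:03:25.875974 IP 192.168.xx.4.53894 > myhostname.local.domain: 32621+ A? google.com. (28)
23:04:01.100000 IP 10.37.130.7.40001 > myhostname.local.domain: 4711+ A? example.com. (29)
23:04:01.101000 IP myhostname.local.domain > 10.37.130.7.40001: 4711 1/0/0 A 192.0.2.10 (45)
"""

# tcpdump prints endpoints as "host.port" (port 53 appears as "domain" unless
# -n is given). A query line carries "<id>[+] <qtype>? <qname>." and a response
# line "<id>[*] [<rcode>] <answers>/<authority>/<additional> ...".
_QUERY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+) \(\d+\)$"
)
_RESPONSE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)\*?(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) .*\(\d+\)$"
)


@dataclass
class QueryState:
    client: str        # "ip.port" exactly as tcpdump printed it
    server: str
    qtype: str
    qname: str
    first_seen: str
    attempts: int = 0
    answered: bool = False


def split_hostport(endpoint: str):
    """'192.168.xx.4.53894' -> ('192.168.xx.4', '53894'); the last component is the port."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def analyze(capture: str) -> dict:
    """Return {'answered': [QueryState...], 'unanswered': [QueryState...]}."""
    states = {}
    for raw in capture.splitlines():
        line = raw.strip()
        m = _QUERY.match(line)
        if m:
            key = (m["src"], m["dst"], m["id"])
            state = states.setdefault(
                key, QueryState(m["src"], m["dst"], m["qtype"], m["qname"], m["ts"])
            )
            state.attempts += 1   # same key seen again means the client retransmitted
            continue
        m = _RESPONSE.match(line)
        if m:
            # A response travels server -> client, so swap the endpoints to
            # rebuild the key under which the query was stored.
            key = (m["dst"], m["src"], m["id"])
            if key in states:
                states[key].answered = True
    return {
        "answered": [s for s in states.values() if s.answered],
        "unanswered": [s for s in states.values() if not s.answered],
    }


def report(capture: str) -> list:
    """One human-readable line per distinct query, unanswered ones first."""
    result = analyze(capture)
    lines = []
    for s in result["unanswered"]:
        ip, port = split_hostport(s.client)
        lines.append(
            f"NO RESPONSE: {s.qtype} {s.qname} from {ip} port {port} to {s.server}, "
            f"{s.attempts} attempt(s) since {s.first_seen}"
        )
    for s in result["answered"]:
        ip, _ = split_hostport(s.client)
        lines.append(f"answered:    {s.qtype} {s.qname} from {ip} ({s.attempts} attempt(s))")
    return lines


if __name__ == "__main__":
    # Pipe real output in ("tcpdump -l -i br0 udp port 53 | python3 dns_pairs.py")
    # or run with no input to process the constructed sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    print("\n".join(report(data)))
```

Capture on the interface dnsmasq is actually bound to (`tcpdump -l -i br0 udp port 53`, then the same for virbr0) rather than letting tcpdump pick its default, which in the post was venet0; the parser accepts both resolved names and `-n` numeric output. Two caveats matter when reading the result: tcpdump sees an incoming packet before the INPUT chain, so a query that appears in the capture can still be dropped by iptables before dnsmasq gets it, and it sees an outgoing packet only after the OUTPUT chain, so a missing response line means either dnsmasq never answered (check `ss -ulpn` for a socket on the bridge address) or the host's OUTPUT rules dropped it (check the packet counters in `iptables -vnL`).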