LXC Container on Proxmox Can’t Resolve DNS — Outbound UDP Works, But No Replies
0 votes, 0 answers, 68 views
I'm trying to configure a reverse proxy on an LXC container in Proxmox; however, the container is not able to resolve DNS. The Proxmox node has no issue with DNS, and both the node and the container are able to ping outbound. The container specifically is able to make outbound DNS requests but receives no response.
As a note, I have some restrictions, being in an apartment on my apartment's internet. Unfortunately I do not have access to my primary router configuration, and my homelab is behind a secondary bridged router, so I've had to make some workarounds regarding this.
Since I don't have access to the main apartment router and can't forward ports or run custom DNS there, I needed a local solution to resolve DNS inside my container. Initially, I tried just pointing the container to public nameservers (like 1.1.1.1 and 8.8.8.8), but DNS responses never made it back — likely because of how my network handles outbound NAT from bridged containers.
To work around this, I enabled SNAT on the Proxmox node to ensure that all outgoing traffic from the container gets rewritten with the node’s IP. This should’ve made return traffic more reliable.
I also set up dnsmasq on the Proxmox node as a local DNS forwarder. The idea was that the container would send DNS requests to the node (10.124.16.3), which would forward them to public resolvers and relay the responses back. This avoids having to deal with external DNS servers rejecting packets from unexpected source IPs.
I've made sure dnsmasq is working by running
ss -lunp | grep 53
and got the following:
udp UNCONN 0 0 10.124.16.3:53 0.0.0.0:* users:(("dnsmasq",pid=xxx,fd=x))
Despite this, the container still fails to resolve DNS — even when dnsmasq is working correctly and requests are visible in tcpdump.
10.124.16.3 is the Proxmox node and 10.124.16.4 is the container.
Here's the node network configuration file (/etc/network/interfaces):
auto lo
iface lo inet loopback
iface enp5s0 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.124.16.3/22
gateway 10.124.16.1
bridge-ports enp5s0
bridge-stp off
bridge-fd 0
post-up iptables -t nat -A POSTROUTING -s 10.124.16.0/22 -o vmbr0 -j SNAT --to-source 10.124.16.3
post-down iptables -t nat -D POSTROUTING -s 10.124.16.0/22 -o vmbr0 -j SNAT --to-source 10.124.16.3
Here's the container config (/etc/pve/lxc/.conf):
arch: amd64
cores: 1
memory: 256
swap: 256
hostname: cf-tunnel
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.124.16.1,ip=10.124.16.4/22,type=veth
unprivileged: 1
features: nesting=1
and the container's /etc/resolv.conf contains:
nameserver 1.1.1.1
nameserver 8.8.8.8
When I run
tcpdump -ni vmbr0 port 53
on the node and dig on the container with
dig google.com
(I've also tried digging against specific DNS servers with @1.1.1.1),
here's the output I get from tcpdump:
root@geeksquad:~# tcpdump -ni vmbr0 host 10.124.16.4 and port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
23:13:56.887877 IP 10.124.16.4.38419 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:00.280550 IP 10.124.16.4.52162 > 10.124.16.3.53: 19721+ [1au] TXT? protocol-v2.argotunnel.com. (55)
23:14:01.892819 IP 10.124.16.4.39216 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:05.307826 IP 10.124.16.4.44721 > 10.124.16.3.53: 13780+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
23:14:06.898125 IP 10.124.16.4.59178 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:10.308108 IP 10.124.16.4.48477 > 10.124.16.3.53: 45090+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
23:14:25.321538 IP 10.124.16.4.56031 > 10.124.16.3.53: 17689+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
Also, checking journalctl -u dnsmasq, I get this:
Jul 07 23:56:31 geeksquad systemd: Started dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server.
Jul 07 23:57:22 geeksquad systemd: Stopping dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server...
Jul 07 23:57:22 geeksquad dnsmasq: exiting on receipt of SIGTERM
Jul 07 23:57:22 geeksquad systemd: dnsmasq.service: Deactivated successfully.
Jul 07 23:57:22 geeksquad systemd: Stopped dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server.
Jul 07 23:57:22 geeksquad systemd: Starting dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server...
Jul 07 23:57:22 geeksquad dnsmasq: started, version 2.90 cachesize 150
Jul 07 23:57:22 geeksquad dnsmasq: DNS service limited to local subnets
Jul 07 23:57:22 geeksquad dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cr>
Jul 07 23:57:22 geeksquad dnsmasq: reading /etc/resolv.conf
Jul 07 23:57:22 geeksquad dnsmasq: using nameserver 1.1.1.1#53
Jul 07 23:57:22 geeksquad dnsmasq: using nameserver 8.8.8.8#53
Jul 07 23:57:22 geeksquad dnsmasq: read /etc/hosts - 11 names
Jul 07 23:57:22 geeksquad systemd: Started dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server.
Jul 07 23:57:33 geeksquad dnsmasq: reading /etc/resolv.conf
Jul 07 23:57:33 geeksquad dnsmasq: ignoring nameserver 10.124.16.3 - local interface
Jul 07 23:59:23 geeksquad dnsmasq: reading /etc/resolv.conf
Jul 07 23:59:23 geeksquad dnsmasq: using nameserver 1.1.1.1#53
Jul 07 23:59:23 geeksquad dnsmasq: using nameserver 8.8.8.8#53
Any help at all would be appreciated. As far as firewall rules go, I do not believe that's the issue. I set my firewall rules within the Proxmox GUI, but I have tried all variations of temporarily allowing all traffic in and out and have also disabled the firewalls entirely as a test, neither changing the outcome.
Asked by tkennedy741
(1 rep)
Jul 8, 2025, 06:04 PM
Last activity: Jul 9, 2025, 05:43 AM
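The capture above is the key evidence in this question: every line is a query from the container, and there is not a single reply. The following is an added example, not code from the original post or from Proxmox/dnsmasq, that parses the line format `tcpdump -n` prints for port 53 traffic (exactly the format shown in the question), pairs each query with its reply by client address, client port, resolver and transaction ID, and reports per resolver how many queries went out and how many replies came back. The sample input is constructed: it is the seven query lines from the question plus one made-up reply line from the node's dnsmasq, so that the pairing logic has one match to show.

```python
"""Pair DNS queries with replies in a `tcpdump -n port 53` capture.

Added example, not from the original post. Parses the one-line-per-packet
format that `tcpdump -ni vmbr0 port 53` prints and reports, per resolver,
how many queries were sent and how many replies were seen, plus the
individual queries that never received an answer.
"""
import re
from collections import defaultdict

# Fixed prefix of every tcpdump DNS line, e.g.
# "23:13:56.887877 IP 10.124.16.4.38419 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)"
)
# Question section of a query line: "A? google.com."
QUESTION_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["txid"] = int(rec["txid"])
    # Direction: a packet *to* port 53 is a query, one *from* port 53 is a reply.
    if rec["dport"] == 53:
        rec["kind"] = "query"
    elif rec["sport"] == 53:
        rec["kind"] = "reply"
    else:
        rec["kind"] = "other"
    q = QUESTION_RE.search(line)
    rec["question"] = f"{q['qtype']} {q['qname']}" if q else None
    return rec


def key_for(rec):
    """Flow key shared by a query and its reply: (client, client port, resolver, txid)."""
    if rec["kind"] == "query":
        return (rec["src"], rec["sport"], rec["dst"], rec["txid"])
    return (rec["dst"], rec["dport"], rec["src"], rec["txid"])


def pair_queries(lines):
    """Return (answered, unanswered): two lists of query records."""
    pending = {}
    answered = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        k = key_for(rec)
        if rec["kind"] == "query":
            pending[k] = rec
        elif k in pending:
            answered.append(pending.pop(k))
    return answered, list(pending.values())


def per_resolver(lines):
    """Count queries sent to, and replies received from, each resolver IP."""
    stats = defaultdict(lambda: {"queries": 0, "replies": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            stats[rec["dst"]]["queries"] += 1
        elif rec["kind"] == "reply":
            stats[rec["src"]]["replies"] += 1
    return dict(stats)


def silent_resolvers(lines):
    """Resolvers that received queries but never produced a single reply."""
    return sorted(r for r, s in per_resolver(lines).items()
                  if s["queries"] and not s["replies"])


# Constructed sample: the query lines from the question plus ONE made-up reply
# line from the node's dnsmasq (10.124.16.3) so the pairing logic has a match.
SAMPLE = """\
23:13:56.887877 IP 10.124.16.4.38419 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:00.280550 IP 10.124.16.4.52162 > 10.124.16.3.53: 19721+ [1au] TXT? protocol-v2.argotunnel.com. (55)
23:14:00.301200 IP 10.124.16.3.53 > 10.124.16.4.52162: 19721 1/0/1 TXT "constructed-reply" (90)
23:14:01.892819 IP 10.124.16.4.39216 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:05.307826 IP 10.124.16.4.44721 > 10.124.16.3.53: 13780+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
23:14:06.898125 IP 10.124.16.4.59178 > 1.1.1.1.53: 19663+ [1au] A? google.com. (51)
23:14:10.308108 IP 10.124.16.4.48477 > 10.124.16.3.53: 45090+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
23:14:25.321538 IP 10.124.16.4.56031 > 10.124.16.3.53: 17689+ [1au] SRV? _v2-origintunneld._tcp.argotunnel.com. (66)
""".splitlines()

if __name__ == "__main__":
    answered, unanswered = pair_queries(SAMPLE)
    print(f"answered={len(answered)} unanswered={len(unanswered)}")
    for resolver, s in per_resolver(SAMPLE).items():
        print(f"{resolver:>12}: {s['queries']} queries, {s['replies']} replies")
    print("silent resolvers:", silent_resolvers(SAMPLE))
```

In practice you feed it the live capture (`tcpdump -lni vmbr0 port 53 | python3 this_script.py` with a small stdin loop, or a saved text file). On the question's own capture, with the constructed reply removed, both 1.1.1.1 and 10.124.16.3 come out as silent, and those are two different faults: no reply from 1.1.1.1 means the return path through NAT is losing packets, while no reply from the node's own dnsmasq means the node is not answering the container at all, which points at dnsmasq's listening and local-subnet settings rather than at anything upstream. Note also that dig retries keep the same transaction ID (19663 appears three times) but use a fresh source port each time, which is why the pairing key includes the client port.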