Publishing container ports is insecure by default: when you publish a container's ports, they become available not only to the Docker host, but to the outside world as well.
If you include the localhost IP address (127.0.0.1) with the publish flag, only the Docker host can access the published container port.
docker run -p 127.0.0.1:8080:80 nginx
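To audit a host for bindings that are not restricted to localhost, the following added example (not part of the original page) filters the output of docker ps. It assumes the Ports column uses the forms shown in the constructed sample; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list published ports that are reachable from outside the
# Docker host. Input is "NAME<TAB>PORTS" lines, as produced by:
#   docker ps --format '{{.Names}}\t{{.Ports}}'

find_exposed_bindings() {
    awk -F '\t' '
    {
        n = split($2, bindings, /, */)
        for (i = 1; i <= n; i++) {
            b = bindings[i]
            # Entries without "->" are exposed-only ports, not published.
            arrow = index(b, "->")
            if (arrow == 0) continue
            host = substr(b, 1, arrow - 1)   # e.g. 0.0.0.0:8080
            sub(/:[0-9-]+$/, "", host)       # drop the host port or range
            gsub(/^\[|\]$/, "", host)        # strip IPv6 brackets
            # Loopback binds stay on the Docker host: 127.0.0.0/8 and ::1.
            if (host ~ /^127\./ || host == "::1") continue
            printf "%s\t%s\n", $1, b
        }
    }'
}

# Constructed sample input (not captured from a real host).
sample_ps_output() {
    printf 'web\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp\n'
    printf 'admin\t127.0.0.1:8081->80/tcp\n'
    printf 'cache\t6379/tcp\n'
    printf 'legacy\t:::9000->9000/tcp\n'
    printf 'local6\t[::1]:8443->443/tcp\n'
}

# Prints the web and legacy bindings; admin, cache and local6 are skipped.
sample_ps_output | find_exposed_bindings
```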
By default, containers inherit the DNS settings of the host, as defined in the /etc/resolv.conf configuration file. Containers that attach to the default bridge network receive a copy of this file. Containers that attach to a custom network use Docker's embedded DNS server.