How do I prevent docker:dial_tcp_connection_refused in CI?

Standardize DNS and proxy settings on runners and developer machines. Add separate DNS and registry-port health checks in CI so resolver failures do not look like registry outages.

How can I manually validate docker:dial_tcp_connection_refused?

If the error contains `lookup` or `:53`, inspect the resolver first: `cat /etc/resolv.conf`, then `nslookup `. If DNS succeeds, test the registry port directly: `nc -vz 443` and `curl -vkI https:// /v2/`. Compare the failing environment to a working one so you can tell whether the refusal is local resolver config or remote service reachability.

dial tcp: connection refused

Where the Request Failed

Docker got a connection refused while trying to reach either the registry endpoint or the DNS resolver used to look it up.

Docker is telling you the request failed before it got a clean response back. Treat the connection path and the failing environment as the first suspects, not the package or image name.

Restore connectivity to the registry or daemon endpoint

If the message includes lookup or :53, fix DNS first by correcting resolver settings or restoring the local DNS service.

If DNS is fine, test the registry port directly and fix the listener, firewall, or proxy path that is rejecting the TCP connection.

Retry with docker --debug pull <image> only after the underlying refusal is resolved.

Separate DNS refusal from registry refusal

If the error contains lookup or :53, inspect the resolver first: cat /etc/resolv.conf, then nslookup <registry>.

If DNS succeeds, test the registry port directly:nc -vz <registry> 443 and curl -vkI https://<registry>/v2/

Compare the failing environment to a working one so you can tell whether the refusal is local resolver config or remote service reachability.

Why It Happens

Usually this comes down to the configured DNS resolver is down or refusing queries, often on 127.0.0.1, ::1, or a local network resolver, the registry or auth service is reachable by IP, but nothing is listening on the target port or a firewall rejects the TCP connect, or a proxy, VPN, or local security tool is refusing either DNS or HTTPS traffic before Docker can continue.

Prove the Failing Environment Can Reach It

nslookup <registry> succeeds and nc -vz <registry> 443 connects from the same machine or runner, and re-run the original Docker command and confirm the connection refused error is gone.

How resolver and registry ports fail differently

This is the part worth understanding if the quick fix did not hold. It explains what Docker is trying to do at the moment the error appears.

Docker first resolves the registry hostname, then opens a TCP connection to the registry or auth service.

A connection refused can come from the local DNS resolver during lookup, or from the remote host on the target port, so those cases must be checked separately.

Examples

ERROR: Get https://registry-1.docker.io/v2/: dial tcp: lookup registry-1.docker.io ... connection refused
dial tcp: lookup auth.docker.io on [::1]:53: read udp ...: connection refused

Prevent Repeat Connectivity Failures

To prevent this, standardize DNS and proxy settings on runners and developer machines, and add separate DNS and registry-port health checks in CI so resolver failures do not look like registry outages.