Apparently, my laptop was using 75.75.75.75 from Comcast as one of its
DNS servers, and unfortunately that server was totally broken (dig
@75.75.75.75 never returned results). I had to edit
/etc/systemd/resolved.conf to override DNS=8.8.8.8, then things worked
again. How DNS resolution worked at all outside of Docker was unclear
to me, but overriding 75.75.75.75 makes it work inside as well (when
not operating in --network=host mode).
Radon Rosborough