diff --git a/CHANGELOG.md b/CHANGELOG.md index b1754378..7ce8bc73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,11 +19,13 @@ and this project adheres to ### Fixed +- Local PTR request recursion in Docker containers ([#3064]). - Ignoring client-specific filtering settings when filtering is disabled in general settings ([#2875]). - Disallowed domains are now case-insensitive ([#3115]). [#2875]: https://github.com/AdguardTeam/AdGuardHome/issues/2875 +[#3064]: https://github.com/AdguardTeam/AdGuardHome/issues/3064 [#3115]: https://github.com/AdguardTeam/AdGuardHome/issues/3115 diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml index 46eb0ba4..c2f3f92c 100644 --- a/bamboo-specs/release.yaml +++ b/bamboo-specs/release.yaml @@ -229,7 +229,9 @@ - 'adg-docker': 'true' 'triggers': -- 'cron': '0 30 14 ? * MON-FRI *' +# Don't use minute values that end with a zero or a five as these are often used +# in CI and so resources during these minutes can be quite busy. +- 'cron': '0 42 13 ? * MON-FRI *' 'branches': 'create': 'manually' 'delete': diff --git a/internal/aghnet/systemresolvers_others.go b/internal/aghnet/systemresolvers_others.go index c9417c9d..98a257c2 100644 --- a/internal/aghnet/systemresolvers_others.go +++ b/internal/aghnet/systemresolvers_others.go @@ -82,6 +82,12 @@ func validateDialedHost(host string) (err error) { return nil } +// dockerEmbeddedDNS is the address of Docker's embedded DNS server. +// +// See +// https://github.com/moby/moby/blob/v1.12.0/docs/userguide/networking/dockernetworks.md. +const dockerEmbeddedDNS = "127.0.0.11" + // dialFunc gets the resolver's address and puts it into internal cache. func (sr *systemResolvers) dialFunc(_ context.Context, _, address string) (_ net.Conn, err error) { // Just validate the passed address is a valid IP. 
@@ -93,6 +99,17 @@ func (sr *systemResolvers) dialFunc(_ context.Context, _, address string) (_ net return nil, fmt.Errorf("%s: %w", err, errBadAddrPassed) } + // Exclude Docker's embedded DNS server, as it may cause recursion if + // the container is set as the host system's default DNS server. + // + // See https://github.com/AdguardTeam/AdGuardHome/issues/3064. + // + // TODO(a.garipov): Perhaps only do this when we are in the container? + // Maybe use an environment variable? + if host == dockerEmbeddedDNS { + return nil, errFakeDial + } + err = validateDialedHost(host) if err != nil { return nil, fmt.Errorf("validating dialed host: %w", err) diff --git a/scripts/make/Dockerfile b/scripts/make/Dockerfile index a1b2a945..da8bce06 100644 --- a/scripts/make/Dockerfile +++ b/scripts/make/Dockerfile @@ -37,13 +37,14 @@ RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome # 67, 68 : DHCP # 80 : HTTP # 443 : HTTPS, DNS-over-HTTPS, DNSCrypt -# 784 : DNS-over-QUIC # 853 : DNS-over-TLS # 3000 : HTTP alt # 3001 : HTTP beta # 5443 : DNSCrypt alt -EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 784/udp\ - 853/tcp 3000/tcp 3001/tcp 5443/tcp 5443/udp +# 6060 : HTTP pprof +# 8853 : DNS-over-QUIC +EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 853/tcp\ + 3000/tcp 3001/tcp 5443/tcp 5443/udp 6060/tcp 8853/udp WORKDIR /opt/adguardhome/work
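Review bot: The new `host == dockerEmbeddedDNS` check returns errFakeDial without recording or logging anything, so in a container whose resolv.conf lists only 127.0.0.11 (the usual case on a user-defined Docker network) the resolver cache that dialFunc's doc comment says it populates presumably stays empty; the hunk does not show whether the callers treat an empty resolver list as an error or just end up with no upstream at all. A debug-level log line before `return nil, errFakeDial` would make that situation diagnosable, and the comment above the check should spell out the consequence, e.g. `// A container whose only nameserver is 127.0.0.11 ends up with no system resolvers.` The comparison is a plain string match, so it relies on `host` being exactly the dotted-quad form rather than a bracketed or zoned variant; that is likely what the address splitting above the hunk produces, but worth confirming. The body of dialFunc continues outside the hunk on both sides.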
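Review bot: Adding `6060/tcp` (pprof) to EXPOSE advertises a debugging endpoint on the production image; EXPOSE is only metadata, but anything that publishes all exposed ports (for example `docker run -P`) will then map pprof to the host. Whether the binary listens on 6060 by default is not visible in this diff; if it only does so when profiling is enabled, the port comment should say so, e.g. `# 6060   : HTTP pprof (only when profiling is enabled)`, so operators do not publish it routinely. The move of DNS-over-QUIC from 784/udp to 8853/udp changes which port existing `-p` mappings need; the changelog hunk in this commit does not mention it, so a short note there would save operators from a silently broken DoQ listener.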