Gitlab Runner Docker-in-Docker not working as expected

Having spent way too many hours trying to get dind to work, I now have to resort to asking here.

First I'd like to mention that my goal would be to run docker in docker using the dind service as mentioned in the docs, but all I seem to be able to get success with is mounting the docker unix socket, which results in spawning job containers as siblings to the runner, which I don't want.

I've tried numerous combinations of settings of DOCKER_HOST, DOCKER_TLS_CERTDIR as detailed in my forum post, but nothing seems to work.

So today I started over from scratch, and I followed the docker setup for registering a runner:

# NOTE: the --docker-host line below is the one I ADDED (moved out of the
# command so the backslash continuations still work)
docker run --rm --name gl-registrator -v "$(pwd)/config:/etc/gitlab-runner" gitlab/gitlab-runner register -n \
  --url https://gitlab.com/ \
  --registration-token rqYezvSC4rmtLXX1PzMG \
  --docker-host "tcp://docker:2375" \
  --executor docker \
  --description "My Docker Runner" \
  --docker-image "docker:19.03.1" \
  --docker-privileged \
  --docker-volumes "/certs/client"

And starting the runner itself:

# NOTE: the docker.sock -v line below is the one I REMOVED in my attempts
docker run -d --name gitlab-runner --restart always \
  -v "$(pwd)/config:/etc/gitlab-runner" \
  -v /var/run/docker.sock:/var/run/docker.sock \
  gitlab/gitlab-runner:latest

Note that in the above snippets, the runner startup examples show that the container should mount the unix socket. Is this correct for the dind case as well, or should it be removed as I have in my attempts to get dind working?

After removing the unix socket from the runner container, I got an error I've seen in several other threads:

ERROR: Job failed (system failure): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? (executor_docker.go:985:0s)

So now I add the `--docker-host "tcp://docker:2375"` flag to the registrator container, according to numerous other threads on dind issues, but this only results in the error changing into this:

ERROR: Preparation failed: error during connect: Get http://docker:2375/v1.25/info: dial tcp: lookup docker on 8.8.8.8:53: no such host (executor_docker.go:985:0s)

All of the above is run by this job definition in my .gitlab-ci.yml:

build docker:
  image: docker:19.03.1
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_HOST: tcp://docker:2375 # <<--- ADDED
  services:
    - docker:19.03.1-dind
  stage: build
  script:
    - docker build <...>

In short, the docs are unclear on how to set dind up properly (i.e. does the runner need the unix socket?) and how it should behave (should the job containers spawn alongside the runner or inside it? How can I know, when there is no full example of running dind without mounting the unix socket into the runner?).

If anyone has a full example of setting up dind properly, it would be greatly appreciated!
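An added worked example of the whole setup for a containerised runner, not taken from the post above or from GitLab's own docs. It is built on two facts about the docker executor: the runner process itself needs a Docker daemon to create the job and service containers (for a runner in a container that is the host's socket mount, so the mount stays), and the hostname `docker` is the dind service's alias that only resolves inside a job's network, so a `--docker-host tcp://docker:2375` on the runner can never resolve (that is the `lookup docker ... no such host` error). The job container is what talks to dind, via `DOCKER_HOST`; with `DOCKER_TLS_CERTDIR` set, dind serves TLS on 2376 rather than plaintext 2375, and the client certs are shared through the `/certs/client` volume. Assumed values: a `REGISTRATION_TOKEN` placeholder, the `docker:19.03.1` images, `./config` as the runner config directory and `example-image:ci` as a placeholder build target.

```shell
#!/bin/sh
# Added example (not from the original post or the GitLab project):
# the three pieces of a dind setup with the runner itself in a container.
#   1. the runner container KEEPS the host socket mount; the runner needs a
#      daemon to create job/service containers, and "docker" (the dind
#      service alias) only resolves inside a job's network, never from the runner.
#   2. register passes NO --docker-host; the job reaches dind through
#      DOCKER_HOST on the TLS port 2376 (2375 is plaintext and is not served
#      when DOCKER_TLS_CERTDIR is set), with certs shared via /certs/client.
# Assumed: REGISTRATION_TOKEN placeholder, docker:19.03.1 images, ./config dir.
set -eu

IMAGE_TAG="${IMAGE_TAG:-19.03.1}"
CONFIG_DIR="${CONFIG_DIR:-$(pwd)/config}"

# Renders the .gitlab-ci.yml job. A function so it can be inspected without docker.
render_ci_job() {
  cat <<EOF
build docker:
  image: docker:${IMAGE_TAG}
  variables:
    # TLS between the job container and the dind service; 2376 is the TLS port.
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    # explicit; the docker client image's entrypoint may also derive these
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "/certs/client"
  services:
    - docker:${IMAGE_TAG}-dind
  stage: build
  before_script:
    - docker info   # fails fast if the job cannot reach the dind daemon
  script:
    - docker build -t example-image:ci .   # placeholder build target
EOF
}

# Registers the runner. No --docker-host: the runner keeps using the host
# socket that is mounted into its own container.
register_runner() {
  docker run --rm --name gl-registrator \
    -v "${CONFIG_DIR}:/etc/gitlab-runner" \
    gitlab/gitlab-runner register -n \
      --url https://gitlab.com/ \
      --registration-token "${REGISTRATION_TOKEN:?set REGISTRATION_TOKEN (placeholder)}" \
      --executor docker \
      --description "dind runner" \
      --docker-image "docker:${IMAGE_TAG}" \
      --docker-privileged \
      --docker-volumes "/certs/client"
}

# Starts the runner WITH the host socket mounted (the line the post removed).
start_runner() {
  docker run -d --name gitlab-runner --restart always \
    -v "${CONFIG_DIR}:/etc/gitlab-runner" \
    -v /var/run/docker.sock:/var/run/docker.sock \
    gitlab/gitlab-runner:latest
}

# Returns 0 when a job definition mixes a TLS cert dir with the plaintext
# port 2375, which is the mismatch in the post's job variables.
job_has_tls_port_mismatch() {
  printf '%s\n' "$1" | grep -q 'DOCKER_TLS_CERTDIR' &&
  printf '%s\n' "$1" | grep -q 'tcp://docker:2375'
}

case "${1:-render}" in
  render)   render_ci_job ;;
  register) register_runner ;;
  start)    start_runner ;;
  *) echo "usage: $0 [render|register|start]" >&2; exit 2 ;;
esac
```

Run `sh setup.sh render > .gitlab-ci.yml`, then `register` and `start` on the runner host. With this layout the job containers are still siblings of the runner on the host daemon (that is how the docker executor works); what moves inside dind is only the `docker build` run by the job, which talks to the privileged `docker:19.03.1-dind` service over TLS rather than to the host daemon.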