Maybe I misread your message…
You can resolve redis-mq[.stackname.rancher.internal]
on any host and it will resolve to the 10.42.x.y IP(s) assigned to the container(s) of that services. Connecting to those IPs will go over the IPSec overlay network and get you to that container regardless of what host the client and service are on.
The actual host port 6379 is only published on hosts that are running the actual containers. So you cannot go to $any_public_host_ip_in_the_environment:6379. That would mean only one service could use that port in the entire environment.