Bug: v3.40.0 dns regression DOT_PRIVATE_ADDRESS seems ignored. #2638

Open
ToxicMushroom opened this issue Jan 2, 2025 · 1 comment

ToxicMushroom commented Jan 2, 2025

Is this urgent?

No

Host OS

Debian 12

CPU arch

aarch64

VPN service provider

NordVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

v3.40.0

What's the problem 🤔

v3.40.0 swapped DNS backends, to my understanding. I was having trouble resolving my DNS records that pointed to local IPs. Even after I finally discovered that gluetun was trying to protect me against DNS rebinding via DOT_PRIVATE_ADDRESS and I emptied the env variable, the issue persisted.

For example, the DNS record:
192.168.0.33 sea.melijn.me

On v3.40.0 it does not respond with any entries:

root@zungenbrecher:~# docker exec -it gluetun /bin/sh
/ # getent hosts sea.melijn.me
/ #

I then downgraded to v3.39.1 without changing my settings and it started resolving fine:

root@zungenbrecher:/opt/vpn_exit_node# docker exec -it gluetun /bin/sh
/ # getent hosts sea.melijn.me
192.168.0.33      sea.melijn.me  sea.melijn.me

Share your logs (at least 10 lines)

gluetun    | Running version v3.39.1 built on 2024-09-29T18:16:23.495Z (commit 67ae5f5)

gluetun    | 2025-01-02T16:48:35Z INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.2 and family v4
gluetun    | 2025-01-02T16:48:35Z INFO [routing] local ethernet link found: eth0
gluetun    | 2025-01-02T16:48:35Z INFO [routing] local ipnet found: 192.168.0.0/20
gluetun    | 2025-01-02T16:48:35Z INFO [firewall] enabling...
gluetun    | 2025-01-02T16:48:35Z INFO [firewall] enabled successfully
gluetun    | 2025-01-02T16:48:36Z INFO [storage] creating /gluetun/servers.json with 20478 hardcoded servers
gluetun    | 2025-01-02T16:48:36Z INFO Alpine version: 3.20.3
gluetun    | 2025-01-02T16:48:36Z INFO OpenVPN 2.5 version: 2.5.10
gluetun    | 2025-01-02T16:48:36Z INFO OpenVPN 2.6 version: 2.6.11
gluetun    | 2025-01-02T16:48:36Z INFO Unbound version: 1.20.0
gluetun    | 2025-01-02T16:48:36Z INFO IPtables version: v1.8.10
gluetun    | 2025-01-02T16:48:36Z INFO Settings summary:
gluetun    | ├── VPN settings:
gluetun    | |   ├── VPN provider settings:
gluetun    | |   |   ├── Name: nordvpn
gluetun    | |   |   └── Server selection settings:
gluetun    | |   |       ├── VPN type: wireguard
gluetun    | |   |       ├── Countries: Netherlands
gluetun    | |   |       └── Wireguard selection settings:
gluetun    | |   └── Wireguard settings:
gluetun    | |       ├── Private key: 
gluetun    | |       ├── Interface addresses:
gluetun    | |       |   └── 10.5.0.2/32
gluetun    | |       ├── Allowed IPs:
gluetun    | |       |   ├── 0.0.0.0/0
gluetun    | |       |   └── ::/0
gluetun    | |       └── Network interface: tun0
gluetun    | |           └── MTU: 1400
gluetun    | ├── DNS settings:
gluetun    | |   ├── Keep existing nameserver(s): no
gluetun    | |   ├── DNS server address to use: 127.0.0.1
gluetun    | |   └── DNS over TLS settings:
gluetun    | |       ├── Enabled: yes
gluetun    | |       ├── Update period: disabled
gluetun    | |       ├── Unbound settings:
gluetun    | |       |   ├── Authoritative servers:
gluetun    | |       |   |   └── cloudflare
gluetun    | |       |   ├── Caching: yes
gluetun    | |       |   ├── IPv6: no
gluetun    | |       |   ├── Verbosity level: 1
gluetun    | |       |   ├── Verbosity details level: 0
gluetun    | |       |   ├── Validation log level: 0
gluetun    | |       |   ├── System user: root
gluetun    | |       |   └── Allowed networks:
gluetun    | |       |       ├── 0.0.0.0/0
gluetun    | |       |       └── ::/0
gluetun    | |       └── DNS filtering settings:
gluetun    | |           ├── Block malicious: no
gluetun    | |           ├── Block ads: no
gluetun    | |           ├── Block surveillance: no
gluetun    | |           └── Blocked IP networks:
gluetun    | |               └── 100.200.69.69/32
gluetun    | ├── Firewall settings:
gluetun    | |   └── Enabled: yes
gluetun    | ├── Log settings:
gluetun    | |   └── Log level: info
gluetun    | ├── Health settings:
gluetun    | |   ├── Server listening address: 127.0.0.1:9999
gluetun    | |   ├── Target address: cloudflare.com:443
gluetun    | |   ├── Duration to wait after success: 5s
gluetun    | |   ├── Read header timeout: 100ms
gluetun    | |   ├── Read timeout: 500ms
gluetun    | |   └── VPN wait durations:
gluetun    | |       ├── Initial duration: 6s
gluetun    | |       └── Additional duration: 5s
gluetun    | ├── Shadowsocks server settings:
gluetun    | |   └── Enabled: no
gluetun    | ├── HTTP proxy settings:
gluetun    | |   └── Enabled: no
gluetun    | ├── Control server settings:
gluetun    | |   ├── Listening address: :8000
gluetun    | |   ├── Logging: yes
gluetun    | |   └── Authentication file path: /gluetun/auth/config.toml
gluetun    | ├── OS Alpine settings:
gluetun    | |   ├── Process UID: 1000
gluetun    | |   └── Process GID: 1000
gluetun    | ├── Public IP settings:
gluetun    | |   ├── Fetching: every 12h0m0s
gluetun    | |   ├── IP file path: /tmp/gluetun/ip
gluetun    | |   └── Public IP data API: ipinfo
gluetun    | ├── Server data updater settings:
gluetun    | |   ├── Update period: 24h0m0s
gluetun    | |   ├── DNS address: 1.1.1.1:53
gluetun    | |   ├── Minimum ratio: 0.8
gluetun    | |   └── Providers to update: nordvpn
gluetun    | └── Version settings:
gluetun    |     └── Enabled: yes
gluetun    | 2025-01-02T16:48:36Z INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.2 and family v4
gluetun    | 2025-01-02T16:48:36Z INFO [routing] adding route for 0.0.0.0/0
gluetun    | 2025-01-02T16:48:36Z INFO [firewall] setting allowed subnets...
gluetun    | 2025-01-02T16:48:36Z INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.2 and family v4
gluetun    | 2025-01-02T16:48:36Z INFO [http server] http server listening on [::]:8000
gluetun    | 2025-01-02T16:48:36Z INFO [healthcheck] listening on 127.0.0.1:9999
gluetun    | 2025-01-02T16:48:36Z INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun    | 2025-01-02T16:48:36Z INFO [firewall] allowing VPN connection...
gluetun    | 2025-01-02T16:48:36Z INFO [wireguard] Using available kernelspace implementation
gluetun    | 2025-01-02T16:48:36Z INFO [wireguard] Connecting to 213.232.87.182:51820
gluetun    | 2025-01-02T16:48:36Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun    | 2025-01-02T16:48:36Z INFO [healthcheck] healthy!
gluetun    | 2025-01-02T16:48:36Z INFO [dns] downloading DNS over TLS cryptographic files
gluetun    | 2025-01-02T16:48:37Z INFO [dns] downloading hostnames and IP block lists
gluetun    | 2025-01-02T16:48:37Z INFO [dns] init module 0: validator
gluetun    | 2025-01-02T16:48:37Z INFO [dns] init module 1: iterator
gluetun    | 2025-01-02T16:48:37Z INFO [dns] start of service (unbound 1.20.0).
gluetun    | 2025-01-02T16:48:38Z INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
gluetun    | 2025-01-02T16:48:38Z INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
gluetun    | 2025-01-02T16:48:38Z INFO [dns] ready
gluetun    | 2025-01-02T16:48:38Z INFO [ip getter] Public IP address is 193.142.201.51 (Netherlands, North Holland, Amsterdam)
gluetun    | 2025-01-02T16:48:38Z INFO [vpn] There is a new release v3.40.0 (v3.40.0) created 7 days ago

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun:v3.40.0
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=
      - SERVER_COUNTRIES=Netherlands
      - UPDATER_PERIOD=24h
      # dns
      - BLOCK_MALICIOUS=off
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - DNS_UPDATE_PERIOD=0
      - DOT_IPV6=off
      - DOT_PRIVATE_ADDRESS=100.200.69.69/32 # this was just to check if leaving it blank did not work as an edge case.
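
Added example, not part of the issue and not gluetun's own code: a sketch of a resolver-side DNS rebinding filter, showing why the report's record 192.168.0.33 is dropped under a private-range block list and should be returned once the list is replaced by 100.200.69.69/32. The names `parseBlocked`, `isBlocked` and `defaultBlocked`, the default range list, and the choice that an undefined value means "use defaults" while an empty value means "block nothing" are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Assumed illustrative defaults (RFC 1918, loopback, link-local, IPv6 ULA).
const defaultBlocked = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,fc00::/7"

// parseBlocked reads comma-separated CIDRs or bare IPs; set=false models an undefined variable.
func parseBlocked(value string, set bool) ([]netip.Prefix, error) {
	if !set {
		value = defaultBlocked
	}
	var out []netip.Prefix
	for _, f := range strings.Split(value, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue // empty value or stray comma: nothing to add
		}
		p, err := netip.ParsePrefix(f)
		if addr, aerr := netip.ParseAddr(f); err != nil && aerr == nil {
			p, err = netip.PrefixFrom(addr, addr.BitLen()), nil // bare IP becomes /32 or /128
		}
		if err != nil {
			return nil, fmt.Errorf("invalid block-list entry %q: %w", f, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// isBlocked reports whether an answer address must be dropped from the response.
func isBlocked(a netip.Addr, blocked []netip.Prefix) bool {
	for _, p := range blocked {
		if p.Contains(a.Unmap()) { // Unmap so ::ffff:a.b.c.d cannot bypass IPv4 ranges
			return true
		}
	}
	return false
}

func main() {
	record := netip.MustParseAddr("192.168.0.33") // address from the report's record
	for _, v := range []string{defaultBlocked, "", "100.200.69.69/32"} {
		b, _ := parseBlocked(v, true)
		fmt.Printf("block list %q drops %v: %v\n", v, record, isBlocked(record, b))
	}
}
```

Comparing the effective block list printed in the startup settings summary (the "Blocked IP networks" entry) against this expected behaviour is a quick way to tell a configuration problem from a resolver regression.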

github-actions bot commented Jan 2, 2025

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
