
Bug: Server data updater does not use DOT when enabled #2425

Open
k-matti opened this issue Aug 18, 2024 · 2 comments
Labels
Category: DNS 📠 Category: updater ♻️ Concerns the code to update servers data Status: 🔴 Blocked Blocked by another issue or pull request

Comments


k-matti commented Aug 18, 2024

Is this urgent?

No

Host OS

Unraid

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker run

What is the version of Gluetun

Running version latest built on 2024-08-17T18:15:23.123Z (commit bc55c25)

What's the problem 🤔

DOT is enabled, but in the logs I can see that the server list update is using plain DNS:

Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53 
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn

Share your logs (at least 10 lines)

Running version latest built on 2024-08-17T18:15:23.123Z (commit bc55c25)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-08-18T10:25:54+02:00 INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.134 and family v4
2024-08-18T10:25:54+02:00 INFO [routing] local ethernet link found: eth0
2024-08-18T10:25:54+02:00 INFO [routing] local ipnet found: 192.168.0.0/24
2024-08-18T10:25:54+02:00 INFO [firewall] enabling...
2024-08-18T10:25:54+02:00 INFO [firewall] enabled successfully
2024-08-18T10:25:54+02:00 INFO [storage] merging by most recent 20615 hardcoded servers and 20615 servers read from /gluetun/servers.json
2024-08-18T10:25:54+02:00 INFO Alpine version: 3.20.2
2024-08-18T10:25:54+02:00 INFO OpenVPN 2.5 version: 2.5.10
2024-08-18T10:25:54+02:00 INFO OpenVPN 2.6 version: 2.6.11
2024-08-18T10:25:54+02:00 INFO Unbound version: 1.20.0
2024-08-18T10:25:54+02:00 INFO IPtables version: v1.8.10
2024-08-18T10:25:54+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: airvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Server names: Dalim, Menkent, Piautos, Xuange, Ain, Wazn
|   |       └── Wireguard selection settings:
|   |           └── Endpoint port: 47107
|   └── Wireguard settings:
|       ├── Private key: kKQ...2Y=
|       ├── Pre-shared key: nwl...NY=
|       ├── Interface addresses:
|       |   └── REDACTED
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: wg0
|           └── MTU: 1400
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: no
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   ├── VPN input ports:
|   |   └── 7239
|   └── Outbound subnets:
|       └── 10.6.69.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: github.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Warsaw
├── Public IP settings:
|   ├── Fetching: every 24h0m0s
|   ├── IP file path: /gluetun/ip
|   ├── Public IP data API: ipinfo
|   └── API token: [set]
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: airvpn
└── Version settings:
    └── Enabled: yes
2024-08-18T10:25:54+02:00 INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.134 and family v4
2024-08-18T10:25:54+02:00 INFO [routing] adding route for 0.0.0.0/0
2024-08-18T10:25:54+02:00 INFO [firewall] setting allowed subnets...
2024-08-18T10:25:54+02:00 INFO [routing] default route found: interface eth0, gateway 192.168.0.1, assigned IP 192.168.0.134 and family v4
2024-08-18T10:25:54+02:00 INFO [routing] adding route for 10.6.69.0/24
2024-08-18T10:25:54+02:00 INFO [http server] http server listening on [::]:8000
2024-08-18T10:25:54+02:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-08-18T10:25:54+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-08-18T10:25:54+02:00 INFO [firewall] allowing VPN connection...
2024-08-18T10:25:54+02:00 INFO [wireguard] Using available kernelspace implementation
2024-08-18T10:25:54+02:00 INFO [wireguard] Connecting to 128.127.104.79:47107
2024-08-18T10:25:54+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-08-18T10:25:54+02:00 INFO [firewall] setting allowed input port 7239 through interface wg0...
2024-08-18T10:25:54+02:00 INFO [dns] downloading DNS over TLS cryptographic files
2024-08-18T10:25:55+02:00 INFO [healthcheck] healthy!
2024-08-18T10:25:57+02:00 INFO [http server] 200 GET /ip wrote 17B to 192.168.0.51:50340 in 78.09µs
2024-08-18T10:25:57+02:00 INFO [dns] downloading hostnames and IP block lists
2024-08-18T10:26:03+02:00 INFO [http server] 200 GET /ip wrote 17B to 192.168.0.51:50341 in 26.059µs
2024-08-18T10:26:05+02:00 INFO [dns] init module 0: validator
2024-08-18T10:26:05+02:00 INFO [dns] init module 1: iterator
2024-08-18T10:26:05+02:00 INFO [dns] start of service (unbound 1.20.0).
2024-08-18T10:26:06+02:00 INFO [dns] generate keytag query _ta-4a5c-4f66-9728. NULL IN
2024-08-18T10:26:07+02:00 INFO [dns] ready
2024-08-18T10:26:08+02:00 INFO [healthcheck] healthy!
2024-08-18T10:26:08+02:00 INFO [ip getter] Public IP address is 128.127.104.80 (Sweden, Stockholm, Stockholm)
2024-08-18T10:26:09+02:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-08-18T10:26:21+02:00 INFO [http server] 200 GET /ip wrote 253B to 192.168.0.51:50344 in 36.1µs

Share your configuration

docker run
  -d
  --name='GluetunVPN'
  --net='br0'
  --ip='192.168.0.134'
  --privileged=true
  -e TZ="Europe/Warsaw"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="Tower"
  -e HOST_CONTAINERNAME="GluetunVPN"
  -e 'TZ'='Europe/Warsaw'
  -e 'VPN_SERVICE_PROVIDER'='airvpn'
  -e 'VPN_TYPE'='wireguard'
  -e 'VPN_INTERFACE'='wg0'
  -e 'VPN_ENDPOINT_PORT'=''
  -e 'VPN_ENDPOINT_IP'=''
  -e 'WIREGUARD_IMPLEMENTATION'='auto'
  -e 'WIREGUARD_PRIVATE_KEY'=''
  -e 'WIREGUARD_PRESHARED_KEY'=''
  -e 'WIREGUARD_PUBLIC_KEY'=''
  -e 'WIREGUARD_ADDRESSES'=''
  -e 'SERVER_REGIONS'=''
  -e 'SERVER_COUNTRIES'=''
  -e 'SERVER_CITIES'=''
  -e 'SERVER_NAMES'='Dalim,Menkent,Piautos,Xuange,Ain,Wazn'
  -e 'SERVER_HOSTNAMES'=''
  -e 'FIREWALL'='on'
  -e 'FIREWALL_VPN_INPUT_PORTS'='7239'
  -e 'FIREWALL_INPUT_PORTS'=''
  -e 'FIREWALL_OUTBOUND_SUBNETS'='10.6.69.0/24 '
  -e 'FIREWALL_DEBUG'='off'
  -e 'LOG_LEVEL'='info'
  -e 'DOT'='on'
  -e 'DOT_PROVIDERS'='cloudflare'
  -e 'DOT_PRIVATE_ADDRESS'='127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112'
  -e 'DOT_VERBOSITY'='1'
  -e 'DOT_VERBOSITY_DETAILS'='0'
  -e 'DOT_VALIDATION_LOGLEVEL'='0'
  -e 'DOT_CACHING'='off'
  -e 'DOT_IPV6'='off'
  -e 'DNS_KEEP_NAMESERVER'='off'
  -e 'PUBLICIP_API'='ipinfo'
  -e 'PUBLICIP_API_TOKEN'=''
  -e 'WIREGUARD_ENDPOINT_PORT'='47107'
  -e 'HEALTH_SERVER_ADDRESS'='127.0.0.1:9999'
  -e 'HEALTH_TARGET_ADDRESS'='github.com:443'
  -e 'HEALTH_VPN_DURATION_INITIAL'='6s'
  -e 'HEALTH_VPN_DURATION_ADDITION'='5s'
  -e 'UPDATER_PERIOD'='24h'
  -e 'PUBLICIP_FILE'='/gluetun/ip'
  -e 'PUBLICIP_PERIOD'='24h'
  -e 'VERSION_INFORMATION'='on'
  -e 'TCP_PORT_8000'='8000'
  -e 'HTTP_CONTROL_SERVER_LOG'='on'
  -e 'PUID'='1000'
  -e 'PGID'='1000'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='http://[IP]:[PORT:8000]/v1/publicip/ip'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/qdm12/gluetun/master/doc/logo_256.png'
  -v '/mnt/cache/appdata/gluetun':'/gluetun':'rw'
  --cap-add=NET_ADMIN
  --restart always 'qmcgaw/gluetun'

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:


qdm12 commented Aug 18, 2024

Ha I guess I got caught before I could implement it:

// TODO this is currently using Cloudflare in
// plaintext to not be blocked by DNS over TLS by default.
// If a plaintext address is set in the DNS settings, this one will be used.
// use custom future encrypted DNS written in Go without blocking
// as it's too much trouble to start another parallel unbound instance for now.

This is blocked by #137, which is finally about to be merged. Let's keep this open!
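The comment above explains the mismatch the reporter saw: the server data updater resolves provider hostnames through a plaintext resolver (1.1.1.1:53) so that it is not blocked by the in-container DNS over TLS setup, and the intended remedy is an encrypted resolver written in Go. The following is an added example, not Gluetun's own code nor qdm12's: it shows an in-process DNS over TLS resolver built on net.Resolver (TLS over TCP port 853, RFC 7858), plus an audit helper that reads Gluetun's "Settings summary" block and flags the exact condition in this issue (DoT enabled while the updater still points at a port-53 address). The DoT server address 1.1.1.1:853 and the certificate name cloudflare-dns.com are assumptions for illustration, and the summary excerpt is constructed from the log in the issue.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"strings"
	"time"
)

// NewDoTResolver returns a net.Resolver that sends every query over TLS to
// serverAddr (a DNS-over-TLS server on TCP port 853) instead of plaintext
// port 53. serverName is the name verified on the server certificate.
// Illustrative code for this issue, not Gluetun's implementation.
func NewDoTResolver(serverAddr, serverName string) *net.Resolver {
	dialer := &tls.Dialer{
		NetDialer: &net.Dialer{Timeout: 5 * time.Second},
		Config:    &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12},
	}
	return &net.Resolver{
		// PreferGo forces the pure-Go resolver so Dial is used for every
		// query. The TLS connection is a stream, not a PacketConn, so Go
		// applies the two-byte length framing that DoT expects.
		PreferGo: true,
		Dial: func(ctx context.Context, _ string, _ string) (net.Conn, error) {
			return dialer.DialContext(ctx, "tcp", serverAddr)
		},
	}
}

// UpdaterDNSFinding records what the audit read from the settings summary.
type UpdaterDNSFinding struct {
	DoTEnabled     bool
	UpdaterDNSAddr string
	Plaintext      bool // true when DoT is on but the updater uses a :53 address
}

// AuditSettingsSummary walks Gluetun's tree-formatted "Settings summary"
// and reports whether the server data updater is configured with a
// plaintext resolver while DNS over TLS is enabled.
func AuditSettingsSummary(summary string) UpdaterDNSFinding {
	var f UpdaterDNSFinding
	inDoT, inUpdater := false, false
	for _, raw := range strings.Split(summary, "\n") {
		line := strings.TrimLeft(raw, "|├└─ \t") // strip tree drawing prefix
		switch {
		case strings.HasPrefix(line, "DNS over TLS settings:"):
			inDoT, inUpdater = true, false
		case strings.HasPrefix(line, "Server data updater settings:"):
			inDoT, inUpdater = false, true
		case strings.HasSuffix(line, "settings:"): // any other section ends both
			inDoT, inUpdater = false, false
		case inDoT && strings.HasPrefix(line, "Enabled: "):
			f.DoTEnabled = strings.TrimSpace(strings.TrimPrefix(line, "Enabled: ")) == "yes"
		case inUpdater && strings.HasPrefix(line, "DNS address: "):
			f.UpdaterDNSAddr = strings.TrimSpace(strings.TrimPrefix(line, "DNS address: "))
		}
	}
	_, port, err := net.SplitHostPort(f.UpdaterDNSAddr)
	f.Plaintext = f.DoTEnabled && err == nil && port == "53"
	return f
}

// sampleSummary is a constructed excerpt of the "Settings summary" block
// from this issue's log, reduced to the sections the audit reads.
const sampleSummary = `├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       └── Unbound settings:
|           └── Caching: no
├── Firewall settings:
|   └── Enabled: yes
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   └── Providers to update: airvpn`

func main() {
	f := AuditSettingsSummary(sampleSummary)
	fmt.Printf("DoT enabled: %v, updater DNS: %s, plaintext while DoT on: %v\n",
		f.DoTEnabled, f.UpdaterDNSAddr, f.Plaintext)

	// Needs network access: resolve a name through the DoT resolver instead.
	r := NewDoTResolver("1.1.1.1:853", "cloudflare-dns.com") // assumed endpoint
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	addrs, err := r.LookupHost(ctx, "example.com")
	fmt.Println("DoT lookup:", addrs, err)
}
```

Running the audit against the excerpt reports the issue's condition (DoT on, updater at 1.1.1.1:53). The resolver returned by NewDoTResolver can be handed to any code that accepts a *net.Resolver, which is how an updater could resolve provider hostnames over TLS without depending on the local Unbound instance being up.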

@qdm12 qdm12 added Category: DNS 📠 Status: 🔴 Blocked Blocked by another issue or pull request Category: updater ♻️ Concerns the code to update servers data labels Aug 18, 2024