Bug: New DNS not resolving

[epd5]

Is this urgent?

Yes

Host OS

Debian 12

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-08-25T07:04:32.409Z (commit 01fa993)

What's the problem 🤔

The new DNS system doesn't seem to be resolving.
Bizarrely my P2P client could make some connections. My shadowsocks client that uses Gluetuns DNS however couldn't resolve any addresses. Reverting to v3.39 resolves issue (Unbound).
Running

Share your logs (at least 10 lines)

2024-08-26T19:54:28+01:00 INFO [dns] using plaintext DNS at address 9.9.9.9
2024-08-26T19:54:28+01:00 INFO [http server] http server listening on [::]:8000
2024-08-26T19:54:28+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-08-26T19:54:28+01:00 INFO [firewall] allowing VPN connection...
2024-08-26T19:54:28+01:00 INFO [wireguard] Using available kernelspace implementation
2024-08-26T19:54:28+01:00 INFO [wireguard] Connecting to 185.156.175.34:1637
2024-08-26T19:54:28+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-08-26T19:54:28+01:00 INFO [firewall] setting allowed input port 7262 through interface tun0...
2024-08-26T19:54:28+01:00 INFO [firewall] setting allowed input port 5055 through interface tun0...
2024-08-26T19:54:28+01:00 INFO [dns] downloading hostnames and IP block lists
2024-08-26T19:54:28+01:00 INFO [dns] DNS server listening on [::]:53
2024-08-26T19:54:28+01:00 INFO [healthcheck] healthy!
2024-08-26T19:54:30+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:48128->9.9.9.9:853: i/o timeout
2024-08-26T19:54:30+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:48142->9.9.9.9:853: i/o timeout
2024-08-26T19:54:32+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:36718->149.112.112.9:853: i/o timeout
2024-08-26T19:54:34+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:36730->149.112.112.9:853: i/o timeout
2024-08-26T19:54:36+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:48176->9.9.9.9:853: i/o timeout
2024-08-26T19:54:37+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:36782->149.112.112.9:853: i/o timeout
2024-08-26T19:54:37+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:48222->9.9.9.9:853: i/o timeout
2024-08-26T19:54:37+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:48232->9.9.9.9:853: i/o timeout
2024-08-26T19:54:38+01:00 WARN [dns] exchanging over DoT connection: read tcp 10.167.133.39:36816->149.112.112.9:853: i/o timeout

Share your configuration

gluetun:
          image: qmcgaw/gluetun:latest
          container_name: redacted
          hostname: redacted
          cap_add:
               - NET_ADMIN
          networks:
               redacted:
                    ipv4_address: redacted
               redacted:
          devices:
               - /dev/net/tun:/dev/net/tun
          volumes:
               - ./gluetun:/gluetun
          environment:
               - PUID=redacted
               - PGID=redacted
               - TZ=redacted
               - VPN_SERVICE_PROVIDER=airvpn
               - VPN_TYPE=wireguard
               - WIREGUARD_PRIVATE_KEY=redacted
               - WIREGUARD_PRESHARED_KEY=redacted
               - WIREGUARD_ADDRESSES=redacted
               - WIREGUARD_MTU=1424
               - WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=30s
               - SERVER_COUNTRIES=redacted
               - HTTP_CONTROL_SERVER_LOG=off
               - DOT=on
               - DOT_PROVIDERS=quad9
               - DOT_CACHING=off
               - DNS_UPDATE_PERIOD=24h
               - BLOCK_MALICIOUS=false
               - BLOCK_SURVEILLANCE=false
               - BLOCK_ADS=false
               - SHADOWSOCKS=off
               - FIREWALL_VPN_INPUT_PORTS=redacted
               - FIREWALL_OUTBOUND_SUBNETS=redacted
               - HEALTH_TARGET_ADDRESS=quad9.net:443 
               - HEALTH_VPN_DURATION_INITIAL=120s
               - UPDATER_PERIOD=24h
          restart: unless-stopped

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[qdm12]

If you comment out DOT_PROVIDERS does it work then? 🤔

[epd5]

Can confirm removing DOT_PROVIDERS solved the issue.
Spun up a container with a very basic config, once I added in DOT_PROVIDERS it stopped being able to resolve.
Thanks for all your hard work!

Update: So this worked, but removing DOT_PROVIDERS from my original gluetun container has no effect on the issue. Will continue troubleshooting.

Update 2: Still receiving timeout / no route DOT errors when I set up a basic gluetun + linuxserver/firefox container setup. Guess that means it's a VPN / Debian 12 error/conflict. If I have time I'll troubleshoot those variables. Enabling/disabling UFW in Debian had no effect.

[poland153]

funny, i switched my wireguard custom config from torguard to protonvpn today, and also noticed the same DoT messages. I do have port forwarding on to let it figure itself out with protonvpn NAT, lets qbittorrent connect with UPnP/NAT I assume since torrents resolve hostnames (when they didnt before) and i get a solid connected green with good upload/download activity.

2024-08-31T00:29:34-05:00 INFO [ip getter] Public IP address is <redacted> (<redacted>, <redacted>, <redacted>)
2024-08-31T00:29:37-05:00 INFO [vpn] You are running 1 commit behind the most recent latest
2024-08-31T00:29:37-05:00 INFO [port forwarding] starting
2024-08-31T00:29:37-05:00 INFO [port forwarding] gateway external IPv4 address is <redacted>
2024-08-31T00:29:38-05:00 INFO [port forwarding] port forwarded is 56160
2024-08-31T00:29:38-05:00 INFO [firewall] setting allowed input port 56160 through interface tun0...
2024-08-31T00:29:38-05:00 INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
2024-08-31T00:30:02-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:59162->1.1.1.1:853: i/o timeout
2024-08-31T00:31:20-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:43932->1.0.0.1:853: i/o timeout
2024-08-31T00:31:20-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:34522->1.1.1.1:853: i/o timeout
2024-08-31T00:31:46-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:44042->1.0.0.1:853: i/o timeout
2024-08-31T00:32:13-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:38656->1.1.1.1:853: i/o timeout
2024-08-31T01:48:21-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:53602->1.0.0.1:853: i/o timeout
2024-08-31T01:48:22-05:00 INFO [healthcheck] healthy!
2024-08-31T02:08:35-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:37972->1.1.1.1:853: i/o timeout
2024-08-31T02:08:37-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:54474->1.0.0.1:853: i/o timeout
2024-08-31T02:10:12-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:55938->1.1.1.1:853: i/o timeout
2024-08-31T02:10:12-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:55940->1.1.1.1:853: i/o timeout
2024-08-31T02:10:14-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:55252->1.1.1.1:853: i/o timeout
2024-08-31T02:10:14-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:37082->1.0.0.1:853: i/o timeout
2024-08-31T02:12:44-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:42176->1.1.1.1:853: i/o timeout
2024-08-31T02:12:44-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:42174->1.1.1.1:853: i/o timeout
2024-08-31T02:12:46-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:42192->1.1.1.1:853: i/o timeout
2024-08-31T02:15:48-05:00 WARN [dns] exchanging over DoT connection: read tcp 10.2.0.2:56342->1.1.1.1:853: i/o timeout

[qdm12]

To be fair, it's fine if it happens from time to time. Unbound would simply not log these out. If your resolution would mostly not work that would be problematic, but it seems fine. Anyway, resolvers (OS, browser etc.) usually retry on a dns error.

I was thinking about logging these errors at the debug level, but in the end I didn't notice it happening much on my end within 24h so left it to warnings. Maybe it's worth having them at the debug level 🤔

[epd5]

So I had to disable Pi-Holes DNSSEC validation, that was the error I made. After a few minutes DNS started resolving, even with the timeout / no route to host errors appearing in the Gluetun log
Another finding I had though was using Gluetuns shadowsocks feature it was getting connection refused on ::53,, I assume thats just a missing iptables entry easily fixed.

[MicahBird]

I'm likewise having this issue and would appreciate any guidance. Although my case is a bit different, as I'm running Gluetun as a sidecar container in K8s. What is especially odd is that I'm able to curl and nslookup from the connected container's shells, but any DNS query made by the container's themselves fails. Any thoughts?
Env variables:

  DOT: "on"
  DOT_PROVIDERS: "quad9"

Edit: I've been able to workaround it by rolling back to the v3.39 image.

[eiqnepm]

I'm likewise having this issue and would appreciate any guidance. Although my case is a bit different, as I'm running Gluetun as a sidecar container in K8s. What is especially odd is that I'm able to curl and nslookup from the connected container's shells, but any DNS query made by the container's themselves fails. Any thoughts? Env variables:

  DOT: "on"
  DOT_PROVIDERS: "quad9"

Edit: I've been able to workaround it by rolling back to the v3.39 image.

I am also having this issue and the rollback also works for me.
I am running the latest version of Docker on a Debian 12 host.

compose.yaml

services:
  gluetun:
    cap_add:
      - NET_ADMIN
    container_name: gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - SERVER_COUNTRIES=👀
      - VPN_SERVICE_PROVIDER=surfshark
      - VPN_TYPE=wireguard
      - WIREGUARD_ADDRESSES=👀
      - WIREGUARD_PRIVATE_KEY=👀
      - HEALTH_TARGET_ADDRESS=127.0.0.1:9999
    image: ghcr.io/qdm12/gluetun:v3.39
    labels:
      - traefik.enable=true

      - traefik.http.routers.qbittorrent.entryPoints=webSecure
      - traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.👀`)
      - traefik.http.services.qbittorrent.loadBalancer.server.port=8080
      - traefik.http.routers.qbittorrent.service=qbittorrent
    networks:
      - gluetun
    restart: unless-stopped
    volumes:
      - ./gluetun:/gluetun

[joshoohaah]

encountered this issue as well this week. Was trying various different VPNS (proton, PIA, Surfshark). Then messing with DOT turning on and off. having DOT OFF seemed to alleviate pieces.

However, reverting back to 3.39.1 version of gluetun container solved all issues.

[Mr-Hubiverse]

Is this fixed yet? been a sec and this makes the program worthless.

[eiqnepm]

Is this fixed yet? been a sec and this makes the program worthless.

I know it doesn't solve the issue, but you can set the DOT environment variable to off in the meantime until this is fixed. You can also set DNS_ADDRESS to something like 9.9.9.9.