MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License
136 stars, 23 forks

Cloudflare.com queries every 30 seconds #41

Closed. loeffelpan closed this 1 year ago

loeffelpan commented 1 year ago

Describe the bug: Unbound queries cloudflare.com every 30 seconds via Pi-hole (seen in Pi-hole's query logs). Pi-hole is configured as the system-wide DNS.

To Reproduce: steps to reproduce the behavior:

  1. Docker run command or compose file:
    version: '3'
    services:
      unbound:
        container_name: unbound
        restart: unless-stopped
        volumes:
          - ./etc-unbound:/opt/unbound/etc/unbound
          - /dev/log:/dev/log
        image: mvance/unbound:latest
        network_mode: host
  2. Customizations (config files):

    server:

        verbosity: 1
        port: 5335
        do-ip4: yes
        do-ip6: no

        hide-identity: yes
        hide-version: yes
        hide-trustanchor: yes
        prefetch: yes

        num-threads: 1

        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-domain: mydns.jdownloader.org
  3. cloudflare.com is queried every 30 seconds.
  4. After stopping the unbound container, no further queries appear.

Expected behavior: no constant queries to cloudflare.com.

Additional context: please also review #1 and #14. In #1 Cloudflare is configured as forward DNS, but the healthcheck should check 1.1.1.1 and 1.0.0.1 and not cloudflared.com. In #14 only Quad9 is configured as forward DNS, and cloudflare.com queries are still seen.

MatthewVance commented 1 year ago

This code explains why this is expected behavior: https://github.com/MatthewVance/unbound-docker-rpi/blob/9297c82d943eea9c311ab6b9695819b338e8572f/1.17.0/Dockerfile#L133

To check that the container can resolve an address, it has to look up a domain name, not IP addresses.

It's far from a perfect health check (see https://github.com/MatthewVance/unbound-docker/issues/112). By default, it is set up for the Unbound container to query localhost for cloudflare.com (not cloudflared.com). It will either resolve those or forward to another DNS server. With the default config, it forwards those:

    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

https://github.com/MatthewVance/unbound-docker-rpi/issues/14 is expected behavior. Forward settings do not change the Docker health check command that tells the container to run drill @127.0.0.1 cloudflare.com.

You can override this by using: https://docs.docker.com/engine/reference/run/#healthcheck

You can re-build the image to use settings you prefer: https://docs.docker.com/engine/reference/builder/#healthcheck

Setting via Docker compose is also an option: https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck
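As an added illustration of the compose-level override described above (this is not a file from the issue or from the project), the compose file from the bug report with a `healthcheck:` section that replaces the image's built-in check. The built-in `drill @127.0.0.1 cloudflare.com` uses drill's default port 53; with `network_mode: host` and Unbound listening on 5335, 127.0.0.1:53 is presumably the host's Pi-hole, which is the inference that would explain why the queries show up in its log. Pointing drill at 5335 with `-p` (drill's port option) makes the check exercise Unbound itself. The interval, timeout and retries values are assumptions chosen for illustration.

```yaml
version: '3'
services:
  unbound:
    container_name: unbound
    image: mvance/unbound:latest
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./etc-unbound:/opt/unbound/etc/unbound
      - /dev/log:/dev/log
    # Replaces the HEALTHCHECK baked into the image. The default runs
    # "drill @127.0.0.1 cloudflare.com" on port 53, which in host network
    # mode hits whatever listens on the host's port 53 (Pi-hole here),
    # not Unbound on 5335. Query Unbound's actual port so the probe
    # reflects the resolver's health. Domain and port are the values
    # from this thread; timings below are illustrative assumptions.
    healthcheck:
      test: ["CMD-SHELL", "drill -p 5335 @127.0.0.1 cloudflare.com || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
```

If no external query is wanted at all, the compose healthcheck section can instead be set to `disable: true`, at the cost of Docker no longer detecting a hung resolver. Whichever form is used, `docker inspect --format '{{.State.Health.Status}}' unbound` shows whether the new check is passing.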

loeffelpan commented 1 year ago

Thanks for the explanation. I will disable your healthcheck via the compose file.