cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

cloudflared daemon resolving addresses that are blocked by 1.1.1.3 #252

Open jaredmo opened 4 years ago

jaredmo commented 4 years ago

The cloudflared daemon appears to be using 1.1.1.1 even when 1.1.1.3 is specified as the upstream URL. See example below. A website that should be blocked is resolving.

Info on daemon startup: Environment variables map[config:/etc/cloudflared/config.yml no-autoupdate:true origincert:/etc/cloudflared/cert.pem proxy-dns:true proxy-dns-port:5053 proxy-dns-upstream:https://1.1.1.3/dns-query, https://1.0.0.3/dns-query]

dig results with cloudflared daemon:

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> @127.0.0.1 -p5053 pornhub.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58580
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pornhub.com.                   IN      A

;; ANSWER SECTION:
pornhub.com.            2887    IN      A       66.254.114.41

;; Query time: 12 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Tue Oct 27 09:15:46 CDT 2020
;; MSG SIZE  rcvd: 67

dig results using 1.1.1.3 directly:

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> @1.1.1.3 pornhub.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6271
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pornhub.com.                   IN      A

;; ANSWER SECTION:
pornhub.com.            60      IN      A       0.0.0.0

;; Query time: 10 msec
;; SERVER: 1.1.1.3#53(1.1.1.3)
;; WHEN: Tue Oct 27 09:16:59 CDT 2020
;; MSG SIZE  rcvd: 56

lfv89 commented 4 years ago

I'm going through the exact same thing right now.

$ cloudflared --version
cloudflared version 2020.10.2 (built 2020-10-21-1858 UTC)

GlenMerlin commented 3 years ago

Can confirm having the same issue

pi@raspberrypi:~ $ dig @127.0.0.1 -p 5053 pornhub.com

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> @127.0.0.1 -p 5053 pornhub.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54118
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pornhub.com.                   IN      A

;; ANSWER SECTION:
pornhub.com.            1552    IN      A       66.254.114.41

;; Query time: 33 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Tue Dec 01 08:05:37 GMT 2020
;; MSG SIZE  rcvd: 67

homespuneffects commented 3 years ago

Confirming this issue. Is there a workaround? I'm not finding where the upstream server is in the code. At least not yet.

cloudflared version 2021.1.5 (built 2021-1-18-1215UTC)
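
A check for the behaviour reported in this thread, added here as an example (it is not part of the issue or of the cloudflared project): it parses two dig outputs and reports whether the local proxy hands out a real address for a name that the filtering upstream answers with 0.0.0.0. The function names, the `blocked.example` name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a DNS filter bypass by comparing the answer from a
# local proxy with the answer from the filtering upstream it should be using.

# Print the A-record addresses found in the ANSWER SECTION of dig output (stdin).
answer_ips() {
  awk '
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;;/         { in_answer = 0 }
    in_answer && $3 == "IN" && $4 == "A" { print $5 }
  ' | sort -u
}

# check_filter PROXY_DIG_OUTPUT UPSTREAM_DIG_OUTPUT
# Prints: BYPASS      upstream sinkholes the name (0.0.0.0), proxy does not
#         filtered    both return the 0.0.0.0 sinkhole answer
#         not-blocked upstream does not block this name, nothing to compare
#         no-answer   one of the outputs has no A record
check_filter() {
  proxy_ips=$(printf '%s\n' "$1" | answer_ips)
  upstream_ips=$(printf '%s\n' "$2" | answer_ips)
  if [ -z "$proxy_ips" ] || [ -z "$upstream_ips" ]; then
    echo "no-answer"
  elif [ "$upstream_ips" != "0.0.0.0" ]; then
    echo "not-blocked"
  elif [ "$proxy_ips" = "0.0.0.0" ]; then
    echo "filtered"
  else
    echo "BYPASS"
  fi
}

# Constructed samples, shaped like the dig output posted in the thread.
SAMPLE_PROXY=';; ANSWER SECTION:
blocked.example.        2887    IN      A       192.0.2.10

;; Query time: 12 msec'
SAMPLE_UPSTREAM=';; ANSWER SECTION:
blocked.example.        60      IN      A       0.0.0.0

;; Query time: 10 msec'

# Offline run on the samples. Against live resolvers, with a name the
# upstream is known to block:
#   check_filter "$(dig @127.0.0.1 -p 5053 NAME)" "$(dig @1.1.1.3 NAME)"
check_filter "$SAMPLE_PROXY" "$SAMPLE_UPSTREAM"
```

Run after each cloudflared upgrade or configuration change, a `BYPASS` result means the proxy is not applying the upstream's filtering.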