Open belgotux opened 2 years ago
Maybe try with `qmcgaw/dns:v2.0.0-beta`? The latest image based on Unbound will not be supported anymore quite soon.
Also maybe fastmirror.pp.ua is blocked. By default `BLOCK_MALICIOUS=on`, so you might want to turn it off.
Hello Quentin,
Thanks for your quick reply. Yes, it's blocking; I just tried with `BLOCK_MALICIOUS='off'`.
But the logs don't give any information about that. I retried and only have this in the logs; maybe something about the block needs to be added to the logs?
```
pihole-unbound-DoT | 2022/03/31 13:41:43 INFO [1648734103] unbound[18:0] debug: using localzone pp.ua. static
```
With the verbosity at max:
```yaml
VERBOSITY: 5
VERBOSITY_DETAILS: 4
```
http://fastmirror.pp.ua is a mirror for big open-source projects; how can I check this or open a pull request for it?
For the beta, I see that it works. Is it not the same malicious link? `dcdown` and `dcupd` with both stable and beta with `BLOCK_MALICIOUS: 'on'`, and the beta works unlike the stable:
```yaml
  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 2
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped
  dot2:
    image: qmcgaw/dns:v2.0.0-beta
    container_name: pihole-unbound-DoT2
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 1
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.36
    restart: unless-stopped
```
```
root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 43 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Thu Mar 31 16:11:53 CEST 2022
;; MSG SIZE  rcvd: 45

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.36

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13535   IN      A       93.126.105.202

;; Query time: 17 msec
;; SERVER: 10.10.10.36#53(10.10.10.36)
;; WHEN: Thu Mar 31 16:11:56 CEST 2022
;; MSG SIZE  rcvd: 77
```
Sorry for the huge delay answering. v2.0.0-beta is a totally different program really, it's coded from scratch and doesn't use Unbound. Maybe that was a bug back then? Try pulling the newer image? I also don't see fastmirror.pp.ua in https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated so maybe it's no longer blocked 🤔
With the v2.0.0-beta image, you can also log all requests and/or responses using `MIDDLEWARE_LOG_ENABLED=on` with `MIDDLEWARE_LOG_REQUESTS=on` and `MIDDLEWARE_LOG_RESPONSES=on` if you want, and there is also #123 which could be fun to watch. There are also Prometheus metrics available although that is not PER domain.
EDIT: Also v2.0.0-beta is about to come out of beta and be the newer stable version.
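As an added illustration (not code from this issue or from the qdm12/dns project), the check below mimics how an Unbound `local-zone <zone> static` entry answers NXDOMAIN for the zone and everything under it, which is what the log line `using localzone pp.ua. static` suggests happened to fastmirror.pp.ua. The sample blocklist and its `pp.ua` entry are constructed; feed the real `malicious-hostnames.updated` file to `parse_blocklist` to check a name against the current list.

```python
# Constructed sample in the style of a one-hostname-per-line blocklist.
# The "pp.ua" entry is an assumption motivated by the Unbound log line
# "using localzone pp.ua. static"; it is not taken from the real list.
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real list
malware.example
pp.ua
evil.example.org
"""


def parse_blocklist(text):
    """Return the set of blocked zones, lower-cased, trailing dots stripped."""
    zones = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            zones.add(line)
    return zones


def blocked_zone(qname, zones):
    """Walk from the full name up to the TLD and return the first label
    suffix found in the blocklist (a static local-zone covers all names
    below it), or None when nothing matches."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def expected_rcode(qname, zones):
    """rcode the resolver would hand back with BLOCK_MALICIOUS=on."""
    return "NXDOMAIN" if blocked_zone(qname, zones) else "NOERROR"


def explain(qname, zones):
    """One-line diagnosis of why a query is or is not blocked."""
    zone = blocked_zone(qname, zones)
    name = qname.lower().rstrip(".")
    if zone is None:
        return f"{name}: not in blocklist, forwarded upstream (NOERROR)"
    if zone == name:
        return f"{name}: listed directly -> NXDOMAIN"
    return f"{name}: parent zone {zone} is listed -> NXDOMAIN"


if __name__ == "__main__":
    zones = parse_blocklist(SAMPLE_BLOCKLIST)
    for name in ("fastmirror.pp.ua", "perdu.com", "www.evil.example.org"):
        print(explain(name, zones))
```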
Hello,
I've got some trouble with DNS resolution with your image. Example with fastmirror.pp.ua (Debian image or LibreOffice download). The docker file is simple: one service for DoT and one with Pi-hole on top. I'm doing my tests inside my Pi-hole docker (easiest to install debug tools with apt). I send the DNS request directly to the DoT container with the image qmcgaw/dns. I've changed `PROVIDERS` from `'cloudflare,quad9'` to `'cloudflare'` to simplify the test. The test is reproducible; I've tried on a fresh VPS in another datacenter directly with the docker-compose file, with the same results.
My tests:
```sh
kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com fastmirror.pp.ua
dig fastmirror.pp.ua @1.1.1.1
dig fastmirror.pp.ua @10.10.10.34
dig perdu.com @10.10.10.34
```
The output:
The docker-compose: