qdm12 / dns

Docker DNS server on steroids to access DNS-over-TLS from Cloudflare, Google, Quad9, Quadrant or CleanBrowsing
https://hub.docker.com/r/qmcgaw/cloudflare-dns-server
MIT License

Running 2.0.0-rc3 with network_mode: host - issues that are persistent in all images #110

Closed Kampe closed 2 years ago

Kampe commented 2 years ago

Hello! I'm attempting to update to the latest versions, as I'm having issues when my network loses connectivity: this container is never able to reconnect and continue serving requests. However, my issue at the moment seems to be that I run this container with host networking, for a plethora of reasons, on my Raspberry Pi. I also give it the requested permissions set below:

  cloudflared:
    container_name: cloudflared
    image: qmcgaw/dns:v2.0.0-rc3
    environment:
      - VERBOSITY=0
      - VERBOSITY_DETAILS=0
      - BLOCK_MALICIOUS=off
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - CHECK_UNBOUND=off
      - DOT_RESOLVERS=cloudflare,google
      - DOH_RESOLVERS=cloudflare,google
      - LISTENINGPORT=5054
      - UPDATE_PERIOD=24h
    restart: always
    cap_add:
      - NET_ADMIN
      - NET_RAW
    ports:
      - 5054:5054/tcp
      - 5054:5054/udp
    network_mode: host

In the logs I see a lot of these:

2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: ssl handshake failed crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: ssl handshake failed crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022/05/08 20:27:09 INFO unbound loop exited
2022/05/08 20:27:09 WARN healthcheck server: shutting down (context canceled)
2022/05/08 20:27:09 ERROR DNS is not working: after 10 tries: lookup github.com on 192.168.1.1:53: server misbehaving
2022/05/08 20:27:09 INFO Shutdown successful

What needs to be done here to allow this container to perform its duties as it did with the latest version? I'm running Raspbian, so I gave updating libseccomp-dev on the host a shot: https://github.com/qdm12/dns/issues/77

This had no effect unfortunately.
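The unbound lines quoted in the report are one OpenSSL error stack printed one entry per line: the "ssl handshake failed" entry is the root of the stack and each "and additionally" entry is the next frame up, ending at "certificate verify failed". The triage script below, an added example rather than code from the qdm12/dns project, regroups those lines into one record per failed handshake and reports whether the root cause is OpenSSL failing to read the clock (the ASN1_TIME_adj error), which is a host-side problem rather than a bad upstream certificate; the sample log is a constructed subset of the lines above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the unbound lines quoted in the report above.
SAMPLE_LOG = """\
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: ssl handshake failed crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:0D0D90AD:asn1 encoding routines:ASN1_TIME_adj:error getting time
2022/05/08 20:27:04 INFO [24739200603521024] unbound[16:1] error: and additionally crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022/05/08 20:27:09 INFO unbound loop exited
2022/05/08 20:27:09 ERROR DNS is not working: after 10 tries: lookup github.com on 192.168.1.1:53: server misbehaving
"""

# unbound prints OpenSSL's error stack one entry per line: the first entry reads
# "ssl handshake failed <err>", every deeper entry "and additionally <err>".
ERR_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ .*unbound\[[^\]]+\] error: "
    r"(?P<kind>ssl handshake failed|and additionally) crypto error:"
    r"(?P<code>[0-9A-F]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

@dataclass
class Handshake:
    ts: str
    errors: list = field(default_factory=list)  # (code, func, reason), root cause first

def parse_handshakes(log: str) -> list:
    """Group the per-line error entries back into one record per failed handshake."""
    handshakes = []
    for line in log.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        if m["kind"] == "ssl handshake failed":
            handshakes.append(Handshake(m["ts"]))
        if handshakes:  # tolerate a stray "and additionally" with no opener
            handshakes[-1].errors.append((m["code"], m["func"], m["reason"]))
    return handshakes

def diagnose(log: str) -> dict:
    """Summarise why the DoT upstream handshakes failed and whether the resolver gave up."""
    hs = parse_handshakes(log)
    roots = {h.errors[0][2] for h in hs if h.errors}
    finals = {h.errors[-1][2] for h in hs if h.errors}
    return {
        "failed_handshakes": len(hs),
        "root_reasons": sorted(roots),
        "final_reasons": sorted(finals),
        # ASN1_TIME_adj failing means OpenSSL could not read the system clock, so
        # it cannot check the certificate's validity dates: a host problem (for
        # example seccomp denying the time syscall), not a bad certificate.
        "clock_unavailable": "error getting time" in roots,
        "resolver_gave_up": "DNS is not working" in log,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```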

qdm12 commented 2 years ago

Please use the image qmcgaw/dns:v2.0.0-beta; it's rather stable, and documentation is available on the v2.0.0-beta branch of the repo. It will most likely work. It does implement DoT and DoH, and also uses fewer resources as far as I've seen (there are also Prometheus metrics, etc.). It's in beta since the Go programming API is not fully finished for stable usage.

The older image (still :latest) using Unbound will soon be deprecated, and I won't really fix it anymore.

Thanks for your understanding!