VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)
What's the problem 🤔
I try to connect to Kaspersky VPN.
It connects but I get a lot of "2024-11-02T08:37:22+01:00 WARN [dns] exchanging over dns over tls connection: EOF" messages
and:
2024-11-02T08:37:24+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-02T08:37:24+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-02T08:37:24+01:00 INFO [dns] attempting restart in 10s
with an increasing timer
What am I missing in my configuration?
Share your logs (at least 10 lines)
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)
📣 All control server routes will become private by default after the v3.41.0 release
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-11-02T08:37:12+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:12+01:00 INFO [routing] local ethernet link found: eth0
2024-11-02T08:37:12+01:00 INFO [routing] local ipnet found: 172.21.0.0/16
2024-11-02T08:37:12+01:00 INFO [firewall] enabling...
2024-11-02T08:37:12+01:00 INFO [firewall] enabled successfully
2024-11-02T08:37:13+01:00 INFO [storage] merging by most recent 20553 hardcoded servers and 20553 servers read from /gluetun/servers.json
2024-11-02T08:37:13+01:00 INFO Alpine version: 3.20.3
2024-11-02T08:37:13+01:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-02T08:37:13+01:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-02T08:37:13+01:00 INFO IPtables version: v1.8.10
2024-11-02T08:37:13+01:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom configuration file: /gluetun/custom.conf
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Custom configuration file: /gluetun/custom.conf
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/paris
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2024-11-02T08:37:13+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:13+01:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-02T08:37:13+01:00 INFO [firewall] setting allowed subnets...
2024-11-02T08:37:13+01:00 INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.10 and family v4
2024-11-02T08:37:13+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-11-02T08:37:13+01:00 INFO [http server] http server listening on [::]:8000
2024-11-02T08:37:13+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-02T08:37:13+01:00 INFO [firewall] allowing VPN connection...
2024-11-02T08:37:13+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-02T08:37:13+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-02T08:37:13+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-02T08:37:13+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:13+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-02T08:37:13+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:13+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-02T08:37:14+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-02T08:37:14+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-02T08:37:14+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.16.4/20
2024-11-02T08:37:14+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-02T08:37:14+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-02T08:37:14+01:00 INFO [dns] downloading hostnames and IP block lists
2024-11-02T08:37:14+01:00 INFO [healthcheck] healthy!
2024-11-02T08:37:15+01:00 INFO [dns] DNS server listening on [::]:53
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
....................
2024-11-02T08:37:24+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-02T08:37:24+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-02T08:37:24+01:00 INFO [dns] attempting restart in 10s
2024-11-02T08:37:24+01:00 INFO [ip getter] Public IP address is 146.70.30.195 (United Kingdom, England, London - source: ipinfo)
2024-11-02T08:37:24+01:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-11-02T08:37:25+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-11-02T08:37:25+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-02T08:37:25+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-02T08:37:25+01:00 INFO [vpn] stopping
2024-11-02T08:37:25+01:00 INFO [vpn] starting
2024-11-02T08:37:25+01:00 INFO [firewall] allowing VPN connection...
2024-11-02T08:37:25+01:00 INFO [openvpn] Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-11-02T08:37:25+01:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-11-02T08:37:25+01:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-11-02T08:37:25+01:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-11-02T08:37:25+01:00 INFO [openvpn] UDPv4 link remote: [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 INFO [openvpn] [Aura OpenVPN Prod Server] Peer Connection Initiated with [AF_INET]146.70.30.222:1194
2024-11-02T08:37:25+01:00 ERROR [openvpn] Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.11)
2024-11-02T08:37:25+01:00 INFO [openvpn] TUN/TAP device tun0 opened
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2024-11-02T08:37:25+01:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.236.48.8/20
2024-11-02T08:37:25+01:00 ERROR [openvpn] OpenVPN tried to add an IP route which already exists (RTNETLINK answers: File exists)
2024-11-02T08:37:25+01:00 WARN [openvpn] Previous error details: Linux route add command failed: external program exited with error status: 2
2024-11-02T08:37:25+01:00 ERROR [openvpn] Linux route add command failed
2024-11-02T08:37:25+01:00 INFO [openvpn] UID set to nonrootuser
2024-11-02T08:37:25+01:00 INFO [openvpn] Initialization Sequence Completed
2024-11-02T08:37:25+01:00 INFO [ip getter] Public IP address is 146.70.30.195 (United Kingdom, England, London - source: ipinfo)
2024-11-02T08:37:28+01:00 INFO [healthcheck] healthy!
2024-11-02T08:37:34+01:00 INFO [dns] downloading hostnames and IP block lists
2024-11-02T08:37:35+01:00 INFO [dns] DNS server listening on [::]:53
Share your configuration
# Define a gluetun service ##################
gluetun:
  image: qmcgaw/gluetun
  container_name: gluetun
  # line above must be uncommented to allow external containers to connect.
  # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun:/dev/net/tun
  ports:
    - 8888:8888/tcp # HTTP proxy
    - 8388:8388/tcp # Shadowsocks
    - 8388:8388/udp # Shadowsocks
  volumes:
    - ./gluetun:/gluetun
    - ./gluetun/credentials.ovpn:/gluetun/custom.conf:ro
  environment:
    # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
    - VPN_SERVICE_PROVIDER=custom
    - VPN_TYPE=openvpn
    # OpenVPN:
    - OPENVPN_USER=1xxxxxxxxxxxxxxxxxxxxxx
    - OPENVPN_PASSWORD=xxxxxxxxxxxxxxxxxxx
    - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
    # Wireguard:
    # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
    # - WIREGUARD_ADDRESSES=10.64.222.21/32
    # Timezone for accurate log times
    - TZ=Europe/Paris
    # Server list updater
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
    - UPDATER_PERIOD=
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
- do not ask for updates, be patient
- :+1: the issue to show your support instead of commenting
@qdm12 usually checks issues at least once a week, if this is a new urgent bug, revert to an older tagged container image
Is this urgent?
Yes
Host OS
Ubuntu 24.04
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
docker-compose
What is the version of Gluetun
Running version latest built on 2024-10-28T09:25:35.847Z (commit f1f3472)
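A way to measure, from a log like the one in this issue, how many DNS over TLS exchanges failed and for how long the container was resolving over plaintext DNS. This is an added example, not part of the issue or of gluetun's code; it matches only the `[dns]` message prefixes that appear in this log, and treating the next "DNS server listening" line as the end of a plaintext period is an assumption (this log shows the server can be listening and still not resolving).

```python
import re
from datetime import datetime

# Lines excerpted from the [dns] entries of the log in this issue.
SAMPLE_LOG = """\
2024-11-02T08:37:13+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-11-02T08:37:15+01:00 INFO [dns] DNS server listening on [::]:53
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:15+01:00 WARN [dns] exchanging over dns over tls connection: EOF
2024-11-02T08:37:24+01:00 INFO [dns] falling back on plaintext DNS at address 1.1.1.1
2024-11-02T08:37:24+01:00 WARN [dns] DNS is not working: after 10 tries: lookup github.com on 127.0.0.1:53: server misbehaving
2024-11-02T08:37:24+01:00 INFO [dns] attempting restart in 10s
2024-11-02T08:37:35+01:00 INFO [dns] DNS server listening on [::]:53
"""

LINE = re.compile(r"^(\S+) (INFO|WARN|ERROR|DEBUG) \[dns\] (.*)$")
PLAINTEXT = re.compile(r"(?:using|falling back on) plaintext DNS at address (\S+)")

def triage(log_text):
    """Summarise DoT failures and the periods spent on plaintext DNS."""
    dot_errors = 0
    windows = []  # [start, end, resolver]; end stays None while the window is open
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, settings tree, or another component's line
        ts, _level, msg = m.groups()
        when = datetime.fromisoformat(ts)
        is_open = bool(windows) and windows[-1][1] is None
        if msg.startswith("exchanging over dns over tls connection:"):
            dot_errors += 1
        elif (p := PLAINTEXT.search(msg)):
            if is_open:
                windows[-1][1] = when  # a new plaintext notice closes the old window
            windows.append([when, None, p.group(1)])
        elif msg.startswith("DNS server listening on") and is_open:
            # Assumption: the local resolver takes over again at this point.
            windows[-1][1] = when
    return {"dot_errors": dot_errors, "plaintext_windows": windows}

def plaintext_seconds(summary):
    """Total seconds covered by closed plaintext windows (a lower bound)."""
    return sum((end - start).total_seconds()
               for start, end, _ in summary["plaintext_windows"] if end)
```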