Bug: Won't use local DNS seems to stay on 1.1.1.1 #2717

Open
cwilliams5 opened this issue Feb 23, 2025 · 1 comment

Comments

@cwilliams5

Is this urgent?

No

Host OS

Raspbian GNU/Linux 11 (bullseye)

CPU arch

aarch64

VPN service provider

Custom

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)

What's the problem 🤔

TL;DR: Gluetun keeps reverting to 1.1.1.1 despite all efforts to use a local DNS.

I have an interesting network configuration:

  • Ports 53 and 853 are blocked at the hardware firewall from my network
  • Local DNS servers of 192.168.10.11 and .12 use Pi-hole, with an upstream DNS over HTTPS through a cloudflared tunnel

Long story short, I can't seem to find any combination of settings for Gluetun that will get it to use my DNS. It still wants to go out to 1.1.1.1. I've even tried removing 192.168 from DOT_PRIVATE_ADDRESS. Below is the latest config, but I have tried hours of every conceivable combination of DoT on/off and every DNS setting I can find in every config. The only thing that gets it to work is whitelisting the Docker host's IP address at my UniFi firewall to allow it to do DNS lookups on 53 and 853.

Here is the behavior I would expect:

  • When no VPN tunnel is open, any necessary DNS queries use my local DNS servers.
  • As soon as a VPN tunnel is open, stop using my local DNS and do all DNS queries THROUGH the VPN tunnel (to 1.1.1.1, whoever; I don't care)

If there is a configuration that makes that possible, I'm all ears. I really did try everything for hours to not clog up this thing with a needless issue, so I hope I didn't miss anything obvious.

Share your logs (at least 10 lines)

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-02-23T00:11:06-08:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2025-02-23T00:11:06-08:00 INFO [routing] local ethernet link found: eth0
2025-02-23T00:11:06-08:00 INFO [routing] local ipnet found: 172.27.0.0/16
2025-02-23T00:11:06-08:00 INFO [firewall] enabling...
2025-02-23T00:11:06-08:00 INFO [firewall] enabled successfully
2025-02-23T00:11:09-08:00 INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
2025-02-23T00:11:09-08:00 INFO Alpine version: 3.20.5
2025-02-23T00:11:09-08:00 INFO OpenVPN 2.5 version: 2.5.10
2025-02-23T00:11:09-08:00 INFO OpenVPN 2.6 version: 2.6.11
2025-02-23T00:11:09-08:00 INFO IPtables version: v1.8.10
2025-02-23T00:11:09-08:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: perfect privacy
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Cities: amsterdam
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   └── Keep existing nameserver(s): yes
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: america/los_angeles
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: perfect privacy
└── Version settings:
    └── Enabled: yes
2025-02-23T00:11:09-08:00 WARN DNS address is set to 192.168.10.11 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2025-02-23T00:11:09-08:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2025-02-23T00:11:09-08:00 INFO [routing] adding route for 0.0.0.0/0
2025-02-23T00:11:09-08:00 INFO [firewall] setting allowed subnets...
2025-02-23T00:11:09-08:00 INFO [routing] default route found: interface eth0, gateway 172.27.0.1, assigned IP 172.27.0.2 and family v4
2025-02-23T00:11:09-08:00 WARN [dns] ⚠️⚠️⚠️  keeping the default container nameservers, this will likely leak DNS traffic outside the VPN and go through your container network DNS outside the VPN tunnel!
2025-02-23T00:11:09-08:00 INFO [http server] http server listening on [::]:8000
2025-02-23T00:11:09-08:00 INFO [healthcheck] listening on 127.0.0.1:9999
2025-02-23T00:11:09-08:00 INFO [firewall] allowing VPN connection...
2025-02-23T00:11:09-08:00 INFO [openvpn] OpenVPN 2.6.11 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-02-23T00:11:09-08:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-02-23T00:11:09-08:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2025-02-23T00:11:09-08:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]37.48.94.1:443
2025-02-23T00:11:09-08:00 INFO [openvpn] UDPv4 link local: (not bound)
2025-02-23T00:11:09-08:00 INFO [openvpn] UDPv4 link remote: [AF_INET]37.48.94.1:443
2025-02-23T00:11:15-08:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 127.0.0.11:53: server misbehaving)
2025-02-23T00:11:15-08:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-02-23T00:11:15-08:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-02-23T00:11:15-08:00 INFO [vpn] stopping
2025-02-23T00:11:15-08:00 INFO [vpn] starting
2025-02-23T00:11:15-08:00 INFO [firewall] allowing VPN connection...
2025-02-23T00:11:16-08:00 INFO [openvpn] OpenVPN 2.6.11 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-02-23T00:11:16-08:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-02-23T00:11:16-08:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2025-02-23T00:11:16-08:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]95.211.95.233:443
2025-02-23T00:11:16-08:00 INFO [openvpn] UDPv4 link local: (not bound)
2025-02-23T00:11:16-08:00 INFO [openvpn] UDPv4 link remote: [AF_INET]95.211.95.233:443
2025-02-23T00:11:27-08:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 127.0.0.11:53: server misbehaving)
2025-02-23T00:11:27-08:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-02-23T00:11:27-08:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-02-23T00:11:27-08:00 INFO [vpn] stopping
2025-02-23T00:11:27-08:00 INFO [vpn] starting
2025-02-23T00:11:27-08:00 INFO [firewall] allowing VPN connection...
2025-02-23T00:11:27-08:00 INFO [openvpn] OpenVPN 2.6.11 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-02-23T00:11:27-08:00 INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-02-23T00:11:27-08:00 WARN [openvpn] No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2025-02-23T00:11:27-08:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]37.48.94.1:443
2025-02-23T00:11:27-08:00 INFO [openvpn] UDPv4 link local: (not bound)
2025-02-23T00:11:27-08:00 INFO [openvpn] UDPv4 link remote: [AF_INET]37.48.94.1:443
2025-02-23T00:08:38-08:00 INFO [openvpn] UDPv4 link remote: [AF_INET]85.17.28.145:443
2025-02-23T00:08:49-08:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.27.0.2:47196->1.1.1.1:53: write: operation not permitted)
2025-02-23T00:08:49-08:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-02-23T00:08:49-08:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-02-23T00:08:49-08:00 INFO [vpn] stopping
2025-02-23T00:08:49-08:00 INFO [vpn] starting

Share your configuration

---
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 9015:8888/tcp # HTTP control server
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - gluetun:/gluetun
    environment:
      - "autoheal=true"  # set to try to heal on health problem
      - VPN_SERVICE_PROVIDER=perfect privacy
      - OPENVPN_USER=XXXXXX
      - OPENVPN_PASSWORD=XXXXXX
      - SERVER_CITIES=Amsterdam
      - TZ=America/Los_Angeles
      # we have to try very hard to force it to use our dns
      - DNS_KEEP_NAMESERVER=on
      - DNS_ADDRESS=192.168.10.11
      # and then we have to take 192.168.10.0 out of its dns firewall
      - DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112

      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h
    dns:
      - 192.168.10.11
      - 192.168.10.12

volumes:
  gluetun:
    external: true
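The healthcheck lines in the log above show the same lookup of cloudflare.com going to two different resolvers with two different failure modes: Docker's embedded resolver at 127.0.0.11 answering "server misbehaving", and a direct query to 1.1.1.1 being refused with "operation not permitted" by the container's own firewall. As an added example (not part of this issue, and not gluetun's code), here is a small Python script that parses such lines, classifies the resolver each query went to, and states what each outcome means for DNS privacy. The sample log is constructed to mirror the lines posted above, and the assessment strings are this example's interpretation, not text emitted by gluetun.

```python
"""Classify where gluetun's healthcheck DNS lookups went, from its log lines."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, shaped like the lines in the issue's log (not a live capture).
SAMPLE_LOG = """\
2025-02-23T00:11:09-08:00 WARN [dns] keeping the default container nameservers, this will likely leak DNS traffic outside the VPN and go through your container network DNS outside the VPN tunnel!
2025-02-23T00:11:15-08:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 127.0.0.11:53: server misbehaving)
2025-02-23T00:11:27-08:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 127.0.0.11:53: server misbehaving)
2025-02-23T00:08:49-08:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.27.0.2:47196->1.1.1.1:53: write: operation not permitted)
"""

# "lookup <name> on <ip>:<port>: <error>" is how Go's net package reports resolver errors;
# the IP may be bracketed when it is IPv6.
LOOKUP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \[healthcheck\] .*?lookup (?P<name>\S+) on "
    r"\[?(?P<ip>[0-9a-fA-F.:]+?)\]?:(?P<port>\d+): (?P<err>.*?)\)?$"
)
KEEP_NS_WARNING = "keeping the default container nameservers"
DOCKER_EMBEDDED_DNS = "127.0.0.11"  # Docker's per-network embedded resolver


@dataclass
class Lookup:
    timestamp: str
    name: str
    resolver: str
    resolver_class: str
    error: str
    assessment: str


def classify_resolver(ip_str: str) -> str:
    """Bucket a resolver address: docker-embedded, loopback, private (RFC 1918 etc.) or public."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str == DOCKER_EMBEDDED_DNS:
        return "docker-embedded"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def assess(resolver_class: str, error: str) -> str:
    """Explain what a failed lookup means for DNS privacy (this example's wording)."""
    if resolver_class == "public" and "operation not permitted" in error:
        return "query to a public resolver was dropped by the container firewall (nothing left the host)"
    if resolver_class == "public":
        return "query reached a public resolver outside the tunnel: possible DNS leak"
    if resolver_class == "docker-embedded":
        return "Docker's embedded DNS forwarded the query and got a failure RCODE; check the compose dns: resolvers"
    return "local or loopback resolver failed; check it is reachable from the container network"


def analyze(log_text: str) -> dict:
    """Return the leak-warning flag and every healthcheck lookup found in the log."""
    leak_warning = False
    lookups = []
    for line in log_text.splitlines():
        if KEEP_NS_WARNING in line:
            leak_warning = True
            continue
        m = LOOKUP_RE.match(line)
        if not m:
            continue
        cls = classify_resolver(m["ip"])
        lookups.append(Lookup(m["ts"], m["name"], m["ip"], cls, m["err"], assess(cls, m["err"])))
    return {"leak_warning": leak_warning, "lookups": lookups}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("container nameservers kept (gluetun leak warning):", result["leak_warning"])
    for lk in result["lookups"]:
        print(f"{lk.timestamp} {lk.name} via {lk.resolver} [{lk.resolver_class}]: {lk.assessment}")
```

Run it against a saved `docker logs gluetun` dump by passing the file contents to `analyze()`. The useful signal is the resolver class over time: queries to 127.0.0.11 go through Docker's embedded DNS and on to whatever the compose `dns:` list names, while a query that reaches a public address and is not refused by the firewall is the case worth investigating, because it means name resolution is happening outside the tunnel.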
Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
