MatthewVance/unbound-docker-rpi

Cloudflare.com queries every 30 seconds


Describe the bug
Unbound queries cloudflare.com every 30 seconds via pihole (seen in piholes query logs). Pihole is configured as system-wide dns.

To Reproduce
Steps to reproduce the behavior:

  1. Docker run command or compose file:

    version: '3'
    services:
      unbound:
        container_name: unbound
        restart: unless-stopped
        volumes:
          - ./etc-unbound:/opt/unbound/etc/unbound
          - /dev/log:/dev/log
        image: mvance/unbound:latest
        network_mode: host

  2. Customizations (config files):

    server:

      verbosity: 1
      port: 5335
      do-ip4: yes
      do-ip6: no

      hide-identity: yes
      hide-version: yes
      hide-trustanchor: yes
      prefetch: yes

      num-threads: 1

      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-domain: mydns.jdownloader.org

  3. cloudflare.com is queried every 30 seconds.
  4. After stopping the unbound container, no further queries appear.

Expected behavior
No constant queries to cloudflare.com.

Additional context
Please review also #1 and #14 .
In #1 there is Cloudflare configured as forward-dns, but the healthcheck should check 1.1.1.1 and 1.0.0.1 and not cloudflared.com.
In #14 there's only quad9 configured as forward-dns and cloudflare.com queries are also seen.

This code explains why this is expected behavior:

    HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 CMD drill @127.0.0.1 cloudflare.com || exit 1

To check that the container can resolve an address, it has to look up a domain name, not IP addresses.

It's far from a perfect health check (see MatthewVance/unbound-docker#112). By default, it is set up for the Unbound container to query localhost for cloudflare.com (not cloudflared.com). It will either resolve those or forward to another DNS server. With the default config, it forwards those:

    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

#14 is expected behavior. Forward settings do not change the Docker health check command that tells the container to run drill @127.0.0.1 cloudflare.com.

You can override this by using: https://docs.docker.com/engine/reference/run/#healthcheck

You can re-build the image to use settings you prefer: https://docs.docker.com/engine/reference/builder/#healthcheck

Setting via Docker compose is also an option: https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck
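As an added example (not part of this issue and not from the mvance/unbound image), here is what the compose-file override looks like when the health check is kept but pointed at Unbound itself instead of at an external name. It assumes the reporter's config above (Unbound listening on port 5335 with host networking) and relies on `drill`'s `-p` option and on Unbound's built-in `localhost.` local zone, so the probe never leaves the host and never appears in Pi-hole's query log.

```yaml
version: '3'
services:
  unbound:
    container_name: unbound
    restart: unless-stopped
    image: mvance/unbound:latest
    network_mode: host
    volumes:
      - ./etc-unbound:/opt/unbound/etc/unbound
      - /dev/log:/dev/log
    # Replaces the image's HEALTHCHECK. Port 5335 is taken from the
    # server: block above; "localhost" is answered by Unbound's default
    # local zone, so no query is forwarded upstream. drill exits non-zero
    # when it gets no answer, which Docker reports as "unhealthy".
    healthcheck:
      test: ["CMD", "drill", "-p", "5335", "@127.0.0.1", "localhost"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    # Alternative, if no health check is wanted at all (compose v3):
    # healthcheck:
    #   disable: true
```

Querying Unbound directly on its own port also removes a side effect of the default command: with `network_mode: host`, `drill @127.0.0.1 cloudflare.com` goes to port 53, i.e. to whatever is listening there (Pi-hole in this setup), rather than to Unbound.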

Thanks for the explanation.
I will disable your healthcheck via compose file.