gluetun: Bug: 1.1.1.1 shouldn't be there for Kubernetes sidecar

Is this urgent?

Yes

Host OS

Kubernetes, Mixed

CPU arch

None

VPN service provider

AirVPN

What are you using to run the container

Kubernetes

What is the version of Gluetun

Latest

What’s the problem 🤔

With kubernetes it’s vital to be able to fully resolve internal cluster DNS. However with both:

  DNS_KEEP_NAMESERVER: on
  DOT: off

It still stupidly adds 1.1.1.1, where the docs state it will “keep your current server”. While it in theory keeps the server, users don’t expect the first (primary!) server to be turned into a public DNS server.

That’s not expected and causes issues, as a lot of application rely on only the first(!) server in the resolve file, which is set to 1.1.1.1 completely bricking internal cluster resolve on some kubernetes clusters.

While this can be manually adapted against by altering the DNS server, this is not a flexible and expectable setup.

If this is expected behavior (which is still weird), can we at least have something as simple as: DNS: off

So we can just not have Gluetun try to fuck with DNS settings at all. This should also be relatively easy to add, as it’s just a general toggle.

Share your logs

In this case not really relevant I think, as the behavior has been reported before...
Though not in this context.

Share your configuration

No response

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 7
  • Comments: 16 (4 by maintainers)

Most upvoted comments

Can you guys try image qmcgaw/gluetun:pr-1742 (see #137 (comment)) to see if this is resolved? This will get merged soon (finishing dnssec optional implementation before merging)

Using qmcgaw/gluetun:pr-1742 does not resolve the issue. 1.1.1.1 is still there

+1
ksimm1 on Aug 7, 2023

So I have confirmed through testing that adding:

DNS_ADDRESS: 172.17.0.10
DNS_KEEP_NAMESERVER: on
DOT: off

… this container is STILL injecting 1.1.1.1 into resolv.conf and breaking cluster.local resolution.

$ cat /etc/resolv.conf
nameserver 1.1.1.1
nameserver 172.17.0.10
search ix-sonarr.svc.cluster.local svc.cluster.local cluster.local
options ndots:2

There needs to be an option to fully switch this off as per the bug report. This should be, ideally, handled by configuring the upstream in CoreDNS to 1.1.1.1 or setting the DHCP DNS servers to 1.1.1.1, not being forcibly injected by the container. This feature is nice for people who don’t have those preferred options, but it should not be the default behaviour.

UPDATE:

Not sure why but deleting the chart I was using and readding only the two lines below managed to work around the 1.1.1.1 injection, however the need to turn this off entirely is still there.

DNS_ADDRESS: 172.17.0.10
DNS_KEEP_NAMESERVER: on
+1
Routhinator on May 17, 2023
Read more comments on GitHub
← gluetun: Bug: iptables table `filter': Table does not exist, exit status 3
gluetun: Bug: AUTH_FAILED for fastestvpn →