diff --git a/Dockerfile b/Dockerfile
index 0a8971f9..8e384033 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -75,6 +75,7 @@ ENV VPNSP=pia \
 BLOCK_ADS=off \
 UNBLOCK= \
 DNS_UPDATE_PERIOD=24h \
+ DNS_PLAINTEXT_ADDRESS=1.1.1.1 \
 # Firewall
 FIREWALL=on \
 EXTRA_SUBNETS= \
diff --git a/README.md b/README.md
index 9177468f..98fd128e 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,7 @@ None of the following values are required.
 | `BLOCK_SURVEILLANCE` | `off` | `on`, `off` | Block surveillance hostnames and IPs with Unbound |
 | `BLOCK_ADS` | `off` | `on`, `off` | Block ads hostnames and IPs with Unbound |
 | `UNBLOCK` | |i.e. `domain1.com,x.domain2.co.uk` | Comma separated list of domain names to leave unblocked with Unbound |
+| `DNS_PLAINTEXT_ADDRESS` | `1.1.1.1` | Any IP address | IP address to use as DNS resolver if `DOT` is `off` |
 
 ### Firewall
 
diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go
index 56971644..dae0cf1a 100644
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -186,7 +186,7 @@ func _main(background context.Context, args []string) int {
 }
 
 if allSettings.ShadowSocks.Enabled {
- nameserver := ""
+ nameserver := allSettings.DNS.PlaintextAddress.String()
 if allSettings.DNS.Enabled {
 nameserver = "127.0.0.1"
 }
@@ -225,6 +225,10 @@ func _main(background context.Context, args []string) int {
 go unboundRunLoop(ctx, startUnboundCh, logger, dnsConf, allSettings.DNS, allSettings.System.UID, allSettings.System.GID, waiter, streamMerger, httpServer)
 if !allSettings.DNS.Enabled {
 httpServer.SetUnboundRestart(func() {})
+ dnsConf.UseDNSInternally(allSettings.DNS.PlaintextAddress)
+ if err := dnsConf.UseDNSSystemWide(allSettings.DNS.PlaintextAddress); err != nil {
+ logger.Error(err)
+ }
 }
 
 go func() {
diff --git a/internal/params/dns.go b/internal/params/dns.go
index 7c287ae5..e20ab9b7 100644
--- a/internal/params/dns.go
+++ b/internal/params/dns.go
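Review bot: `nameserver := allSettings.DNS.PlaintextAddress.String()` on the changed line yields the literal string "<nil>" whenever PlaintextAddress is unset, because net.IP.String() renders a nil IP that way, and that string would then be handed to the Shadowsocks server as its resolver. With GetDNSSettings as patched the field is populated whenever DNS.Enabled is false, and the DNS.Enabled override just below masks the nil case for the current loader, but any other way of building settings.DNS (tests, a future config source) would hit it silently. A guard keeps the old fallback intact: `nameserver := ""` followed by `if ip := allSettings.DNS.PlaintextAddress; ip != nil { nameserver = ip.String() }`. The enclosing _main body starts and ends outside this hunk.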
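Review bot: The added `UseDNSSystemWide` call only logs its error and carries on, so when writing the system resolver fails the container keeps whatever resolver it started with, typically the one Docker injected, and DNS queries go wherever that points rather than to DNS_PLAINTEXT_ADDRESS; whether the firewall then blocks them is not visible here. For a VPN container a resolver that was never switched is a leak-class failure, so consider handling it the way the rest of _main handles startup errors rather than continuing, and at minimum include the address in the message, e.g. `logger.Error(fmt.Errorf("setting plaintext DNS %s system-wide: %w", allSettings.DNS.PlaintextAddress, err))`. `UseDNSInternally` receives the same address with no indication that UDP/TCP 53 to it is permitted through the tunnel; if the firewall handles that elsewhere, a one-line comment here saying so would help the next reader. _main begins and ends outside this hunk.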
@@ -143,3 +143,17 @@ func (r *reader) GetDNSUpdatePeriod() (period time.Duration, err error) {
 }
 return time.ParseDuration(s)
 }
+
+// GetDNSPlaintext obtains the plaintext DNS address to use if DNS over TLS is disabled
+// from the environment variable DNS_PLAINTEXT_ADDRESS
+func (r *reader) GetDNSPlaintext() (ip net.IP, err error) {
+ s, err := r.envParams.GetEnv("DNS_PLAINTEXT_ADDRESS", libparams.Default("1.1.1.1"))
+ if err != nil {
+ return nil, err
+ }
+ ip = net.ParseIP(s)
+ if ip == nil {
+ return nil, fmt.Errorf("DNS plaintext address %q is not a valid IP address", s)
+ }
+ return ip, nil
+}
diff --git a/internal/params/params.go b/internal/params/params.go
index 34df0188..e72d6fdc 100644
--- a/internal/params/params.go
+++ b/internal/params/params.go
@@ -29,6 +29,7 @@ type Reader interface {
 GetDNSOverTLSPrivateAddresses() (privateAddresses []string, err error)
 GetDNSOverTLSIPv6() (ipv6 bool, err error)
 GetDNSUpdatePeriod() (period time.Duration, err error)
+ GetDNSPlaintext() (ip net.IP, err error)
 
 // System
 GetUID() (uid int, err error)
diff --git a/internal/settings/dns.go b/internal/settings/dns.go
index 37e1555b..73d3c77d 100644
--- a/internal/settings/dns.go
+++ b/internal/settings/dns.go
@@ -2,6 +2,7 @@ package settings
 
 import (
 "fmt"
+ "net"
 "strings"
 "time"
 
@@ -14,6 +15,7 @@ import (
 type DNS struct {
 Enabled bool
 Providers []models.DNSProvider
+ PlaintextAddress net.IP
 AllowedHostnames []string
 PrivateAddresses []string
 Caching bool
@@ -28,13 +30,13 @@ type DNS struct {
 }
 
 func (d *DNS) String() string {
- if !d.Enabled {
- return "DNS over TLS settings: disabled"
- }
 const (
 enabled = "enabled"
 disabled = "disabled"
 )
+ if !d.Enabled {
+ return fmt.Sprintf("DNS over TLS disabled, using plaintext DNS %s", d.PlaintextAddress)
+ }
 caching, blockMalicious, blockSurveillance, blockAds, ipv6 := disabled, disabled, disabled, disabled, disabled
 if d.Caching {
 caching = enabled
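Review bot: `GetDNSPlaintext` accepts any syntactically valid IP literal, including `0.0.0.0`, `::` and multicast addresses, because net.ParseIP does not reject them, and the caller in main.go then writes that value as the system-wide nameserver; rejecting them at parse time turns a silent resolution failure into a clear configuration error. After the nil check add `if ip.IsUnspecified() || ip.IsMulticast() { return nil, fmt.Errorf("DNS plaintext address %q is not a usable unicast address", s) }`. The doc comment should also end with a period and may as well state that both IPv4 and IPv6 literals are accepted, since the README advertises "Any IP address".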
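Review bot: The new `PlaintextAddress` field in the DNS struct carries no comment, yet its contract is easy to get wrong: as patched in GetDNSSettings it is only filled in when `Enabled` is false and stays nil otherwise, while String() and the ShadowSocks setup in main.go both read it. Document that on the field so readers do not assume it is always set: `PlaintextAddress net.IP // resolver used when Enabled is false; nil when DNS over TLS is on`. The DNS struct continues past this hunk.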
@@ -80,7 +82,11 @@ func (d *DNS) String() string {
 // GetDNSSettings obtains DNS over TLS settings from environment variables using the params package.
 func GetDNSSettings(paramsReader params.Reader) (settings DNS, err error) {
 settings.Enabled, err = paramsReader.GetDNSOverTLS()
- if err != nil || !settings.Enabled {
+ if err != nil {
+ return settings, err
+ }
+ if !settings.Enabled {
+ settings.PlaintextAddress, err = paramsReader.GetDNSPlaintext()
 return settings, err
 }
 settings.Providers, err = paramsReader.GetDNSOverTLSProviders()
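Review bot: The `GetDNSPlaintext` call on the added lines only runs when DNS over TLS is off, so an invalid DNS_PLAINTEXT_ADDRESS goes unnoticed while DOT is on and only surfaces if the user later disables it, and `settings.PlaintextAddress` stays nil in the DOT-on case even though main.go calls `.String()` on it before the 127.0.0.1 override. Reading the value unconditionally validates the whole environment up front: place `settings.PlaintextAddress, err = paramsReader.GetDNSPlaintext()` and `if err != nil { return settings, err }` before the `if !settings.Enabled` check, which then becomes a bare `return settings, nil`. GetDNSSettings continues past the end of this hunk.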