DNS_PLAINTEXT_ADDRESS, fixes #176

Dockerfile

@@ -75,6 +75,7 @@ ENV VPNSP=pia \
     BLOCK_ADS=off \
     UNBLOCK= \
     DNS_UPDATE_PERIOD=24h \
+    DNS_PLAINTEXT_ADDRESS=1.1.1.1 \
     # Firewall
     FIREWALL=on \
     EXTRA_SUBNETS= \

README.md

@@ -220,6 +220,7 @@ None of the following values are required.
 | `BLOCK_SURVEILLANCE` | `off` | `on`, `off` | Block surveillance hostnames and IPs with Unbound |
 | `BLOCK_ADS` | `off` | `on`, `off` | Block ads hostnames and IPs with Unbound |
 | `UNBLOCK` | |i.e. `domain1.com,x.domain2.co.uk` | Comma separated list of domain names to leave unblocked with Unbound |
+| `DNS_PLAINTEXT_ADDRESS` | `1.1.1.1` | Any IP address | IP address to use as DNS resolver if `DOT` is `off` |
 
 ### Firewall
 

cmd/gluetun/main.go

@@ -186,7 +186,7 @@ func _main(background context.Context, args []string) int {
 	}
 
 	if allSettings.ShadowSocks.Enabled {
-		nameserver := ""
+		nameserver := allSettings.DNS.PlaintextAddress.String()
 		if allSettings.DNS.Enabled {
 			nameserver = "127.0.0.1"
 		}
@@ -225,6 +225,10 @@ func _main(background context.Context, args []string) int {
 	go unboundRunLoop(ctx, startUnboundCh, logger, dnsConf, allSettings.DNS, allSettings.System.UID, allSettings.System.GID, waiter, streamMerger, httpServer)
 	if !allSettings.DNS.Enabled {
 		httpServer.SetUnboundRestart(func() {})
+		dnsConf.UseDNSInternally(allSettings.DNS.PlaintextAddress)
+		if err := dnsConf.UseDNSSystemWide(allSettings.DNS.PlaintextAddress); err != nil {
+			logger.Error(err)
+		}
 	}
 
 	go func() {

internal/params/dns.go

@@ -143,3 +143,17 @@ func (r *reader) GetDNSUpdatePeriod() (period time.Duration, err error) {
 	}
 	return time.ParseDuration(s)
 }
+
+// GetDNSPlaintext obtains the plaintext DNS address to use if DNS over TLS is disabled
+// from the environment variable DNS_PLAINTEXT_ADDRESS
+func (r *reader) GetDNSPlaintext() (ip net.IP, err error) {
+	s, err := r.envParams.GetEnv("DNS_PLAINTEXT_ADDRESS", libparams.Default("1.1.1.1"))
+	if err != nil {
+		return nil, err
+	}
+	ip = net.ParseIP(s)
+	if ip == nil {
+		return nil, fmt.Errorf("DNS plaintext address %q is not a valid IP address", s)
+	}
+	return ip, nil
+}

internal/params/params.go

@@ -29,6 +29,7 @@ type Reader interface {
 	GetDNSOverTLSPrivateAddresses() (privateAddresses []string, err error)
 	GetDNSOverTLSIPv6() (ipv6 bool, err error)
 	GetDNSUpdatePeriod() (period time.Duration, err error)
+	GetDNSPlaintext() (ip net.IP, err error)
 
 	// System
 	GetUID() (uid int, err error)

internal/settings/dns.go

@@ -2,6 +2,7 @@ package settings
 
 import (
 	"fmt"
+	"net"
 	"strings"
 	"time"
 
@@ -14,6 +15,7 @@ import (
 type DNS struct {
 	Enabled               bool
 	Providers             []models.DNSProvider
+	PlaintextAddress      net.IP
 	AllowedHostnames      []string
 	PrivateAddresses      []string
 	Caching               bool
@@ -28,13 +30,13 @@ type DNS struct {
 }
 
 func (d *DNS) String() string {
-	if !d.Enabled {
-		return "DNS over TLS settings: disabled"
-	}
 	const (
 		enabled  = "enabled"
 		disabled = "disabled"
 	)
+	if !d.Enabled {
+		return fmt.Sprintf("DNS over TLS disabled, using plaintext DNS %s", d.PlaintextAddress)
+	}
 	caching, blockMalicious, blockSurveillance, blockAds, ipv6 := disabled, disabled, disabled, disabled, disabled
 	if d.Caching {
 		caching = enabled
@@ -80,7 +82,11 @@ func (d *DNS) String() string {
 // GetDNSSettings obtains DNS over TLS settings from environment variables using the params package.
 func GetDNSSettings(paramsReader params.Reader) (settings DNS, err error) {
 	settings.Enabled, err = paramsReader.GetDNSOverTLS()
-	if err != nil || !settings.Enabled {
+	if err != nil {
+		return settings, err
+	}
+	if !settings.Enabled {
+		settings.PlaintextAddress, err = paramsReader.GetDNSPlaintext()
 		return settings, err
 	}
 	settings.Providers, err = paramsReader.GetDNSOverTLSProviders()