Bug: Unexpected DNS_ADDRESS behavior? (split-resolution) #2779

Open
geonon436 opened this issue Apr 16, 2025 · 1 comment
Comments

geonon436 commented Apr 16, 2025

Is this urgent?

No

Host OS

Ubuntu 24.04

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2025-01-22T08:30:14.628Z (commit 13532c8)

What's the problem 🤔

Traffic is split between the value set in DNS_ADDRESS and 127.0.0.1, at least from what I can tell.

I have DNS_ADDRESS set to a local instance of Dnsmasq; this routes local services manually and sends everything else upstream to a second instance of Gluetun.

firefox gluetun - set to secure core only USA
dns gluetun - set to switzerland

After everything is running I can access local services, so it's definitely hitting the Dnsmasq for those. If I remove the DNS_ADDRESS value, it stops resolving local services, just to add evidence that Dnsmasq is working. However, when I visit https://dnsleaktest.com it shows Los Angeles (current secure location), and not Switzerland. The DNS queries should be routing through the instance pointing at Switzerland.

Does Gluetun attempt to resolve to both the value set in DNS_ADDRESS and 127.0.0.1 (local Unbound)? I would think that all DNS traffic would route through the value set as DNS_ADDRESS.

Share your logs (at least 10 lines)

2025-04-16T00:19:54Z INFO [routing] default route found: interface eth0, gateway 10.42.2.1, assigned IP 10.42.2.2 and family v4
2025-04-16T00:19:54Z INFO [routing] adding route for 192.168.1.0/24
2025-04-16T00:19:54Z INFO [routing] adding route for 192.168.2.0/24
2025-04-16T00:19:54Z INFO [routing] adding route for 10.42.0.0/16
2025-04-16T00:19:54Z INFO [dns] using plaintext DNS at address 10.42.0.40 <---- dnsmasq
2025-04-16T00:19:54Z INFO [http server] http server listening on [::]:8000
2025-04-16T00:19:54Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-04-16T00:19:54Z INFO [firewall] allowing VPN connection...
2025-04-16T00:19:54Z INFO [wireguard] Using available kernelspace implementation
2025-04-16T00:19:54Z INFO [wireguard] Connecting to 185.159.156.109:51820
2025-04-16T00:19:54Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2025-04-16T00:19:54Z INFO [dns] downloading hostnames and IP block lists
2025-04-16T00:19:56Z WARN [dns] cannot update filter block lists: Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated": EOF, Get "https://raw.githubusercontent.com/qdm12/files/master/malicious-ips.updated": EOF
2025-04-16T00:19:56Z INFO [dns] attempting restart in 10s
2025-04-16T00:19:57Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": EOF
2025-04-16T00:19:58Z ERROR [vpn] cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/commits": EOF
2025-04-16T00:19:59Z INFO [healthcheck] healthy!
2025-04-16T00:20:06Z INFO [dns] downloading hostnames and IP block lists
2025-04-16T00:20:10Z INFO [dns] DNS server listening on [::]:53
2025-04-16T00:20:11Z INFO [dns] ready

Share your configuration

networks:
  default:
    ipam:
      config:
        - subnet: 10.42.10.0/24
  gluetun_dns:
    external: true

services:
  gluetun-firefox:
    image: qmcgaw/gluetun
    container_name: gluetun-firefox
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: protonvpn
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: [redacted]
      SERVER_COUNTRIES: United States
      SECURE_CORE_ONLY: on
      FIREWALL_OUTBOUND_SUBNETS: 192.168.1.0/24,192.168.2.0/24,10.42.0.0/16
      DNS_ADDRESS: 10.42.0.40 # dnsmasq address
    networks:
      - default
      - gluetun_dns

  firefox:
    image: jlesage/firefox
    container_name: firefox
    restart: unless-stopped
    volumes:
      - ./firefox:/config
    environment:
      USER_ID: ${PUID}
      GROUP_ID: ${PGID}
      TZ: ${TZ}
    network_mode: service:gluetun-firefox

---------------------------------------------------

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: webhost-gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: protonvpn
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: [redacted]
      SERVER_COUNTRIES: Switzerland
      FIREWALL_OUTBOUND_SUBNETS: 192.168.1.0/24,192.168.2.0/24,10.42.0.0/16
    networks:
      gluetun_dns:
        ipv4_address: 10.42.0.20
    expose:
      - 53

  dnsmasq:
    image: andyshinn/dnsmasq
    container_name: webhost-dnsmasq
    volumes:
      - ./dnsmasq/dnsmasq.conf:/etc/dnsmasq.conf
    restart: unless-stopped
    networks:
      gluetun_dns:
        ipv4_address: 10.42.0.40

---------------------------------------------------

# relevant Dnsmasq config
# prevent traffic from leaking to the host's DNS
no-resolv

# use gluetun's dns for anything not defined below
server=10.42.0.20
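The question in this report is whether resolution inside the container goes to DNS_ADDRESS only, or also to a local listener on 127.0.0.1. Two artefacts answer that without guessing: the container's /etc/resolv.conf, and the `[dns]` lines of the Gluetun log (the report shows both "using plaintext DNS at address 10.42.0.40" and "DNS server listening on [::]:53"). The script below is an added diagnostic, not part of this issue or of Gluetun itself: it parses both artefacts and lists what they imply. The log lines embedded in it are copied from the report; the resolv.conf content is a constructed sample, since the report does not include that file, and the `nameserver 127.0.0.1` line in it is an assumption.

```python
"""Check whether a Gluetun-style container is pinned to DNS_ADDRESS or also
resolves through a local listener. Added example; assumptions are marked."""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Gluetun log line shape as seen in the report: "<ts> <LEVEL> [<component>] <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<comp>[^\]]+)\]\s+(?P<msg>.*)$")
PLAINTEXT_RE = re.compile(r"using plaintext DNS at address\s+(?P<addr>[0-9a-fA-F.:]+)")
LISTEN_RE = re.compile(r"DNS server listening on\s+(?P<bind>\S+)")


@dataclass
class DnsState:
    """What the two artefacts say about resolution inside the container."""
    plaintext_address: Optional[str] = None  # from "[dns] using plaintext DNS at address ..."
    local_server_bind: Optional[str] = None  # from "[dns] DNS server listening on ..."
    resolvers: list = field(default_factory=list)  # nameserver entries from resolv.conf
    findings: list = field(default_factory=list)   # human-readable observations


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_gluetun_log(lines: Iterable[str]):
    """Pull the configured plaintext DNS address and the local listener out of [dns] lines."""
    plaintext = None
    bind = None
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m or m.group("comp") != "dns":
            continue
        pm = PLAINTEXT_RE.search(m.group("msg"))
        if pm:
            plaintext = pm.group("addr")
        lm = LISTEN_RE.search(m.group("msg"))
        if lm:
            bind = lm.group("bind")
    return plaintext, bind


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def diagnose(expected_dns: str, resolv_conf: str, log_lines: Iterable[str]) -> DnsState:
    """Compare DNS_ADDRESS against what resolv.conf and the log actually show."""
    state = DnsState()
    state.resolvers = parse_resolv_conf(resolv_conf)
    state.plaintext_address, state.local_server_bind = parse_gluetun_log(log_lines)

    if state.plaintext_address != expected_dns:
        state.findings.append(
            f"log reports plaintext DNS {state.plaintext_address!r}, "
            f"but DNS_ADDRESS is {expected_dns!r}")
    if not state.resolvers:
        state.findings.append("resolv.conf has no nameserver entries")
    for r in state.resolvers:
        if is_loopback(r) and state.local_server_bind:
            # Anything honouring resolv.conf sends queries to the in-container
            # listener first; DNS_ADDRESS is only reached if that listener forwards.
            state.findings.append(
                f"resolv.conf points at loopback {r} and a DNS server is listening on "
                f"{state.local_server_bind}: queries go through it, not straight to "
                f"DNS_ADDRESS {expected_dns}")
        elif r != expected_dns and not is_loopback(r):
            state.findings.append(
                f"resolv.conf nameserver {r} is neither loopback nor DNS_ADDRESS {expected_dns}")
    return state


# Constructed sample: the report does not include /etc/resolv.conf, so this is assumed.
SAMPLE_RESOLV_CONF = "# assumed content\nnameserver 127.0.0.1\n"

# Log lines copied from the report (annotation removed from the first one).
SAMPLE_LOG = [
    "2025-04-16T00:19:54Z INFO [dns] using plaintext DNS at address 10.42.0.40",
    "2025-04-16T00:19:54Z INFO [wireguard] Connecting to 185.159.156.109:51820",
    "2025-04-16T00:20:10Z INFO [dns] DNS server listening on [::]:53",
    "2025-04-16T00:20:11Z INFO [dns] ready",
]

if __name__ == "__main__":
    result = diagnose("10.42.0.40", SAMPLE_RESOLV_CONF, SAMPLE_LOG)
    for finding in result.findings:
        print("-", finding)
```

To use it on a live container, replace the two samples with `docker exec gluetun-firefox cat /etc/resolv.conf` and `docker logs gluetun-firefox`; an empty findings list means resolv.conf names only DNS_ADDRESS and no in-container listener started, which is the state the reporter expected.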
Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
