Pi-Hole does not answer DNS queries on TCP before it has answered on UDP

Hello,

I have a pi-hole deployed on my NAS using Docker and a macvlan network (so it has its own IP address and does not interfere with the host's DNS resolver) and I have been trying to get it to answer DNS queries using TCP (the goal is to set up DNS over TLS using a reverse-proxy).

The weird thing is, if I make the same DNS query with UDP and then with TCP, it works:

axel@axel-Inspiron-7370:~$ kdig @192.168.0.153 axeleroy.com +tcp
;; WARNING: response timeout for 192.168.0.153@53(TCP)
;; ERROR: failed to query server 192.168.0.153@53(TCP)
axel@axel-Inspiron-7370:~$ kdig @192.168.0.153 axeleroy.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 65363
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
 
;; QUESTION SECTION:
;; axeleroy.com.       		IN	A
 
;; ANSWER SECTION:
axeleroy.com.       	3600	IN	A	213.186.33.5
 
;; Received 46 B
;; Time 2022-07-24 18:37:58 CEST
;; From 192.168.0.153@53(UDP) in 49.5 ms
axel@axel-Inspiron-7370:~$ kdig @192.168.0.153 axeleroy.com +tcp
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 38467
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; axeleroy.com.       		IN	A
 
;; ANSWER SECTION:
axeleroy.com.       	3598	IN	A	213.186.33.5
 
;; Received 46 B
;; Time 2022-07-24 18:38:00 CEST
;; From 192.168.0.153@53(TCP) in 7.1 ms

To note, I had to add the DNSMASQ_LISTENING=all environment variable to Docker in order to get TCP to work at all. I also have the following capabilities enabled: CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_NET_ADMIN and CAP_SYS_NICE.

Has anyone any idea of what I might have missed?
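
An added example, not part of the original post: a small Python probe that repeats the TCP, UDP, TCP sequence from the session above and labels a TCP failure as happening during the connect or while waiting for the response. The function names and the 3-second timeout are assumptions of this example.

```python
import socket, struct, time

def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: header with RD set, one question, class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Return (id, rcode, answer_count) from a DNS message."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def tcp_exchange(sock, msg):
    """DNS over TCP: every message carries a 2-byte big-endian length prefix."""
    sock.sendall(struct.pack("!H", len(msg)) + msg)
    return recv_exact(sock, struct.unpack("!H", recv_exact(sock, 2))[0])

def query(server, name, transport, port=53, timeout=3.0):
    """One query; returns (outcome, ms). A failure is labelled with its stage."""
    msg, stage, start = build_query(name), "connect", time.monotonic()
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (server, port))
                stage = "response"
                reply = s.recvfrom(4096)[0]
        else:
            with socket.create_connection((server, port), timeout=timeout) as s:
                stage = "response"  # handshake done; the server accepted the connection
                reply = tcp_exchange(s, msg)
        _, rcode, answers = parse_header(reply)
        outcome = f"rcode={rcode} answers={answers}"
    except (OSError, struct.error) as e:  # timeouts, refusals, resets, short replies
        outcome = f"{type(e).__name__} during {stage}"
    return outcome, round((time.monotonic() - start) * 1000, 1)

def probe(server, name, order=("tcp", "udp", "tcp")):
    """Run the transports in the order shown in the post."""
    return [(t, *query(server, name, t)) for t in order]
```

Calling `probe("192.168.0.153", "axeleroy.com")` right after the container starts returns one `(transport, outcome, ms)` tuple per query. A timeout during `connect` on the first TCP attempt points below the DNS server (network path or listener), while a timeout during `response` means the connection was accepted but never answered.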