I got it fixed by binding the DNS listening port to the Pi-hole node's local address in the docker-compose file of Pi-hole, in my case `"192.168.50.11:53:53/udp"` instead of `"53:53/udp"`.
I am not sure why this solution worked. The solution was linked by someone on Reddit. I have also added this in my Reddit post linked above.
Related links:
opened 04:21AM - 04 Mar 21 UTC
closed 03:18PM - 03 May 22 UTC
no-issue-activity
------------------------------
## Expected Behavior
DNS lookups should only occur for legitimate web addresses. Lookups should stop or time out when no response is received rather than continue indefinitely.
## Current Behavior
My pihole logs are showing repeated (about 1x per second) requests from client IP 172.17.0.1 (the docker0 network adapter) to lookup ".". This has been going on since I set the container up (going on 2-3 weeks now). The activity stops when the Wireguard docker container is stopped. I have set pihole to block the request as otherwise pihole forwards the request to its DNS provider. Blocking the DNS does not appear to affect wireguard functionality. There are no other Docker containers or services on this system (beyond those enabled by default with Raspbian).
## Steps to Reproduce
1. Install pihole/pihole docker container and setup
2. Install linuxserver/wireguard docker container and setup (on the same system with pihole/pihole)
3. Observe repeated DNS lookups from 172.17.0.1 to "." in the pihole logs:
![Screenshot_20210303_214743](https://user-images.githubusercontent.com/23441049/109908694-5470fa80-7c6a-11eb-9463-1061823490ce.jpeg)
## Environment
**OS:** Raspbian 10
**CPU architecture:** arm32 (Raspberry Pi 4)
**How docker service was installed:** From the official docker repo
## Command used to create docker container (run/create/compose/screenshot)
```
# Create the container (run as root or prefix with sudo).
# NET_ADMIN lets the entrypoint create wg0 and add the routes/iptables rules
# seen in the logs below; SYS_MODULE lets it load the wireguard kernel module
# when it is not already active. /lib/modules and /usr/src are mounted so the
# image can compile the module against the running kernel if needed.
docker create \
--name=wireguard \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--restart=on-failure:5 \
-e PUID=1000 \
-e PGID=1000 \
-e TZ="America/Chicago" \
-e SERVERURL=xxxxxxx.yyyyyyyy.zzz \
-e SERVERPORT=51820 \
-e PEERS=MPhone,MLaptop \
-e PEERDNS=auto \
-e INTERNAL_SUBNET=10.13.13.0 \
-p 51820:51820/udp \
-v /opt/wireguard/data/config:/config \
-v /lib/modules:/lib/modules \
-v /usr/src:/usr/src \
linuxserver/wireguard
# Then start it.
docker start wireguard
```
## Docker logs
```
# docker logs wireguard
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 1000
User gid: 1000
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing...
Uname info: Linux fd7d47c206fe 5.10.11-v7l+ #1399 SMP Thu Jan 28 12:09:48 GMT 2021 armv7l armv7l armv7l GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** External server address is set to xxxxxxx.yyyyyyyy.zzz ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.13.13.0 ****
**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
**** Server mode is selected ****
**** No changes to parameters. Existing configs are used. ****
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
.:53
CoreDNS-1.8.3
linux/arm, go1.16, 4293992
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.13.13.3/32 dev wg0
[#] ip -4 route add 10.13.13.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
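To quantify the symptom in the issue above (one client hammering one name at roughly one query per second) rather than eyeballing the query log, here is an added example that counts per-client, per-name query rates in Pi-hole's dnsmasq-style log. It is not code from the issue, Pi-hole or linuxserver.io. The sample log lines are constructed, and the query type used for the "." lookups is assumed, since the issue does not show it.

```python
"""
Find (client, name) pairs that query Pi-hole in a tight loop, such as the
repeated "." lookups from 172.17.0.1 reported in the issue above.
Added example; not code from the GitHub issue, Pi-hole or linuxserver.io.
"""
import re
from collections import defaultdict
from datetime import datetime

# dnsmasq query line shape as written to /var/log/pihole.log, e.g.
#   "Mar  3 21:47:43 dnsmasq[543]: query[A] . from 172.17.0.1"
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample: twelve "." queries one second apart from the docker0
# gateway (query type A is assumed here), plus ordinary traffic from a LAN host.
SAMPLE_LOG = [
    f"Mar  3 21:47:{s:02d} dnsmasq[543]: query[A] . from 172.17.0.1"
    for s in range(30, 42)
] + [
    "Mar  3 21:47:31 dnsmasq[543]: query[A] github.com from 192.168.1.50",
    "Mar  3 21:47:31 dnsmasq[543]: forwarded github.com to 1.1.1.1",
    "Mar  3 21:47:35 dnsmasq[543]: query[AAAA] github.com from 192.168.1.50",
]


def parse_query_lines(lines, year=2021):
    """Yield (timestamp, client, qtype, name) for each query line; skip others.

    dnsmasq does not log the year, so it is supplied by the caller.
    """
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], m["qtype"], m["name"]


def noisy_clients(lines, min_queries=10, min_rate_per_min=30.0):
    """Return [(client, name, count, queries_per_minute)] for (client, name)
    pairs that exceed both thresholds, highest rate first.

    The rate is averaged over the span between the first and last query for
    that pair; a span shorter than one second is treated as one second.
    """
    counts = defaultdict(int)
    first, last = {}, {}
    for ts, client, _qtype, name in parse_query_lines(lines):
        key = (client, name)
        counts[key] += 1
        first.setdefault(key, ts)
        last[key] = ts

    results = []
    for key, n in counts.items():
        if n < min_queries:
            continue
        span = (last[key] - first[key]).total_seconds()
        rate = n * 60.0 / max(span, 1.0)
        if rate >= min_rate_per_min:
            results.append((key[0], key[1], n, round(rate, 1)))
    results.sort(key=lambda r: r[3], reverse=True)
    return results


if __name__ == "__main__":
    # Real use: noisy_clients(open("/var/log/pihole.log"))
    for client, name, n, rate in noisy_clients(SAMPLE_LOG):
        print(f"{client} -> {name!r}: {n} queries, {rate} per minute")
```

On the constructed sample this reports only the docker0 gateway asking for "." (12 queries in 11 seconds, about 65 per minute); the two github.com queries from the LAN host fall under the count threshold.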
## Problem
When using docker pihole container as the sole DNS on the network, other containers cannot resolve DNS.
## Symptoms
Other containers unable to resolve DNS
Using nslookup in other containers gives errors stating something like
;; reply from unexpected source: 172.17.0.1#53, expected 192.168.1.2#53
where 192.168.1.2 is the pihole DNS and 172.17.0.1 is the docker bridge network gateway
pihole logs show that the queries from other containers are arriving, forwarding, and being responded to a…
Note that a user in the docker-wireguard GitHub issue is blaming pihole docker for this.
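Two things on this page are worth checking with a tool rather than by eye: the fix at the top (binding Pi-hole's port 53 to the host's LAN address) and the nslookup error quoted in the second issue, which is the resolver rejecting a reply whose source address differs from the address it sent the query to. The following is an added example of mine, not code from the post, Pi-hole or either issue: it sends one raw UDP DNS query and reports whether the reply came back from the queried address, so the same test can be run before and after changing the port binding. The server address, name and port are arguments you supply; pass the server as an IP address, since the comparison is against the literal address the query went to.

```python
"""
Probe a DNS server over UDP and flag replies whose source (ip, port) differs
from the (ip, port) the query was sent to, which is the condition behind
nslookup's ";; reply from unexpected source: 172.17.0.1#53, expected
192.168.1.2#53". Added example; not code from the forum post, Pi-hole or
the linked GitHub issues.
"""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: one question, recursion desired. qtype 1 = A."""
    if txid is None:
        txid = random.randrange(0x10000)
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Labels as length-prefixed bytes; "." (the root) encodes as a lone 0x00.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
        if label
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def parse_header(data):
    """Decode the 12-byte DNS header into the fields worth looking at."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify_reply(sent_to, received_from):
    """'ok' when the reply source is exactly the (ip, port) queried,
    'unexpected-source' otherwise (what nslookup complains about)."""
    return "ok" if sent_to == received_from else "unexpected-source"


def probe(server, name="pi.hole", port=53, timeout=2.0):
    """Send one query to server:port and return a verdict dict.

    Needs network access; `server` should be an IP address, not a hostname.
    Raises socket.timeout if nothing comes back, which is itself a finding.
    """
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, src = sock.recvfrom(4096)
    header = parse_header(data)
    return {
        "sent_to": (server, port),
        "received_from": src,
        "verdict": classify_reply((server, port), src),
        "id_matches": header["id"] == txid,
        "is_response": header["is_response"],
        "rcode": header["rcode"],
        "answers": header["answers"],
    }


if __name__ == "__main__":
    import sys

    # Example: python probe.py 192.168.1.2  (run from inside a container
    # that shows the nslookup error, and again after changing the binding)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

A verdict of `unexpected-source` with `id_matches` true means the answer is really Pi-hole's and only the source address was rewritten on the way back, which is what the second issue describes; a timeout means the query never got a reply at all, a different problem.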