
Wireguard is performing an invalid DNS lookup about once per second #101

Closed
texneus opened this issue Mar 4, 2021 · 19 comments

Comments

@texneus

texneus commented Mar 4, 2021

Expected Behavior

DNS lookups should only occur for legitimate web addresses. Lookups should stop or time out when no response is received rather than continue indefinitely.

Current Behavior

My pihole logs are showing repeated (about 1x per second) requests from client IP 172.17.0.1 (the docker0 network adapter) to lookup ".". This has been going on since I set the container up (going on 2-3 weeks now). The activity stops when the Wireguard docker container is stopped. I have set pihole to block the request as otherwise pihole forwards the request to its DNS provider. Blocking the DNS does not appear to affect wireguard functionality. There are no other Docker containers or services on this system (beyond those enabled by default with Raspbian).

Steps to Reproduce

  1. Install pihole/pihole docker container and setup
  2. Install linuxserver/wireguard docker container and setup (on the same system with pihole/pihole)
  3. Observe repeated DNS lookups from 172.17.0.1 to "." in the pihole logs:
    [screenshot attached in the original issue: Screenshot_20210303_214743]

Environment

OS: Raspbian 10
CPU architecture: arm32 (Raspberry Pi 4)
How docker service was installed: From the official docker repo

Command used to create docker container (run/create/compose/screenshot)

# docker create \
     --name=wireguard \
     --cap-add=NET_ADMIN \
     --cap-add=SYS_MODULE \
     --restart=on-failure:5 \
     -e PUID=1000 \
     -e PGID=1000 \
     -e TZ="America/Chicago" \
     -e SERVERURL=xxxxxxx.yyyyyyyy.zzz \
     -e SERVERPORT=51820 \
     -e PEERS=MPhone,MLaptop \
     -e PEERDNS=auto \
     -e INTERNAL_SUBNET=10.13.13.0 \
     -p 51820:51820/udp \
     -v /opt/wireguard/data/config:/config \
     -v /lib/modules:/lib/modules \
     -v /usr/src:/usr/src \
     linuxserver/wireguard

# docker start wireguard

Docker logs

# docker logs wireguard
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing... 

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing... 
Uname info: Linux fd7d47c206fe 5.10.11-v7l+ #1399 SMP Thu Jan 28 12:09:48 GMT 2021 armv7l armv7l armv7l GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** Server mode is selected ****
**** External server address is set to xxxxxxx.yyyyyyyy.zzz ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 10.13.13.0 ****
**** AllowedIPs for peers 0.0.0.0/0, ::/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 10.13.13.1 to use wireguard docker host's DNS. ****
**** Server mode is selected ****
**** No changes to parameters. Existing configs are used. ****
[cont-init.d] 30-config: exited 0.
[cont-init.d] 99-custom-scripts: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-scripts: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[#] ip link add wg0 type wireguard
.:53
CoreDNS-1.8.3
linux/arm, go1.16, 4293992
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.13.13.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.13.13.3/32 dev wg0
[#] ip -4 route add 10.13.13.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
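The report above only has a screenshot as evidence, so here is an added Python example (not from the issue or the linuxserver project) that detects the same symptom in a Pi-hole/dnsmasq-style query log: one client repeatedly asking for the root zone "." at roughly one query per second. The log lines are constructed for the example in dnsmasq's `query[TYPE] name from client` format, and 172.17.0.1 is the docker0 address named in the report; the thresholds are assumptions you would tune for your own log volume.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log in dnsmasq/Pi-hole query-log format (not taken from the issue).
# 172.17.0.1 is the docker0 bridge address the reporter saw; 192.168.1.50 is a normal LAN client.
SAMPLE_LOG = """\
Mar  4 21:47:40 dnsmasq[312]: query[SOA] . from 172.17.0.1
Mar  4 21:47:41 dnsmasq[312]: query[SOA] . from 172.17.0.1
Mar  4 21:47:41 dnsmasq[312]: query[A] example.com from 192.168.1.50
Mar  4 21:47:41 dnsmasq[312]: forwarded example.com to 9.9.9.9
Mar  4 21:47:42 dnsmasq[312]: query[SOA] . from 172.17.0.1
Mar  4 21:47:43 dnsmasq[312]: query[SOA] . from 172.17.0.1
Mar  4 21:47:44 dnsmasq[312]: query[SOA] . from 172.17.0.1
Mar  4 21:47:45 dnsmasq[312]: query[A] example.org from 192.168.1.50
"""

# Matches only the "query[...]" lines; "forwarded", "reply", "cached" etc. are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Docker's default bridge network (docker0) uses 172.17.0.0/16 unless reconfigured.
DOCKER_DEFAULT_BRIDGE = ipaddress.ip_network("172.17.0.0/16")


def parse_queries(log_text, year=2021):
    """Yield (timestamp, qtype, name, client) for each query line.

    Syslog timestamps carry no year, so one is supplied (assumed 2021 here)."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        yield ts, m["qtype"], m["name"], m["client"]


def from_docker_bridge(client):
    """True if the querying client sits on Docker's default bridge network."""
    try:
        return ipaddress.ip_address(client) in DOCKER_DEFAULT_BRIDGE
    except ValueError:
        return False


def find_repeating_root_queries(log_text, min_count=3, max_mean_interval=2.0):
    """Flag (client, qtype) pairs that query the root zone "." at least min_count
    times with a mean spacing of max_mean_interval seconds or less."""
    groups = defaultdict(list)
    for ts, qtype, name, client in parse_queries(log_text):
        groups[(client, name, qtype)].append(ts)

    findings = []
    for (client, name, qtype), stamps in groups.items():
        if name != "." or len(stamps) < min_count:
            continue
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        mean_interval = span / (len(stamps) - 1)
        if mean_interval <= max_mean_interval:
            findings.append({
                "client": client,
                "qtype": qtype,
                "count": len(stamps),
                "mean_interval_s": round(mean_interval, 2),
                "from_docker_bridge": from_docker_bridge(client),
            })
    return findings


if __name__ == "__main__":
    for f in find_repeating_root_queries(SAMPLE_LOG):
        print(f"{f['client']} sent {f['count']} {f['qtype']} queries for '.' "
              f"every ~{f['mean_interval_s']}s (docker bridge: {f['from_docker_bridge']})")
```

Run it against `/var/log/pihole.log` by reading the file into `find_repeating_root_queries`; a hit whose client is on the Docker bridge points at a container on that host rather than a LAN device, which is the first thing to establish before changing DNS bindings.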
@github-actions

github-actions bot commented Mar 4, 2021

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

@DerRockWolf

I'm also observing the same behavior.

In my case supposedly due to this the wireguard container also doesn't seem to accept an answer from the pihole.

How did you configure the wg container to use your pihole container?

@texneus

texneus commented Mar 5, 2021

I have my router set to use pihole as DNS so my whole network uses it.

@DerRockWolf

DerRockWolf commented Mar 21, 2021

I could fix this issue by connecting the pihole and wireguard container directly together with a network.
See my docker-compose.yml files for reference: (They are placed in different directories)

# docker-compose.yml in the pihole directory
version: "2"

networks:
  pihole:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/16

services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 80:80/tcp
      - 443:443/tcp
    networks:
      pihole:
        ipv4_address: 172.30.0.2
    volumes:
      - ./etc-pihole/:/etc/pihole/
      - ./etc-dnsmasq.d/:/etc/dnsmasq.d/
    dns:
      - 127.0.0.1
    restart: unless-stopped

# docker-compose.yml in the wireguard directory
version: "3"

networks:
  pihole:
    external: true
    name: pihole_pihole

services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    networks:
      pihole:
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    dns:
      - 172.30.0.2  # ip of pihole

A DNS request to . is returning a SOA record. The wireguard container is probably trying to get that.

@texneus

texneus commented Mar 29, 2021

Yes indeed, adding the DNS entries to the container has made everything quiet. I genuinely do not know if this is a workaround for a real problem or a true fix, so I'll leave it up to the powers that be to decide if this should be closed or stay open for more action.

@DerRockWolf

Could you elaborate on what and how you've added the DNS entries to the container?

@texneus

texneus commented Mar 30, 2021

I did exactly as you suggested and added my pihole DNS entries to the wireguard container (nothing else was changed).

docker create \
 --name=$DOCNAME \
 --cap-add=NET_ADMIN \
 --cap-add=SYS_MODULE \
 --dns=PIHOLE#1_IP_ADDRESS \
 --dns=PIHOLE#2_IP_ADDRESS \
 --restart=on-failure:5 \
 -e PUID=1000 \
 -e PGID=1000 \
 -e TZ="America/Chicago" \
 -e SERVERURL=xxxxxxx.yyyyyyyy.zzz \
 -e SERVERPORT=51820 \
 -e PEERS=MPhone,MLaptop \
 -e PEERDNS=auto \
 -e INTERNAL_SUBNET=10.13.13.0 \
 -p 51820:51820/udp \
 -v /opt/wireguard/data/config:/config \
 -v /lib/modules:/lib/modules \
 -v /usr/src:/usr/src \
 linuxserver/wireguard

EDIT: Since my router's DNS points at both Piholes, could I have / should I put my router IP address instead?

@DerRockWolf

DerRockWolf commented Mar 31, 2021

> Since my router's DNS points at both Piholes, could I have / should I put my router IP address instead?

I think that it should work regardless.

I still have a few questions, because I could only fix my problem by connecting both containers together:

  • Are you speaking about two piholes now?
  • Are they running on the same docker host?
  • Are PIHOLE#1_IP_ADDRESS and PIHOLE#2_IP_ADDRESS addresses from docker, like 172.*.*.*, or is this the IP of your docker host with mapped ports?

@texneus

texneus commented Apr 10, 2021

I don't see where you are "joining" networks, but I am not fluent in docker compose. I see where you create a bridge network from the Pihole docker but per docker documentation (see https://docs.docker.com/network/) that is what docker defaults to if not otherwise specified. I'm probably missing something subtle here.

I do have two piholes ever since I had a pi power supply die while on a trip (when else would it do so?) leaving a non-accessible network in its wake since my dynamic DNS software couldn't function. They are not on the same host but ARE on the same network. Pihole1 is docker and on the same raspberry pi host with docker wireguard. Pihole2 is also docker but runs on my server. The IP addresses I specified are the physical IPs (192.168.1.3 and 192.168.1.219 respectively), not localhost or 127.0.0.1.

As it relates to this issue...I don't think it's relevant. Only the Pihole plus Wireguard had this problem. The second pihole was also removed to check.

@DerRockWolf

> I'm probably missing something subtle here.

No. You're totally right. I somehow forgot while writing the comment that compose is creating a network by default.
I actually have two docker-compose.yml files within different directories, that's why I need to specify a network.

> As it relates to this issue...I don't think it's relevant.

You are right. I was just curious because you suddenly spoke about two piholes :)

Back to topic:
The real issue seems to be that the wireguard container is trying to get the SOA record of the DNS server but isn't accepting it (Pihole is actually responding to these requests).
This could have different reasons. One I could think of is that the container isn't receiving the answer directly from the DNS server because of some internal Docker DNS magic. But this could also be completely false.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@CrookedBIOS

I got it fixed by binding the DNS listening port to the specific external IP in the docker-compose file of Pi-hole,
in my case - "192.168.1.5:53:53/udp" instead of - "53:53/udp". I found the solution in another issue regarding DNS resolution in other docker containers when using Pi-hole.

@koenvanzuijlen

I was also experiencing this issue; @CrookedBIOS's fix seems to have helped. But I don't really know why Wireguard doesn't accept the answer from Pi-hole? The queries were correctly forwarded to the DNS provider configured.

@lk3de

lk3de commented Feb 21, 2022

Adding a comment to keep the issue open - I solved it as well using the recommendation from @CrookedBIOS. I'm not sure if this is an issue that needs to be fixed on the Wireguard side or on the Pi-hole side. Maybe someone else is able to dig deeper and find the root cause.


@aptalca

aptalca commented May 3, 2022

This is not an issue with wireguard or coredns, or our image. It has to do with running pihole in a container, and incorrectly accessing it (docker network vs host mapped port).

We don't recommend running DNS (or DHCP) servers in a container for various reasons including this one.

Closing.

@aptalca aptalca closed this as completed May 3, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 3, 2023