From 1b789b5f81ddfd758688a166f5e4573fd27d79bd Mon Sep 17 00:00:00 2001 From: Ainar Garipov Date: Thu, 13 May 2021 14:30:40 +0300 Subject: [PATCH] Pull request: dnsforward: exclude docker dns Updates #3064. Squashed commit of the following: commit 2cfeb830853dffcb26968d0a4d21b623f00da275 Author: Ainar Garipov Date: Thu May 13 14:02:08 2021 +0300 all: imp code, expose pprof port commit a22656a3fd24253f7327eff5168ea84391c8d758 Author: Ainar Garipov Date: Thu May 13 13:34:05 2021 +0300 all: imp code, dockerfile commit 35e2145fe061d0d803b46578539499ecfe9d3ea4 Author: Ainar Garipov Date: Thu May 13 12:34:09 2021 +0300 dnsforward: exclude docker dns --- CHANGELOG.md | 2 ++ bamboo-specs/release.yaml | 4 +++- internal/aghnet/systemresolvers_others.go | 17 +++++++++++++++++ scripts/make/Dockerfile | 7 ++++--- 4 files changed, 26 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b1754378..7ce8bc73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,11 +19,13 @@ and this project adheres to ### Fixed +- Local PTR request recursion in Docker containers ([#3064]). - Ignoring client-specific filtering settings when filtering is disabled in general settings ([#2875]). - Disallowed domains are now case-insensitive ([#3115]). [#2875]: https://github.com/AdguardTeam/AdGuardHome/issues/2875 +[#3064]: https://github.com/AdguardTeam/AdGuardHome/issues/3064 [#3115]: https://github.com/AdguardTeam/AdGuardHome/issues/3115 diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml index 46eb0ba4..c2f3f92c 100644 --- a/bamboo-specs/release.yaml +++ b/bamboo-specs/release.yaml @@ -229,7 +229,9 @@ - 'adg-docker': 'true' 'triggers': -- 'cron': '0 30 14 ? * MON-FRI *' +# Don't use minute values that end with a zero or a five as these are often used +# in CI and so resources during these minutes can be quite busy. +- 'cron': '0 42 13 ? * MON-FRI *' 'branches': 'create': 'manually' 'delete': 
diff --git a/internal/aghnet/systemresolvers_others.go b/internal/aghnet/systemresolvers_others.go index c9417c9d..98a257c2 100644 --- a/internal/aghnet/systemresolvers_others.go +++ b/internal/aghnet/systemresolvers_others.go @@ -82,6 +82,12 @@ func validateDialedHost(host string) (err error) { return nil } +// dockerEmbeddedDNS is the address of Docker's embedded DNS server. +// +// See +// https://github.com/moby/moby/blob/v1.12.0/docs/userguide/networking/dockernetworks.md. +const dockerEmbeddedDNS = "127.0.0.11" + // dialFunc gets the resolver's address and puts it into internal cache. func (sr *systemResolvers) dialFunc(_ context.Context, _, address string) (_ net.Conn, err error) { // Just validate the passed address is a valid IP. @@ -93,6 +99,17 @@ func (sr *systemResolvers) dialFunc(_ context.Context, _, address string) (_ net return nil, fmt.Errorf("%s: %w", err, errBadAddrPassed) } + // Exclude Docker's embedded DNS server, as it may cause recursion if + // the container is set as the host system's default DNS server. + // + // See https://github.com/AdguardTeam/AdGuardHome/issues/3064. + // + // TODO(a.garipov): Perhaps only do this when we are in the container? + // Maybe use an environment variable? + if host == dockerEmbeddedDNS { + return nil, errFakeDial + } + err = validateDialedHost(host) if err != nil { return nil, fmt.Errorf("validating dialed host: %w", err) diff --git a/scripts/make/Dockerfile b/scripts/make/Dockerfile index a1b2a945..da8bce06 100644 --- a/scripts/make/Dockerfile +++ b/scripts/make/Dockerfile 
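Review bot: In `dialFunc` (internal/aghnet/systemresolvers_others.go), the new check `if host == dockerEmbeddedDNS` is a string comparison, so it only matches the exact spelling `127.0.0.11`. Whether another textual form of the same address (for example an IPv4-mapped IPv6 literal) can reach this point depends on the host-splitting code above the hunk, which is not visible here. Comparing parsed addresses would be sturdier: `if ip := net.ParseIP(host); ip != nil && ip.Equal(net.ParseIP(dockerEmbeddedDNS)) {`. The exclusion is also unconditional and silent, as the TODO admits, so on a host that is not a container a resolver deliberately configured on that loopback address disappears from the system resolver set with no trace. A debug-level log line before `return nil, errFakeDial` would make that diagnosable. `dialFunc` starts above this hunk and continues below it.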
@@ -37,13 +37,14 @@ RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome # 67, 68 : DHCP # 80 : HTTP # 443 : HTTPS, DNS-over-HTTPS, DNSCrypt -# 784 : DNS-over-QUIC # 853 : DNS-over-TLS # 3000 : HTTP alt # 3001 : HTTP beta # 5443 : DNSCrypt alt -EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 784/udp\ - 853/tcp 3000/tcp 3001/tcp 5443/tcp 5443/udp +# 6060 : HTTP pprof +# 8853 : DNS-over-QUIC +EXPOSE 53/tcp 53/udp 67/udp 68/udp 80/tcp 443/tcp 443/udp 853/tcp\ + 3000/tcp 3001/tcp 5443/tcp 5443/udp 6060/tcp 8853/udp WORKDIR /opt/adguardhome/work
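Review bot: Adding `6060/tcp` to the `EXPOSE` line advertises the pprof listener as part of the release image's network interface. `EXPOSE` does not publish anything by itself, but `docker run -P` and tooling that reads image metadata will map it, and Go's pprof handlers serve heap and goroutine dumps and the process command line without authentication. Whether the listener is enabled by default and which address it binds to is not visible in this patch. I would either leave 6060 out of `EXPOSE` so operators who need profiling publish it explicitly, or make the comment say so: `# 6060 : HTTP pprof (debug only; do not publish to untrusted networks)`. Separately, moving DNS-over-QUIC from `784/udp` to `8853/udp` changes the image's interface for existing deployments and is not mentioned in the CHANGELOG hunk of this patch.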