
Unusually long queries when container in macvlan network

Open axeleroy opened this issue 3 years ago • 0 comments

Hello,

I have my PiHole set up in a macvlan network and wanted to add unbound within it. Unfortunately, DNS queries to unbound are unusually long.

# Query made from the pihole container
dig @unbound google.com +timeout=120

; <<>> DiG 9.16.27-Debian <<>> @unbound google.com +timeout=120
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33490
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 70430 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Sat Aug 06 17:31:20 CEST 2022
;; MSG SIZE  rcvd: 39

When the container is set in a bridge network, queries are under 100ms. I can't wrap my head around why DNS queries would take 700 times longer because unbound is in a macvlan network.


For context, here is my docker-compose

version: '3'

services:

  pihole:
    container_name: pihole
    image: pihole/pihole:2022.07.1
    depends_on:
      - unbound
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
    environment:
      TZ: "Europe/Paris"
      WEBPASSWORD: "xxx"
      SERVER_IP: "192.168.0.153"
      # DNS1: "unbound"
      DNS1: "1.1.1.1" # Had to revert to CloudFlare's DNS
    volumes:
      - /home/axel/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
      - /home/axel/pihole/etc-pihole:/etc/pihole
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      macvlan_eth1:
        ipv4_address: 192.168.0.153

  unbound:
    container_name: unbound
    image: klutchell/unbound:latest
    restart: unless-stopped
    networks:
      - macvlan_eth1
  
  tls-proxy:
    image: dns-over-tls:latest-arm
    container_name: pihole-tls-proxy
    depends_on:
      - pihole
    ports:
      - "853:853/tcp"
    environment:
      DNS_UPSTREAM_ADDRESS: "pihole"
      DNS_UPSTREAM_PORT: 53
      TLS_CERTIFICATE: "xxx"
      TLS_CERTIFICATE_KEY: "xxx"
    volumes:
      - bunkerweb_bunkerweb-data:/certificates:ro
    networks:
      macvlan_eth1:
        ipv4_address: 192.168.0.154
   
networks:
  macvlan_eth1:
    driver: macvlan
    driver_opts:
      parent: eth1
    ipam:
      config:
        - subnet: "192.168.0.0/24"
          ip_range: "192.168.0.128/26"
          gateway: "192.168.0.1"
 
volumes:
  bunkerweb_bunkerweb-data:
    external: true

axeleroy avatar Aug 06 '22 15:08 axeleroy
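The dig output in the report carries the two signals a resolver health check would key on: the `status:` field in the header (SERVFAIL here, not NOERROR) and the `;; Query time:` line (70430 msec). The following POSIX shell script is an added example, not code from the issue or from the klutchell/unbound image; it parses dig output into those two values and reports a resolver as unhealthy when the status is not NOERROR or the query time exceeds a threshold. The sample output embedded in the script is a constructed copy of the dig run shown in the issue plus a constructed healthy run; the `check_resolver` function, which runs `dig` live, assumes `dig` (bind-utils / dnsutils) is installed and is not exercised by the embedded samples.

```shell
#!/bin/sh
# Added example (not part of the original issue): parse dig output and decide
# whether a resolver answered correctly and quickly enough.

# Print the RCODE from the dig header line (e.g. NOERROR, SERVFAIL, NXDOMAIN).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1
}

# Print the reported query time in milliseconds (empty if absent).
dig_query_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n1
}

# Return 0 when the output shows NOERROR and a query time <= $2 milliseconds.
# A SERVFAIL, a missing query-time line, or a slow answer all return 1.
resolver_healthy() {
    rh_status=$(dig_status "$1")
    rh_ms=$(dig_query_ms "$1")
    [ "$rh_status" = "NOERROR" ] && [ -n "$rh_ms" ] && [ "$rh_ms" -le "$2" ]
}

# Live check (hypothetical helper, assumes dig is installed):
#   check_resolver 192.168.0.2 google.com 1000
# Uses a short timeout and a single try so a hung upstream fails fast instead of
# stalling for the 70 seconds seen in the issue.
check_resolver() {
    cr_out=$(dig @"$1" "$2" +timeout=5 +tries=1 2>&1)
    if resolver_healthy "$cr_out" "$3"; then
        printf 'OK   %s -> %s (%s ms)\n' "$1" "$(dig_status "$cr_out")" "$(dig_query_ms "$cr_out")"
        return 0
    fi
    printf 'FAIL %s -> %s (%s ms)\n' "$1" "$(dig_status "$cr_out")" "$(dig_query_ms "$cr_out")"
    return 1
}

# Constructed sample: the failing run from the issue (SERVFAIL after 70 s).
SAMPLE_SERVFAIL=$(cat <<'EOF'
; <<>> DiG 9.16.27-Debian <<>> @unbound google.com +timeout=120
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33490
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 70430 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
EOF
)

# Constructed sample: what a healthy answer from the same resolver looks like.
SAMPLE_OK=$(cat <<'EOF'
; <<>> DiG 9.16.27-Debian <<>> @unbound google.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 38 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
EOF
)

# Stand-alone demonstration on the embedded samples.
if [ "${DIG_CHECK_DEMO:-1}" = "1" ]; then
    for sample in "$SAMPLE_SERVFAIL" "$SAMPLE_OK"; do
        if resolver_healthy "$sample" 1000; then
            printf 'healthy:   status=%s time=%sms\n' "$(dig_status "$sample")" "$(dig_query_ms "$sample")"
        else
            printf 'unhealthy: status=%s time=%sms\n' "$(dig_status "$sample")" "$(dig_query_ms "$sample")"
        fi
    done
fi
```

Run it as a periodic check against the resolver address Pi-hole is pointed at; the short `+timeout`/`+tries` keeps a broken upstream from blocking the check, and the threshold makes a regression from sub-100 ms to tens of seconds visible before clients notice it.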