Bootstrap logic in proxy-dns mode
slowpeek opened this issue · comments
There is a flag `bootstrap` and its corresponding env var `TUNNEL_DNS_BOOTSTRAP` with a sane default value:

cloudflared/cmd/cloudflared/proxydns/cmd.go, lines 50 to 55 in 00cd7c3
As I understand it, bootstraps are used to resolve domains in upstream URLs. So I set `TUNNEL_DNS_UPSTREAM=https://dns.digitale-gesellschaft.ch/dns-query` and start `cloudflared-linux-arm64 proxy-dns`. On my test system outgoing traffic is only allowed to TCP port 443. When I try to resolve a name there is such a message in the log:
```
ERR failed to connect to an HTTPS backend "https://dns.digitale-gesellschaft.ch/dns-query"
error="failed to perform an HTTPS request: Post \"https://dns.digitale-gesellschaft.ch/dns-query\":
dial tcp: lookup dns.digitale-gesellschaft.ch on 192.168.2.1:53:
write udp 192.168.2.3:44618->192.168.2.1:53: write: operation not permitted"
```
`192.168.2.1:53` is the system resolver. `192.168.2.3` is the test system.
So instead of falling back to the secure bootstrap, it tried to use the cleartext system resolver. Should it be like that?
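The behaviour the report expects is that the hostname in a DoH upstream URL is resolved only through the configured bootstrap, and that a bootstrap failure is an error rather than a silent fall-back to the cleartext system resolver (which is what the `lookup ... on 192.168.2.1:53` line in the log shows happening). The following Go program is an added illustration of that fail-closed design; it is not cloudflared's code and does not reflect how cloudflared implements bootstrapping. The `Bootstrap` interface, `StaticBootstrap`, `BootstrapDialContext`, `NewDoHClient` and the hostnames used are all constructed for the example; a real deployment would back `Bootstrap` with a DoH lookup to a resolver reached by IP address over TCP 443.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Bootstrap resolves the hostname of a DoH upstream to IP addresses without
// consulting the system resolver. (Hypothetical interface for this example.)
type Bootstrap interface {
	LookupIP(ctx context.Context, host string) ([]net.IP, error)
}

// StaticBootstrap is a constructed in-memory bootstrap used for the demo so it
// runs offline; it stands in for a DoH bootstrap reached by IP.
type StaticBootstrap map[string][]net.IP

func (s StaticBootstrap) LookupIP(_ context.Context, host string) ([]net.IP, error) {
	ips, ok := s[host]
	if !ok || len(ips) == 0 {
		return nil, fmt.Errorf("bootstrap: no address for %q", host)
	}
	return ips, nil
}

// ErrNoFallback is returned when the bootstrap cannot resolve the upstream.
// The dialer never falls back to the plaintext port-53 system resolver.
var ErrNoFallback = errors.New("bootstrap failed; refusing system-resolver fallback")

// BootstrapDialContext returns a DialContext that resolves the host part of
// addr through the bootstrap only, then dials the resulting IP directly.
// Because the address handed to net.Dialer is always an IP literal, Go's own
// resolver (and therefore /etc/resolv.conf) is never consulted.
func BootstrapDialContext(b Bootstrap) func(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		// An IP literal in the upstream URL needs no resolution at all.
		if ip := net.ParseIP(host); ip != nil {
			return d.DialContext(ctx, network, addr)
		}
		ips, err := b.LookupIP(ctx, host)
		if err != nil {
			// Fail closed: surface the bootstrap error instead of leaking
			// the upstream's name to the system resolver.
			return nil, fmt.Errorf("%w: %v", ErrNoFallback, err)
		}
		var lastErr error
		for _, ip := range ips {
			conn, err := d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
			if err == nil {
				return conn, nil
			}
			lastErr = err
		}
		return nil, lastErr
	}
}

// NewDoHClient builds an http.Client whose connections all go through the
// bootstrap-only dialer, so a DoH upstream URL containing a hostname can never
// trigger a cleartext UDP/53 query.
func NewDoHClient(b Bootstrap) *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.DialContext = BootstrapDialContext(b)
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

func main() {
	// With an empty bootstrap, dialing a named upstream must fail rather than
	// fall back to the system resolver. (Constructed hostname, no network I/O.)
	dial := BootstrapDialContext(StaticBootstrap{})
	_, err := dial(context.Background(), "tcp", "doh.upstream.example.test:443")
	fmt.Println("dial result:", err)
}
```

Running the program prints the wrapped `ErrNoFallback` error for the unknown upstream; with a populated bootstrap (see the test) the same dialer connects to the IP the bootstrap returned, and at no point does the Go runtime's resolver see the upstream's hostname, which is exactly the property a port-443-only host like the one in the report relies on.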