cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)

Home Page: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide


Bootstrap logic in proxy-dns mode

slowpeek opened this issue · comments

There is a flag bootstrap and its corresponding env var TUNNEL_DNS_BOOTSTRAP with a sane default value:

```go
// --bootstrap flag definition (urfave/cli StringSliceFlag), also settable via TUNNEL_DNS_BOOTSTRAP
&cli.StringSliceFlag{
	Name:  "bootstrap",
	Usage: "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
	Value: cli.NewStringSlice(
		"https://162.159.36.1/dns-query",
		"https://162.159.46.1/dns-query",
		"https://[2606:4700:4700::1111]/dns-query",
		"https://[2606:4700:4700::1001]/dns-query",
	),
	EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
},
```

As I understand it, bootstraps are used to resolve domains in upstream URLs.

So I set TUNNEL_DNS_UPSTREAM=https://dns.digitale-gesellschaft.ch/dns-query and start cloudflared-linux-arm64 proxy-dns. On my test system outgoing traffic is only allowed to TCP port 443. When I try to resolve a name, there is this message in the log:

```
ERR failed to connect to an HTTPS backend "https://dns.digitale-gesellschaft.ch/dns-query"
error="failed to perform an HTTPS request: Post \"https://dns.digitale-gesellschaft.ch/dns-query\":
dial tcp: lookup dns.digitale-gesellschaft.ch on 192.168.2.1:53:
write udp 192.168.2.3:44618->192.168.2.1:53: write: operation not permitted"
```

192.168.2.1:53 is the system resolver. 192.168.2.3 is the test system.

So instead of falling back to the secure bootstrap, it tried to use the cleartext system resolver. Should it be like that?
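The behaviour the report expects, as an added example written for this page and not cloudflared's own implementation: the upstream hostname is resolved by POSTing a wire-format A query to the IP-literal bootstrap endpoints, one after another, so no lookup can ever reach the system resolver on port 53. The DNS encoder and answer parser, the `Poster` seam (injected so the logic runs offline), the fixed query ID and the hostname `upstream.example` used in testing are all assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Bootstrap holds IP-literal DoH URLs (two of cloudflared's defaults), so reaching
// them never needs a hostname lookup. Poster is a hypothetical seam that sends one
// application/dns-message POST and returns the body; wrap http.Post for real use.
var Bootstrap = []string{"https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query"}

type Poster func(url string, body []byte) ([]byte, error)

// BuildAQuery encodes a minimal RFC 1035 wire-format A query for name.
func BuildAQuery(id uint16, name string) []byte {
	var b bytes.Buffer
	for _, v := range []uint16{id, 0x0100, 1, 0, 0, 0} { // header: RD=1, QDCOUNT=1
		binary.Write(&b, binary.BigEndian, v)
	}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.Write([]byte{0, 0, 1, 0, 1}) // root label, QTYPE=A, QCLASS=IN
	return b.Bytes()
}

// skipName advances past a (possibly compressed) domain name starting at off.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l&0xC0 == 0xC0: // two-byte compression pointer ends the name
			return off + 2, nil
		case l == 0:
			return off + 1, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// ParseARecords extracts IPv4 answers from a response carrying the expected ID.
func ParseARecords(msg []byte, wantID uint16) ([]net.IP, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[0:2]) != wantID || msg[3]&0x0F != 0 {
		return nil, errors.New("short response, ID mismatch, or non-zero RCODE")
	}
	qd, an := binary.BigEndian.Uint16(msg[4:6]), binary.BigEndian.Uint16(msg[6:8])
	off, err := 12, error(nil)
	for i := 0; i < int(qd); i++ { // skip the echoed question section
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		off += 4 // QTYPE + QCLASS
	}
	var ips []net.IP
	for i := 0; i < int(an); i++ {
		if off, err = skipName(msg, off); err != nil || off+10 > len(msg) {
			return nil, errors.New("truncated resource record")
		}
		rtype := binary.BigEndian.Uint16(msg[off : off+2])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8 : off+10]))
		if off += 10; off+rdlen > len(msg) {
			return nil, errors.New("truncated RDATA")
		}
		if rtype == 1 && rdlen == 4 { // TYPE A
			ips = append(ips, net.IPv4(msg[off], msg[off+1], msg[off+2], msg[off+3]))
		}
		off += rdlen
	}
	return ips, nil
}

// ResolveViaBootstrap tries each bootstrap endpoint in turn and never consults the
// system resolver: a failure on one endpoint falls through to the next, and when
// all fail the caller gets an error rather than a cleartext port-53 lookup.
func ResolveViaBootstrap(name string, post Poster) ([]net.IP, error) {
	const id = 0x1234 // fixed for the example; use a random ID in production
	q, fails := BuildAQuery(id, name), []string{}
	for _, ep := range Bootstrap {
		if resp, err := post(ep, q); err != nil {
			fails = append(fails, ep+": "+err.Error())
		} else if ips, err := ParseARecords(resp, id); err != nil || len(ips) == 0 {
			fails = append(fails, fmt.Sprintf("%s: unusable answer: %v", ep, err))
		} else {
			return ips, nil
		}
	}
	return nil, fmt.Errorf("all bootstrap endpoints failed: %s", strings.Join(fails, "; "))
}
```

To use this on a real network, pass a `Poster` that wraps `http.Post` with content type `application/dns-message`, and plug the resolver into `http.Transport.DialContext`: split the address, call `ResolveViaBootstrap` whenever the host part is not an IP literal, and dial `ip:port`. `http.Transport` still performs the TLS handshake with the URL's hostname as SNI and verifies the certificate against it, so swapping the dial target for an IP does not weaken certificate checking. The bootstrap endpoints themselves are dialed by IP, which requires their certificates to be valid for the IP literal.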