DNS Configurations Keep Getting Dumped #2914
Unanswered
LordFransie asked this question in Q&A
Replies: 0 comments
I'm using Cloudflare DoT and I have constant issues with the containers connected to my gluetun container losing DNS. When I restart the cluster, I have a period where all the containers have access to DNS queries, but after a while nothing resolves. These are the Docker logs:
Running version latest built on 2025-09-26T17:01:11.025Z (commit 72a49af)
🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
⚠️ ⚠️ ⚠️ keeping the default container nameservers, this will likely leak DNS traffic outside the VPN and go through your container network DNS outside the VPN tunnel!
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-09-29T00:47:46Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.36 and family v4
2025-09-29T00:47:46Z INFO [routing] local ethernet link found: eth0
2025-09-29T00:47:46Z INFO [routing] local ipnet found: 172.17.0.0/16
2025-09-29T00:47:46Z INFO [firewall] enabling...
2025-09-29T00:47:46Z INFO [firewall] enabled successfully
2025-09-29T00:47:48Z INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
2025-09-29T00:47:48Z INFO Alpine version: 3.20.7
2025-09-29T00:47:48Z INFO OpenVPN 2.5 version: 2.5.10
2025-09-29T00:47:48Z INFO OpenVPN 2.6 version: 2.6.11
2025-09-29T00:47:48Z INFO IPtables version: v1.8.10
2025-09-29T00:47:48Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: private internet access
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Private Internet Access encryption preset: normal
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Private Internet Access encryption preset: normal
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: nonrootuser
|       └── Verbosity level: 1
├── DNS settings:
|   └── Keep existing nameserver(s): yes
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 192.168.0.0/16
|       ├── 172.16.0.0/12
|       └── 10.0.0.0/8
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8001
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 99
|   └── Process GID: 100
├── Public IP settings:
|   ├── IP file path: /gluetun/ip
|   └── Public IP data base API: ipinfo
└── Version settings:
    └── Enabled: yes
2025-09-29T00:47:48Z WARN DNS address is set to 8.8.8.8 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2025-09-29T00:47:48Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.36 and family v4
2025-09-29T00:47:48Z INFO [routing] adding route for 0.0.0.0/0
2025-09-29T00:47:48Z INFO [firewall] setting allowed subnets...
2025-09-29T00:47:48Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.36 and family v4
2025-09-29T00:47:48Z INFO [routing] adding route for 192.168.0.0/16
2025-09-29T00:47:48Z INFO [routing] adding route for 172.16.0.0/12
2025-09-29T00:47:48Z INFO [routing] adding route for 10.0.0.0/8
2025-09-29T00:47:48Z WARN [dns]
2025-09-29T00:47:48Z INFO [http server] http server listening on [::]:8001
2025-09-29T00:47:48Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-09-29T00:47:48Z INFO [firewall] allowing VPN connection...
2025-09-29T00:47:48Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-09-29T00:47:48Z INFO [openvpn] library versions: OpenSSL 3.3.4 1 Jul 2025, LZO 2.10
2025-09-29T00:47:48Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]102.129.232.106:1198
2025-09-29T00:47:48Z INFO [openvpn] UDPv4 link local: (not bound)
2025-09-29T00:47:48Z INFO [openvpn] UDPv4 link remote: [AF_INET]102.129.232.106:1198
2025-09-29T00:47:48Z INFO [openvpn] [siliconvalley403] Peer Connection Initiated with [AF_INET]102.129.232.106:1198
2025-09-29T00:47:49Z INFO [openvpn] TUN/TAP device tun0 opened
2025-09-29T00:47:49Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2025-09-29T00:47:49Z INFO [openvpn] /sbin/ip link set dev tun0 up
2025-09-29T00:47:49Z INFO [openvpn] /sbin/ip addr add dev tun0 10.9.112.129/24
2025-09-29T00:47:49Z INFO [openvpn] UID set to nonrootuser
2025-09-29T00:47:49Z INFO [openvpn] Initialization Sequence Completed
2025-09-29T00:47:49Z INFO [healthcheck] healthy!
2025-09-29T00:47:49Z INFO [ip getter] Public IP address is 102.129.232.106 (United States, California, Santa Clara - source: ipinfo)
2025-09-29T00:47:50Z INFO [vpn] You are running on the bleeding edge of latest!
2025-09-29T00:48:54Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 100.100.100.100:53: write udp 100.90.153.117:48604->100.100.100.100:53: write: operation not permitted)
2025-09-29T00:48:54Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-09-29T00:48:54Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
2025-09-29T00:48:54Z INFO [vpn] stopping
2025-09-29T00:48:54Z INFO [vpn] starting
2025-09-29T00:48:54Z INFO [firewall] allowing VPN connection...
2025-09-29T00:48:54Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-09-29T00:48:54Z INFO [openvpn] library versions: OpenSSL 3.3.4 1 Jul 2025, LZO 2.10
2025-09-29T00:48:54Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]188.126.89.36:1198
2025-09-29T00:48:54Z INFO [openvpn] UDPv4 link local: (not bound)
2025-09-29T00:48:54Z INFO [openvpn] UDPv4 link remote: [AF_INET]188.126.89.36:1198
2025-09-29T00:48:55Z INFO [openvpn] [helsinki402] Peer Connection Initiated with [AF_INET]188.126.89.36:1198
2025-09-29T00:48:55Z INFO [openvpn] TUN/TAP device tun0 opened
2025-09-29T00:48:55Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2025-09-29T00:48:55Z INFO [openvpn] /sbin/ip link set dev tun0 up
2025-09-29T00:48:55Z INFO [openvpn] /sbin/ip addr add dev tun0 10.2.112.47/24
2025-09-29T00:48:55Z INFO [openvpn] UID set to nonrootuser
2025-09-29T00:48:55Z INFO [openvpn] Initialization Sequence Completed
2025-09-29T00:49:04Z ERROR [vpn] waiting for DNS to be ready: DNS is not working: after 10 tries: lookup github.com on 100.100.100.100:53: write udp 100.90.153.117:36265->100.100.100.100:53: write: operation not permitted
2025-09-29T00:49:04Z ERROR [vpn] getting public IP address information: fetching information: Get "https://ipinfo.io/": dial tcp: lookup ipinfo.io on 100.100.100.100:53: write udp 100.90.153.117:50414->100.100.100.100:53: write: operation not permitted
2025-09-29T00:49:05Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 100.100.100.100:53: write udp 100.90.153.117:35689->100.100.100.100:53: write: operation not permitted)
2025-09-29T00:49:05Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-09-29T00:49:05Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU HAVE READ AND TRIED EVERY POSSIBLE SOLUTION
I've gone through several configuration setups and I'm still having this issue. I have noticed that this only occurs after a connected container tries to make a DNS query. I can run ping in the gluetun container for as long as I want as many times as I want, but the second a client connects and tries to do this it gets very mad.
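A triage sketch for the log above, added here as an example and not part of the original post or of gluetun: it pulls the resolver and source address out of each "write: operation not permitted" DNS error and compares them with the outbound subnets and interface addresses the same log reports. The function names and the regular expressions are assumptions of this example.

```python
import ipaddress
import re

# Lines taken from the log above (trimmed; tree indentation collapsed).
SAMPLE_LOG = """\
2025-09-29T00:47:46Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.36 and family v4
| └── Outbound subnets:
| ├── 192.168.0.0/16
| ├── 172.16.0.0/12
| └── 10.0.0.0/8
2025-09-29T00:48:55Z INFO [openvpn] /sbin/ip addr add dev tun0 10.2.112.47/24
2025-09-29T00:49:04Z ERROR [vpn] waiting for DNS to be ready: DNS is not working: after 10 tries: lookup github.com on 100.100.100.100:53: write udp 100.90.153.117:36265->100.100.100.100:53: write: operation not permitted
"""

CIDR = re.compile(r"──\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*$")
ADDR = re.compile(r"(?:assigned IP |addr add dev \S+ )(\d{1,3}(?:\.\d{1,3}){3})")
EPERM = re.compile(r"lookup (\S+) on ([\d.]+):\d+: write udp ([\d.]+):\d+->\S+ "
                   r"write: operation not permitted")


def outbound_subnets(log):
    """CIDRs listed under 'Outbound subnets:' in the settings summary."""
    nets, in_block = [], False
    for line in log.splitlines():
        match = CIDR.search(line)
        if in_block and match:
            nets.append(ipaddress.ip_network(match.group(1)))
        else:
            in_block = "Outbound subnets:" in line
    return nets


def blocked_dns_writes(log):
    """One finding per distinct (resolver, source) pair that hit EPERM."""
    nets = outbound_subnets(log)
    logged_addrs = set(ADDR.findall(log))  # eth0 / tun0 addresses in the log
    findings = {}
    for _name, resolver, src in EPERM.findall(log):
        findings[(resolver, src)] = {
            "resolver": resolver,
            "source": src,
            "resolver_in_outbound_subnets": any(
                ipaddress.ip_address(resolver) in n for n in nets),
            "source_logged_by_gluetun": src in logged_addrs,
        }
    return list(findings.values())


if __name__ == "__main__":
    print(blocked_dns_writes(SAMPLE_LOG))
```

On the sample, both checks come back false: 100.100.100.100 lies outside the three outbound subnets in the settings summary, and 100.90.153.117 is not an address the log shows for eth0 or tun0.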