Wireguard DNS traffic to TLD

Hi all,
Two days ago I’ve deployed Wireguard and it works like a charm - even deployed in Portainer :wink: on OMV5
Thanks for huge work (not only with wireguard-docker) for community.

I’ve noticed when I start wireguard container I can see in pi-hole log that appears NS queries to “dot” (TLD) every 1-2 seconds

No peers are connected to Wireguard docker at this time yet.
Something is misconfigured by me or there is another reason of such traffic?
I’ve found no answers in search engines.
Many thanks in advance for any help.

Hi all,

I’m facing the same problem. Any solution?

I’m bumping this thread with a solution that worked for me. Wireguard’s CoreDNS was configured to use the CoreDNS forward plugin to forward all DNS requests to the nameservers defined in /etc/resolv.conf. The forward plugin also performs a health check on those servers by sending the query . IN NS every 0.5 seconds. This can be disabled by adding max_fails 0 in /config/coredns/Corefile. Corefile should now look like the following (assuming no other changes have been made):

. { loop forward . /etc/resolv.conf { max_fails 0 } }

More information on forward can be found at https://coredns.io/plugins/forward/. I hope this helps someone out there!

These failing health checks are likely due to incorrectly configured pi-hole (common when running it in a container). The dns address does not match the sender of the response (ie. dns address set to host IP and port, but the response from pi-hole is sent through the docker network so it’s coming from pi-hole’s docker IP).

We don’t recommend running pi-hole in a container for this reason and others. Much better to run it on a dedicated pi on the lan like it was originally intended.