Conversation
…ions Co-authored-by: ek <ek@drimble.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Bug: DNS Resolution Failure in Docker Container
The application's DNS resolution, including subdomain bruteforce, is hard-coded to use the local Unbound DNS resolver (127.0.0.1). The docker-entrypoint.sh attempts to start Unbound but proceeds even if it fails, only issuing a warning. This creates a critical dependency without fallback to external DNS servers (e.g., 8.8.8.8). Consequently, all DNS operations will fail if Unbound is unavailable, yet the container will appear to start successfully.
main.py#L581-L582
Lines 581 to 582 in 8973412
main.py#L623-L624
Lines 623 to 624 in 8973412
docker-entrypoint.sh#L18-L49
Lines 18 to 49 in 8973412
BugBot free trial expires on July 24, 2025
Learn more in the Cursor dashboard.
Was this report helpful? Give feedback by reacting with 👍 or 👎
|
|
||
| 2. **`start-unbound.sh`** - Unbound initialization script | ||
| - Downloads root hints | ||
| - Initializes DNSSEC trust anchor |
There was a problem hiding this comment.
could be extreme overhead on cpu cycles
Will check and bump.
| libpcap-dev && \ | ||
| libpcap-dev \ | ||
| unbound \ | ||
| dnsutils \ |
| print_info " PID: $(pgrep unbound)" | ||
| else | ||
| print_warning "✗ Unbound is not running" | ||
| return 1 |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| print_info "Testing $domain..." | ||
|
|
||
| # Test with local Unbound cache | ||
| local_time=$(time (nslookup $domain 127.0.0.1 > /dev/null 2>&1) 2>&1 | grep real | awk '{print $2}') |
There was a problem hiding this comment.
can mock with regular gnu binaries that will populate ARP and perform lookup and don't exit errcode
|
|
||
| # Create necessary directories | ||
| print_status "Creating directories..." | ||
| sudo mkdir -p /var/lib/unbound |
|
|
||
| # Start Unbound | ||
| print_status "Starting Unbound DNS resolver..." | ||
| sudo unbound -c /etc/unbound/unbound.conf |
There was a problem hiding this comment.
.service file can handle health check / retries
| do-udp: yes | ||
| do-tcp: yes | ||
|
|
||
| # Access control |
There was a problem hiding this comment.
I'd opt for adding ssrf prot for rfc 1918, 1122, 4192, 4193, 4291 and 6598+3927
|
|
||
| # Message cache settings | ||
| msg-cache-size: 128m | ||
| msg-cache-slabs: 4 |
There was a problem hiding this comment.
sysctl.conf may need additional tweaks
| hide-identity: yes | ||
| hide-version: yes | ||
| harden-glue: yes | ||
| harden-dnssec-stripped: yes |
| neg-cache-size: 16m | ||
|
|
||
| # Performance tuning | ||
| num-threads: 2 |
|
[bot] jacked in and scanned PR.
as an AI I can make mistakes please 👍🏻 or 👎🏻 for feedback |
| check_unbound_status() { | ||
| print_header "Unbound Status" | ||
|
|
||
| if pgrep unbound > /dev/null; then |
There was a problem hiding this comment.
| if pgrep unbound > /dev/null; then | |
| if ! pgrep unbound > /dev/null; then |
| print_header "Unbound Status" | ||
|
|
||
| if pgrep unbound > /dev/null; then | ||
| print_info "✓ Unbound is running" |
There was a problem hiding this comment.
| print_info "✓ Unbound is running" | |
| print_warning "😔 Unbound is not up" |
|
|
||
| if pgrep unbound > /dev/null; then | ||
| print_info "✓ Unbound is running" | ||
| print_info " PID: $(pgrep unbound)" |
There was a problem hiding this comment.
| print_info " PID: $(pgrep unbound)" |
| if pgrep unbound > /dev/null; then | ||
| print_info "✓ Unbound is running" | ||
| print_info " PID: $(pgrep unbound)" | ||
| else |
There was a problem hiding this comment.
| else | |
| exit 1 # 😭 |
| print_info "✓ Unbound is running" | ||
| print_info " PID: $(pgrep unbound)" | ||
| else | ||
| print_warning "✗ Unbound is not running" |
There was a problem hiding this comment.
| print_warning "✗ Unbound is not running" |
| print_info " PID: $(pgrep unbound)" | ||
| else | ||
| print_warning "✗ Unbound is not running" | ||
| return 1 |
There was a problem hiding this comment.
| return 1 | |
| print_info "🥳💾 - unbound up. holds pid $(pgrep unbound)" |
| else | ||
| print_warning "✗ Unbound is not running" | ||
| return 1 | ||
| fi |
| if [ -f "/etc/resolv.conf" ]; then | ||
| cat /etc/resolv.conf | grep -v "^#" | grep -v "^$" | ||
| else | ||
| print_warning "/etc/resolv.conf not found" |
There was a problem hiding this comment.
show_dns_config() {
print_header "DNS Configuration"
print_info "Current DNS settings (resolv.conf / systemd-resolved):"
if command -v resolvectl >/dev/null 2>&1; then
resolvectl dns
elif [ -f /etc/resolv.conf ]; then
grep -E '^[^#[:space:]]' /etc/resolv.conf
fi
print_info ""
print_info "ARP cache (kernel view):"
ip neigh show
print_info ""
print_info "Active DNS queries (UDP/53 sockets):"
ss -uap | grep ':53' || print_warning "No active DNS queries"
print_info ""
print_info "Kernel domain settings:"
sysctl -a 2>/dev/null | grep 'domain'
}
|
|
||
| print_info "Current DNS settings:" | ||
| if [ -f "/etc/resolv.conf" ]; then | ||
| cat /etc/resolv.conf | grep -v "^#" | grep -v "^$" |
There was a problem hiding this comment.
| cat /etc/resolv.conf | grep -v "^#" | grep -v "^$" | |
| grep -v "^#" /etc/resolv.conf | grep -v "^$" |
3 participants
Implement unbound dns caching