Passing DNS requests through tcp

So I'm actually playing around with reverse proxying so nothing is crucial here. I have a DNS server configured to answer requests on port 53. My DNS server is technitium. Both my DNS server and traefik are running through docker.

In a nutshell, the DNS requests are working using the "q" client like this:

$ q archtm.example.com @TCP://ns1.example.com        
archtm.example.com. 1h A 10.0.1.107

However, I'm receiving a bunch of errors in the traefik logs similar to what's below. To help decipher some of the IP addresses in the log, I have the following IPs:
-- Testing "q" client sending out dns requests: 10.8.110.1
-- Docker traefik container: "IPAddress": "172.19.0.3"
-- Docker dns-server container: "IPAddress": "172.19.0.2"

Error log:

2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/tcp/ipallowlist/ip_allowlist.go:60 > Connection from 10.8.110.1:61313 accepted middlewareName=ipallowlist@file middlewareType=IPAllowListerTCP
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:61313
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:113 > Error while setting TCP connection deadline error="set tcp 172.19.0.3:53: use of closed network connection"
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/tcp/ipallowlist/ip_allowlist.go:60 > Connection from 10.8.110.1:49240 accepted middlewareName=ipallowlist@file middlewareType=IPAllowListerTCP
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:49240
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:113 > Error while setting TCP connection deadline error="set tcp 172.19.0.3:53: use of closed network connection"
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/tcp/ipallowlist/ip_allowlist.go:60 > Connection from 10.8.110.1:37033 accepted middlewareName=ipallowlist@file middlewareType=IPAllowListerTCP
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:37033
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:113 > Error while setting TCP connection deadline error="set tcp 172.19.0.3:53: use of closed network connection"
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/tcp/ipallowlist/ip_allowlist.go:60 > Connection from 10.8.110.1:47187 accepted middlewareName=ipallowlist@file middlewareType=IPAllowListerTCP
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:47187
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/middlewares/tcp/ipallowlist/ip_allowlist.go:60 > Connection from 10.8.110.1:62773 accepted middlewareName=ipallowlist@file middlewareType=IPAllowListerTCP
2025-02-16T08:21:25-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:62773
2025-02-16T08:21:26-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:104 > Error while terminating TCP connection error="close tcp 172.19.0.3:53->10.8.110.1:62773: use of closed network connection"

Perhaps this is normal?? Anyway to help debug the situation here is the section of my docker compose file for both the services:

  • traefik
  • dns-server
    (for ease of experimentation I'm configuring the tcp routers for the dns-server container using the file yaml method rather than docker labels)

  traefik:
    image: traefik:latest
    container_name: traefik
    hostname: traefik
    restart: always
    networks:
      - net
    ports:
      - 80:80
      - 443:443
      - 3000:3000
      - 853:853
      - 53:53
    command:
      - --accesslog.fields.names.StartUTC=drop
    healthcheck:
      test: traefik healthcheck --ping
      <<: *healthcheck-parameters
    <<: *log-parameters
   ...
   ...
  dns-server:
    container_name: dns-server
    hostname: ns1.gohilton.com
    image: technitium/dns-server:latest
    restart: unless-stopped
    healthcheck:
      <<: *technitium-healthcheck
    networks:
      - net
    ports:
      - "5380:5380/tcp" #DNS web console (HTTP)
      - "53443:53443/tcp" #DNS web console (HTTPS)
      - "53:53/udp" #DNS service
    expose:
      - "8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
      - "853/tcp"  #DNS over TLS
      - "53/tcp"

For my traefik static configuration file, I have the following (/etc/traefik/traefik.yml):

entryPoints:
  web:
    address: :80
    forwardedHeaders:
      insecure: true
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
    forwardedHeaders:
      insecure: true
  ping:
    address: :3000
  dot:
    address: :853
  tcp:
    address: :53

My tcp router configuration (/etc/traefik/conf.d/tcp.yml):

---
tcp:
  routers:
    router-tcp:
      rule: "ClientIP(`10.8.110.0/24`)"
      entryPoints:
        - tcp
      middlewares:
        - ipallowlist
      service: sv-tcp

  middlewares:
    ipallowlist:
      ipAllowList:
        sourceRange:
          - "10.8.110.1/24"
          - "10.0.1.1/24"
          - "172.19.0.0/16"

  services:
    sv-tcp:
      loadBalancer:
        servers:
          - address: "dns-server:53"

Are the errors I'm getting normal in the traefik log?

Regular DNS queries use port 53/UDP, that’s not something Traefik usually handles.

"Use of closed network connection" usually only happens when you shut down the Traefik container. It’s only a DBG message.

@bluepuma77 Thanks for your reply - you're always helpful

My scenario posted was just messing around with traefik and the various tcp/udp proxy capabilities.

It was actually quite easy to configure 53/UDP through traefik with a UDP config. I'm not sure why you would want this other than possibly a load balancer situation, but it totally proxied the requests.

In terms of closed network connection -- in this instance it didn't happen when closing down traefik, but rather when proxying a DNS query over TCP. The query still worked in my test setup, I just received the DBG messages as such. Doesn't sound like a big deal.

I only got on this topic since I had originally configured traefik to proxy DOH DNS requests. The actual DNS server (technitium) can fulfill DNS requests over udp/53, tcp/53, DOT/853, DOH/443 and QUIC/853. My problem with DOH was I already had traefik configured to listen on 443, so I needed to proxy DOH requests through traefik to the backend/upstream dns server. Once I managed to get this figured out, I just thought to myself -- well let's see if you can proxy every other request as well -- which can be done.
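
An added example, not part of the thread or of Traefik's code: a small audit of the `ipAllowList` and router rule from the tcp.yml above against log lines in the shape of the DBG output quoted in the first post. It assumes each `sourceRange` entry is read as the network it falls in (so `10.8.110.1/24` means `10.8.110.0/24`); the function names and the abbreviated sample log are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Copied from the thread's /etc/traefik/conf.d/tcp.yml
ROUTER_RULE = "10.8.110.0/24"
SOURCE_RANGE = ["10.8.110.1/24", "10.0.1.1/24", "172.19.0.0/16"]

# Constructed sample: abbreviated lines in the shape of the DBG log quoted in the thread.
SAMPLE_LOG = '''\
DBG ip_allowlist.go:60 > Connection from 10.8.110.1:61313 accepted middlewareName=ipallowlist@file
DBG proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:61313
DBG proxy.go:113 > Error while setting TCP connection deadline error="set tcp 172.19.0.3:53: use of closed network connection"
DBG ip_allowlist.go:60 > Connection from 10.8.110.1:62773 accepted middlewareName=ipallowlist@file
DBG proxy.go:41 > Handling TCP connection address=dns-server:53 remoteAddr=10.8.110.1:62773
DBG proxy.go:104 > Error while terminating TCP connection error="close tcp 172.19.0.3:53->10.8.110.1:62773: use of closed network connection"
'''

def effective_ranges(entries):
    """Map each entry to the network it covers; flag entries written with host bits set."""
    out = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # assumption: host bits are masked off
        out.append((entry, net, str(net) != entry))
    return out

def audit(log_text, entries=SOURCE_RANGE, rule=ROUTER_RULE):
    """Check every accepted client against the router rule and allowlist; count close errors."""
    ranges = effective_ranges(entries)
    rule_net = ipaddress.ip_network(rule)
    clients, errors = {}, Counter()
    for line in log_text.splitlines():
        m = re.search(r"Connection from ([\d.]+):(\d+) accepted", line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            clients[f"{ip}:{m.group(2)}"] = {
                "rule": ip in rule_net,
                "allowed_by": [e for e, net, _ in ranges if ip in net],
            }
        elif "use of closed network connection" in line:
            m = re.search(r"->([\d.]+:\d+):", line)  # only the "close tcp" form names the client
            errors[m.group(1) if m else "unattributed"] += 1
    return clients, errors

if __name__ == "__main__":
    for entry, net, host_bits in effective_ranges(SOURCE_RANGE):
        print(f"{entry:16} covers {net}" + ("  (host bits set)" if host_bits else ""))
    print(audit(SAMPLE_LOG))
```

The "setting TCP connection deadline" lines carry only Traefik's own address, so they cannot be tied to a client by address alone and are counted as unattributed. The router rule and the first allowlist entry cover the same /24, so on this router the other two `sourceRange` entries never decide a connection.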