I finally spent some time digging into this, and I think I’ve figured it out. It looks like the hassio-dns container, running CoreDNS and the coredns-fallback plugin, is forwarding all types of failing DNS lookups to Cloudflare:
```
bash-5.0# more /config/corefile
.:53 {
    log
    errors
    loop
    hosts /config/hosts {
        fallthrough
    }
    template ANY AAAA local.hass.io hassio {
        rcode NOERROR
    }
    mdns
    forward . dns://my.internal.dns.server dns://127.0.0.1:5553 {
        except local.hass.io
        policy sequential
        health_check 5s
    }
    fallback REFUSED . dns://127.0.0.1:5553
    fallback SERVFAIL . dns://127.0.0.1:5553
    fallback NXDOMAIN . dns://127.0.0.1:5553
    cache 10
}
.:5553 {
    log
    errors
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername cloudflare-dns.com
        except local.hass.io
        health_check 10s
    }
    cache 30
}
```
So as expected, it isn’t malicious, but I’m very much against this behavior. If I have custom DNS servers defined, that means I want to stay in control of my DNS. The whole point of Home Assistant is to protect our privacy and not depend on the cloud, right?
On to digging into the multicast/kubernetes phoning home behavior. I’ll start a new thread if I find anything.
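An added check, not from the post above or from Home Assistant: it parses a trimmed copy of the Corefile quoted in the post, follows the `dns://127.0.0.1:5553` hop into the `.:5553` block, and lists every `forward` or `fallback` directive in the `.:53` block that can end up at an upstream outside a set you consider trusted. The sample Corefile and the trusted set are constructed for this example.

```python
import re
from ipaddress import ip_address

# Trimmed copy of the Corefile quoted above, embedded as constructed sample input.
COREFILE = """\
.:53 {
    forward . dns://my.internal.dns.server dns://127.0.0.1:5553
    fallback REFUSED . dns://127.0.0.1:5553
    fallback SERVFAIL . dns://127.0.0.1:5553
    fallback NXDOMAIN . dns://127.0.0.1:5553
}
.:5553 {
    forward . tls://1.1.1.1 tls://1.0.0.1
}
"""
UPSTREAM = re.compile(r"(?:dns|tls)://(\S+)")  # matches dns:// and tls:// targets

def parse_corefile(text):
    """Per server block (keyed by port): forward targets, and fallback targets by RCODE."""
    blocks, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^\.:(\d+)\s*\{", line)
        if m:
            cur = blocks.setdefault(m.group(1), {"forward": [], "fallback": {}})
        elif cur is not None and line.startswith("forward "):
            cur["forward"] += UPSTREAM.findall(line)
        elif cur is not None and line.startswith("fallback "):
            cur["fallback"].setdefault(line.split()[1], []).extend(UPSTREAM.findall(line))
    return blocks

def resolve(blocks, target):
    """Follow a loopback target (127.0.0.1:PORT) into the block listening on PORT."""
    host, _, port = target.rpartition(":")
    try:
        loop = bool(host) and ip_address(host).is_loopback
    except ValueError:          # hostname rather than an IP literal
        loop = False
    if loop and port in blocks:
        return [u for t in blocks[port]["forward"] for u in resolve(blocks, t)]
    return [target]

def untrusted_upstreams(blocks, trusted, port="53"):
    """(directive, upstream) pairs where the :PORT block can reach a server not in `trusted`."""
    b = blocks[port]
    directives = [("forward", b["forward"])]
    directives += [("fallback " + rc, t) for rc, t in b["fallback"].items()]
    return sorted({(d, u) for d, targets in directives for t in targets
                   for u in resolve(blocks, t) if u not in trusted})

if __name__ == "__main__":
    for directive, upstream in untrusted_upstreams(parse_corefile(COREFILE), {"my.internal.dns.server"}):
        print(f"{directive:18} -> {upstream}")
```

Every `fallback` line shows up because each one hands the failed query to the `.:5553` block regardless of the `policy sequential` ordering on the main `forward`.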