Need help with dnsmasq config

[FlexMcMurphy]

Hello,

I am running NextCloudPi (NCP) on a Pi3 that is connected by ethernet cable to my home router. I have forwarded the ports. I have installed an SSL cert from Letsencrypt so can use https. I can access the NCP website from outside my home network using https://my.domain.com and all is well.

When I am at home I want to use the same url -- https://my.domain.com but because my router doesn't do NAT Loopback I can't access the site.

There are several workarounds I could use when inside my LAN:
1. Use the local ip address of my Pi... this way I get ugly SSL errors because the bare IP address doesn't match the (sub)domains registered with the SSL cert.
2. Add the local ip address of my Pi to the hosts file on my Windows 7 laptop... yes this works
3. Install a dns server such as: dnsmasq

I decided to install dnsmasq.

Now when I try http://my.domain.com from Chrome inside my LAN I get this error: net::err_CERT_AUTHORITY_INVALID. Clicking on “Proceed to my.domain.com unsafe” at the bottom brings me to my routers homepage with its external ip address displayed in the url address bar.

But I can access this site from outside my LAN without SSL errors so port forwarding is working and I'm thinking this error must be due to my router not doing NAT Loopback and the solution must lie in my dnsmasq config.

Here is my /etc/dnsmasq.conf:

Code: Select all

interface=eth0
no-dhcp-interface=eth0
domain-needed              # Never forward plain names (without a dot or domain part)
bogus-priv                 # Never forward addresses in the non-routed address spaces.
no-poll                    # Don’t poll for changes in /etc/resolv.conf
no-resolv                  # Don’t use /etc/resolv.conf or any other file
cache-size=500
listen-address=127.0.0.1
server=192.168.1.254       # local ip address of my router
address=/my.domain.com/192.168.1.124                             # This is optional if we add it to /etc/hosts

The local IP address of my Pi is: 192.168.1.124
The local IP address of my router is: 192.168.1.254
I went in to the web admin of my router and changed its primary DNS to the local IP address of my Pi. Apparently this makes local dns lookup easier somehow?

Lots of other config files can control dnsmasq like:

/etc/resolv.conf
/etc/hosts
/etc/default/dnsmasq
/var/run/dnsmasq/resolv.conf

… but my understanding is none of those files matter because of [no-resolv] in dnsmasq.conf. Maybe I’m wrong here?

After every change to /etc/dnsmasq.conf I do a /etc/init.d/dnsmasq restart
I use >> dnsmasq --test and look in /var/log/syslog to see if dnsmasq is working which it seems to be:

For >> dnsmasq --test

Code: Select all

root@nextcloudpi:/home/pi# dnsmasq --test
dnsmasq: syntax check OK.

dnsmasq writes to daemon.log. Here is what is in my daemon.log…


The log shows dnsmasq listening on port 53 (correct) to the nameserver which is the local ip of my router… my understanding is this is set up correctly because I have set the local ip of my pi3 to be the primary dns on that router… maybe I am wrong here?
Here is the output of >> netstat -tupln



dnsmasq is listening on Port 53 (tcp and tcp6)

This set up, or various versions of it, was working for me but for reasons unknown to me it stops working.

Sorry for this LONG post but if I give all my information maybe I can get the solution faster? Anyone using dnsmasq in a simple way like me could you post your /etc/dnsmasq.conf file please?

Thank you,

Flex

[SurferTim]

I have dnsmasq on wlan0. The ip address is 192.168.4.1/24. My /etc/dnsmasq.conf file

Code: Select all

interface=wlan0
dhcp-range=192.168.4.8,192.168.4.250,255.255.255.0,12h

I also have a RPi3 with dnsmasq on eth0. The ip is 192.168.6.1/24. My /etc/dnsmasq.conf file

Code: Select all

interface=eth0
dhcp-range=192.168.6.20,192.168.6.100,255.255.255.0,12h

[FlexMcMurphy]

Thanks for your response.

Unfortunately I'm struggling to understand the underlying dnsmasq concepts... how dns works.

My router doesn't let me access a website on my Pi using my.domain.com if I type that into Chrome when I am inside my LAN It resolves to the public ip address of my router so first of all I get a NET::ERR_CERT_AUTHORITY_INVALID error message in Google Chrome then if I by-pass that I get brought to my routers homepage. So dnsmasq isn't set up correctly.

If I'm outside my LAN ... my.domain.com does give me the NextCloudPi website that is on my Pi.

So I don't think the problem is port forwarding but NAT Loopback that my router cannot do.

Your dnsmasq.conf snippets were not helpful to me because I don't think I need dnsmasq to do dhcp for me I can leave that to my router. I have set the primary DNS server of my router to be the local ip address of my Pi on which dnsmasq (and the NextCloudPi webserver) is running. I'm hoping this will make my router, provide the IP of my dnsmasq server to my clients as their DNS resolver. Therefore I could access my.domain.com from within my LAN.

What other settings do you have in your dnsmasq.conf ? Any other advice?

Thank you,

Flex

[sora03]

Based on your post I can understand that you have a nextcloud server running on a Pi witht the IP: 192.168.1.124 that is forwarded to the internet using your router (192.168.1.254). YOu can access the nextcloud without ssl errors because the domain name matches in the url. But you cannot access the same domain in the LAN? You are trying to visit the Pi's IP address to use nextcloud but you get SSL errors (that is expected since you are using IP address not domain name.) Do not port forward your dns port as this will be used in a DNS Amplification attacks. You can add to the /etc/hosts your domain name and your Pi's IP address so it will not connect to the internet if you visit mydomain in your LAN.

so you want to visit the site my.domain in LAN? since the router already forwarded the port you should be able to visit it at home with the internet. I do not know if you need the dnsmasq to do this as I am also hosting a cloud of my own on my router. (this may be the router probleM)

$ sudo nano /etc/hosts
#this will redirect requests from mydomain to your Pi's IP in LAN
192.168.1.124 mydomain.com

[FlexMcMurphy]

Cheers for your response!

Yes, you seem to understand my situation. I tried adding my domain name (it's not actually my.domain.com) to the /etc/hosts file:

Code: Select all

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.1.1 nextcloudpi
192.168.1.124 nextcloudpi
192.168.1.124 my.domain.com

And now /etc/dnsmasq is like this:

Code: Select all

interface=eth0		# eth0 is the ethernet interface
domain-needed		# Never forward plain names (without a dot or domain part)
bogus-priv		# Never forward addresses in the non-routed address spaces.
no-poll			# Don't poll for changes in /etc/resolv.conf
no-resolv		# Don't use /etc/resolv.conf or any other file
#no-hosts		# Don't use /etc/hosts

cache-size=500 

server=192.168.1.254
listen-address=127.0.0.1
listen-address=192.168.1.124

# These are optional if we add them to /etc/hosts
address=/my.domain.com/192.168.1.124

The strange thing is it DID work at first. then I experimented a bit to try to understand more by rebooting the router, the Pi and my laptop and still it was working… then I stopped dnsmasq service just to check if adding the line [192.168.1.124 my.domain.com] to /etc/hosts was enough… it wasn’t. Then when I restarted dnsmasq I got the same error in Chrome.



I have seen this before where dnsmasq works and then stops working even though I didn't make any config changes... 99% of the time it just doesn't work.

Any further suggestions much appreciated !

Flex

[sora03]

Cheers for your response!

Yes, you seem to understand my situation. I tried adding my domain name (it's not actually my.domain.com) to the /etc/hosts file:

Code: Select all

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

127.0.1.1 nextcloudpi
192.168.1.124 nextcloudpi
192.168.1.124 my.domain.com

And now /etc/dnsmasq is like this:

Code: Select all

interface=eth0		# eth0 is the ethernet interface
domain-needed		# Never forward plain names (without a dot or domain part)
bogus-priv		# Never forward addresses in the non-routed address spaces.
no-poll			# Don't poll for changes in /etc/resolv.conf
no-resolv		# Don't use /etc/resolv.conf or any other file
#no-hosts		# Don't use /etc/hosts

cache-size=500 

server=192.168.1.254
listen-address=127.0.0.1
listen-address=192.168.1.124

# These are optional if we add them to /etc/hosts
address=/my.domain.com/192.168.1.124

The strange thing is it DID work at first. then I experimented a bit to try to understand more by rebooting the router, the Pi and my laptop and still it was working… then I stopped dnsmasq service just to check if adding the line [192.168.1.124 my.domain.com] to /etc/hosts was enough… it wasn’t. Then when I restarted dnsmasq I got the same error in Chrome.



I have seen this before where dnsmasq works and then stops working even though I didn't make any config changes... 99% of the time it just doesn't work.

Any further suggestions much appreciated !

Flex

I do not know if you really need dnsmasq to make your site accessible within your LAN. can you try a traceroute mydomain from your LAN? paste the output here but redact sensitive details
The problem might be your router's port forward settings. I used dnsmasq for my Pihole (set my router dns as the Pi's but at the same time I am hosting a cloud (seafile and using a dynamic dns service and I can access my site from within my LAN and outside without any problems.

did you set your Pi as the router's dns? try to set your router to a different dns like opendns.

[FlexMcMurphy]

Hello sora03!

I have tried adding the IP address of the pi along with the domain name I'm using to /etc/hosts but that doesn't make the domain name resolve to the local IP of the pi when I try from within my LAN. If I try from outside the LAN it works fine.

For this reason, and because I have read on other forums, I'm assuming that my router doesn't do NAT loopback so I need a local dns server. Actually I know there are other ways to achieve what I need like bonjour services then accessing with: hostname.local and also by adding the domain name and IP to my windows host file but I've spent so much time on dnsmasq now I really want to make it work!

I was thinking if port forwarding might be the issue but it works when I access from outside the LAN so it must be set up correctly.

I also had pi-hole running on my Pi connected to this same router a few months ago.. if pi-hole uses dnsmasq under the hood then that would suggest it should work with my router & there is something wrong with the config.

Yes I set the primary DNS of the router to the IP address of the pi. There were two places I could do that including at the level of dhcp. Then in dnsmasq.conf I am using the router IP: 192.168.1.254, as the server.

I did >>nslookup [my.domain.com] from an ssh session to the pi and it resolved to the local IP if the pi.. this is what I want because the website us on that pi. However when I did nslookup from a Windows command prompt on my laptop, that is also on the same network, there was a delay and then it resolved to the external IP of my router. Not sure what any of that means.

I'll post the result of traceroute later today.

Cheers,

Flex

[FlexMcMurphy]

Just to recap:

• I have a Windows 7 laptop running on the same network as the Pi.

• dnsmasq and a webserver running NextCloudPi (personal cloud server) are running on the Pi whose ip address is: 192.168.1.124

• When I type my.domain.com into the browser running on my laptop on my LAN I see the routers admin webpage because I am forwarded to the external IP address of my router (192.168.1.254) when the dns request should be intercepted by dnsmasq and resolved to the local ip addr of my Pi (192.168.1.124).

I ran the traceroute command...

From an SSH Putty session to my Pi:

traceroute from ssh session to Pi.jpg (46.54 KiB) Viewed 14418 times

From a Windows Command prompt on the Win 7 laptop:

Code: Select all

C:\Users\Me>tracert my.domain.com
Tracing route to domain.com [External IP address of my router]
over a maximum of 30 hops:

  1     7 ms     *        2 ms  External-IP-address-of-my-router-dynamic.agg2.ome.mvw-sla.foxconn.net [External IP address of my router] 

Trace complete.

Accessing my.domain.com from the laptop on my LAN doesn't resolve to the local ip address of the Pi but shouldn't it if dnsmasq was working?

Cheers,

Flex

[sora03]

Just to recap:

• I have a Windows 7 laptop running on the same network as the Pi.

• dnsmasq and a webserver running NextCloudPi (personal cloud server) are running on the Pi whose ip address is: 192.168.1.124

• When I type my.domain.com into the browser running on my laptop on my LAN I see the routers admin webpage because I am forwarded to the external IP address of my router (192.168.1.254) when the dns request should be intercepted by dnsmasq and resolved to the local ip addr of my Pi (192.168.1.124).

I ran the traceroute command...

From an SSH Putty session to my Pi:
traceroute from ssh session to Pi.jpg

From a Windows Command prompt on the Win 7 laptop:

Code: Select all

C:\Users\Me>tracert my.domain.com
Tracing route to domain.com [External IP address of my router]
over a maximum of 30 hops:

  1     7 ms     *        2 ms  External-IP-address-of-my-router-dynamic.agg2.ome.mvw-sla.foxconn.net [External IP address of my router] 

Trace complete.

Accessing my.domain.com from the laptop on my LAN doesn't resolve to the local ip address of the Pi but shouldn't it if dnsmasq was working?

Cheers,

Flex

but you can access nextcloudpi outside of your network (eg. in a different internet connection)

what the DNS configuration of your router and your PC? it should be set to the pi's IP and are you using any firewall in Pi and router?

can you try tracerouting outside of your LAN?

[FlexMcMurphy]

Hello again,

I think I have found the solution. I am using my Windows 7 laptop to access the website using my.domain.com.

Here is >> ipconfig /all

ipconfig BEFORE changing IPv6 Addressing type from DHCP to SLAAC - V2.jpg (97.84 KiB) Viewed 14246 times

It shows that an IPv6 DNS server is listed above the IPv4 DNS server which is the IP address of my Pi running dnsmasq.

Seemingly Windows 7 prioritises IPv6 communication over IPv4. So I guess that my Win 7 client was always going to my routers IPv6 DNS server instead of my dnsmasq server (192.168.1.124).

Here is some more information about IPv4 vs IPv6 priority in Windows 7 https://superuser.com/questions/436574/ ... le_rich_qa

There is also a work around for it... I tried the work around to force windows to give priority to IPv4 over IPv6 (a registry change followed by a reboot) but found that my.domain.com still resolved to the external IP address of my router and not the local IP address of the PI.

I disabled IPv6 completely in my router and this solved the problem because the windows client now only had the dnsmasq (IPv4) DNS server to talk to!

But I didn't like the idea of disabling IPv6 in my router so after a bit more research I found this link:, Only DNS server over DHCPv6: http://lists.thekelleys.org.uk/pipermai ... 09854.html and decided to try enabling IPv6 SLAAC addressing type in my router....... this solved the problem.. now ipconfig from my Windows machine gives:

ipconfig - All When IPv6 preferred over IPv4 - But IPv6 Addressing type changed from DHCP to SLAAC - V3.jpg (96.37 KiB) Viewed 14246 times

Notice how there is now only one Gateway (via IPv4) but the two DNS servers remain (IPv6 and IPv4).
According to Google, with SLAAC IPv6 addressing : “The router is acting as a stateless DHCP server. Its only role is to provide DNS server and domain name information to clients on this segment.” I don’t really understand what that means but I suspect this setup keeps me compatible with IPv6 whilst also working with dnsmasq.

I'm not sure why I need to use SLAAC addressing in my use case but others probably don't need to. I'm also not sure why the IPv6 DNS server is listed above my IPv4 dnsmasq server in the ipconfig /all output yet communication must be happening with the dnsmasq server and not the IPv6 DNS server.

But anyway, I hope this helps someone. Feel free to ask me any questions!

Flex

[sora03]

Hello again,

I think I have found the solution. I am using my Windows 7 laptop to access the website using my.domain.com.

Here is >> ipconfig /all
ipconfig BEFORE changing IPv6 Addressing type from DHCP to SLAAC.jpg


It shows that an IPv6 DNS server is listed above the IPv4 DNS server which is the IP address of my Pi running dnsmasq.

Seemingly Windows 7 prioritises IPv6 communication over IPv4. So I guess that my Win 7 client was always going to my routers IPv6 DNS server instead of my dnsmasq server (192.168.1.124).

Here is some more information about IPv4 vs IPv6 priority in Windows 7 https://superuser.com/questions/436574/ ... le_rich_qa

There is also a work around for it... I tried the work around to force windows to give priority to IPv4 over IPv6 (a registry change followed by a reboot) but found that my.domain.com still resolved to the external IP address of my router and not the local IP address of the PI.

I disabled IPv6 completely in my router and this solved the problem because the windows client now only had the dnsmasq (IPv4) DNS server to talk to!

But I didn't like the idea of disabling IPv6 in my router so after a bit more research I found this link:, Only DNS server over DHCPv6: http://lists.thekelleys.org.uk/pipermai ... 09854.html and decided to try enabling IPv6 SLAAC addressing type in my router....... this solved the problem.. now ipconfig from my Windows machine gives:
ipconfig - All When IPv6 preferred over IPv4 - But IPv6 Addressing type changed from DHCP to SLAAC - V2.jpg


Notice how there is now only one Gateway (via IPv4) but the two DNS servers remain (IPv6 and IPv4).
According to Google, with SLAAC IPv6 addressing : “The router is acting as a stateless DHCP server. Its only role is to provide DNS server and domain name information to clients on this segment.” I don’t really understand what that means but I suspect this setup keeps me compatible with IPv6 whilst also working with dnsmasq.

I'm not sure why I need to use SLAAC addressing in my use case but others probably don't need to. I'm also not sure why the IPv6 DNS server is listed above my IPv4 dnsmasq server in the ipconfig /all output yet communication must be happening with the dnsmasq server and not the IPv6 DNS server.

But anyway, I hope this helps someone. Feel free to ask me any questions!

Flex

I am not familiar with windows I stopped using it for about five years now it is too virus prone so I switched to Linux. Anyway, I also disabled my router's IPv6 because Pi-hole cannot block the ads. (pihole uses dnsmasq BTW) Does this solved your problem? dnsmasq also has ipv6 but I never tested it. You should redact your mac (physical addres in the screenshots). Did you try to change your router's dns address to the Pi so the request will be redirected to the Pi from your pc to router.

[FlexMcMurphy]

Hello,

Yes... I did change the Primary (IPv4) DNS of the router to be the local IP address of the Pi that is running dnsmasq.

Yes... switching off Ipv6 in the router solved the problem because then the Windows 7 "client" was not able to see the IPv6 DNS server in the router. I think it wasn't working because Windows 7 prefers to communicate over IPv6 and so requests originating from my Win 7 laptop were being routed by the router through a IPv6 DNS server every time and therefore never getting to my Pi which I had specified in the router as the Primary (IPv4) DNS server.

At least that is my understanding. If someone else can correct me that would be great, I still want to learn about this and to know if my solution is the best way method.

My solution:
I turned IPv6 back on in the router and changed the IPv6 addressing type from DHCP to SLAAC. Now accessing my.domain.com on my LAN resolves correctly to the local ip address of the Pi (also on my LAN) and not the external ip address of my router.

Flex