Dnsmasq Configuration to a Single IP - linux

I am using DNSMasq as a service on my network. The machine that has DNSMasq installed has two network cards. (the IP addresses are 192.168.1.5 and 192.168.1.6).
The issue I have run into is that I have a pod container running PiHole on the the same machine. When I reboot, PiHole fails to start because DNSMasq is using the ports required. PiHole is set to specifically use 192.168.1.6 (ports 80, 443, 52, 67). When I run # lsof - :67, I see that DNSMasq is listening to port 67 on both IP addresses when I have it specifically set to listen to only 192.168.1.5.
Is there another way to restrict DNSMasq to a single IP address (not loopback or localhost) and make it ignore a specific IP address (in this case, 192.168.1.6 is not touched by DNSMasq)?
Here is my /etc/dnsmasq.d/default.conf
no-resolv
no-poll
server=1.1.1.1
server=8.8.8.8
listen-address=192.168.1.5
interface=eno2
bind-interfaces

Related

Connecting to host from inside a docker container on linux requires opening firewall port

Background: I'm trying to have XDebug connect to my IDE from within a docker container (my php app is running inside a container on my development machine). On my Macbook, it has no issue doing this. However, on linux, I discovered that from within the container, the port I was using (9000) was not visibile on the host gateway (Using sudo nmap -sT -p- 172.20.0.1 where 172.20.0.1 is my host gateway in docker).
I was able to fix this issue by opening port 9000 on my development machine (sudo ufw allow 9000/tcp). Once I did this, the container could see port 9000 on the host gateway.
My Question: Is this completely necessary? I don't love the idea of opening up a firewall port just so a docker container, running on my machine, can connect to it. Is there a more secure alternative to this?
From what you've told us, opening the port does sound necessary. If a firewall blocks a port, all traffic over that port is blocked and you won't be able to use the application on the container from the host machine.
What you can do to make this more secure is to specify a specific interface to open the port for as specified here:
ufw allow in on docker0 port 9000 proto tcp
Obviously replace docker0 with the docker interface on your machine. You can find this by looking at the output of ip address show or by following the steps here if the interface name is not obvious.

dnsmasq forwards queries to 2 servers instead of 1

I'm having a small issue with dnsmsasq on debian-jessie, it seems to forward incoming DNS queries to 2 ports instead of 1.
Background:
Runs on a machine whose LAN IP is 192.168.0.10. Sits behind a home router. The home router is configured to forward DNS traffic to 192.168.0.10. That part works, I do see incoming traffic from the LAN onto this machine.
dnsmasq configuration:
>cat /etc/dnsmasq.conf | grep -v ^# | grep -v ^\s*$
domain-needed
bogus-priv
server=127.0.0.1#5053
cache-size=10000
My resolv.conf tells local processes to send DNS queries to dnsmasq
>cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
And dnsmasq, if it can't answer from its cache, then forwards incoming DNS traffic to another service running locally and listening on port 5053 via the server=127.0.0.1#5053 config. That service is something I build myself and it does not forward DNS queries to 8.8.8.8
This works but not the way I intended. DNS queries get answered properly. As expected, port 5053 shows traffic and even provides answers (though slower than GoogleDNS)
>tcpdump -l -n -i any '(port 5053) and (port 53)'
13:57:53.817522 IP 127.0.0.1.47207 > 127.0.0.1.53: 7494+ [1au] A? www.example.com. (44) # dnsmasq receives a query from `dig www.example.com` running locally
13:57:53.818609 IP 127.0.0.1.5258 > 127.0.0.1.5053: UDP, length 44 # dnsmasq forwards to local DNS Server listening on 5053
13:57:53.818970 IP 192.168.0.10.5258 > 8.8.8.8.53: 50849+ [1au] A? www.example.com. (44) # dnsmasq forwards to 8.8.8.8 on port 53 (Google DNS)
13:57:53.862170 IP 8.8.8.8.53 > 192.168.0.10.5258: 50849$ 1/0/1 A 93.184.216.34 (60) # dnsmasq receives answer from 8.8.8.8
13:57:53.862559 IP 127.0.0.1.53 > 127.0.0.1.47207: 7494 1/0/1 A 93.184.216.34 (60) # dnsmasq forwards answer to dig running locally
13:57:53.980238 IP 127.0.0.1.5053 > 127.0.0.1.5258: UDP, length 49 # dnsmasq receives answer from local DNS Server
So it appears dnsmasq tee's DNS queries to both
127.0.0.1 on port 5053, and almost immediately after also forwards to
8.8.8.8 on port 53
Why, what's wrong with my dnsmasq configuration, I expected traffic only on port 5053?
And where is that 8.8.8.8 coming from. Yes I know that's Google DNS, but where is dnsmasq or linux getting that IP from and which config file can I edit to change that?
>grep -r 8\.8\.8\.8 /etc/*.conf
returns nothing.

Linux port blocked - This site can't be reached, refused to connect

I set my linux as an access point, and then run simple web-server that print "hello world" at port 3000.
and connect it with my smart phone successfully.
in linux terminal, http://localhost:3000 works well.
But in smart phone,
If I access to http://172.24.1.105:3000, can't connect to it. (172.24... is ap's ip)
the chrome's error message is
This site can't be reached. 172.24.1.105 refused to connect
I searched Google (https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) and I suspicious linux's firewall.
pi#raspberrypi:~/prj/ap_server $ sudo tcpdump -n icmp
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
... when I access to port 3000,
15:07:13.102750 IP 192.168.0.3 > 168.126.63.2: ICMP 192.168.0.3 udp port 42531 unreachable, length 386
the log is above. so I couldn't reach ap's webserver.
so I wonder two things...
1. How can I disable to its port block?
2. in tcpdump log, I access to port 3000 actually, why the log print port 42531?
Plus)
even I type sudo service iptables stop, the problem is not solved
sudo netstat -ntlp | grep 3000 logs:
**tcp6 0 0 :::3000 :::* LISTEN 1999/nodejs**
+I followed this tutorial-> https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/ .
and there is ipv4 setting.
If you want to run it on your mobile it will work on Live IP (externel) address
if it is working fine on local address (localhost) and not on live IP then
enable routing from your router
and allow that specific port it will work fine.
I found the issue.
my dhcp set was
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
like above.
I tried to connect the external ip(172.24.1.105) that I can see on mobile continuously but got failed. but when I tried with 172.24.1.1, then success.
I don't know why. maybe there is accurate ip address and something in mobile is temporal.
See similar topic at Node JS not listening to port 1337 on server
Your web server is not listening remote address.

GRE Tunnel routing issue in Linux CentOS

I am creating GRE Tunnel between two Linux (CentOS6) servers using below steps.
On the master server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tun1 mode gre remote 98.123.87.97 local 106.61.58.98 ttl 255
ip addr add 10.0.1.0/24 dev tun1
ip link set dev tun1 up
ip addr add 98.123.87.95/27 dev eth0
On the slave server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.proxy_arp=1
sysctl -w net.ipv4.conf.all.proxy_arp=1
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tunx mode gre remote 106.61.58.98 local 98.123.87.97 ttl 255
ip addr add 10.0.2.0/24 dev tun0
ip link set tunx up
ip route add 98.123.87.95/27 dev tun0
I need to add slave server's IP into the on my master server, I am getting the ping response form tunnelled IPs (Slave Server's IP) and when I am trying to SSH the tunnelled IP (Slave IP) I am reaching to Masters(this is what I want).
Problem is when I am trying to send outgoing traffic like DNS query by Tunnelled IP(Slave IP) I am getting time out request.
I guess this is routing issue of one of my server. Any idea what should i do to get through my outgoing traffic by tunnelled IPs?
Thanks,
Are you really adding 10.0.1.0/24 address? This is a network address, looks like mistake.
Also, you shuold add default route(or route to dns servers or whatever you want) on client machine through your tunnel with gateway=another_end_of_tunnel.
Don't forget to add static route to your machine if you don't want to loose connection, before adding default route!

Linux Debian SSH connection to another machine has delay after network settings change

Hi StackOverflow members,
I have an issue with ssh connection on my Debian 7 system to a remote OpenSSH server located on the same network. It looks like there is some network configuration problem but I cann't find where it lays. This two debian machines are connect with a switch that is NOT connected to a router. So the two machines have no internet connection.
A-Debian 7
IP: 192.168.1.2
MASK: 255.255.255.0
GW: 192.168.1.1
B-Debian 7
IP: 192.168.1.3
MASK: 255.255.255.0
GW: 192.168.1.1
With that configuration the ssh command prompts my for a password in less then a second. But the with the following network configuration I get the password prompt after a 10+ second delay:
A-Debian 7
IP: 10.10.1.83
MASK: 255.255.255.128
GW: 10.10.1.1
B-Debian 7
IP: 10.10.1.82
MASK: 255.255.255.128
GW: 10.10.1.1
The ssh connection from the server A -> B runs with both configs on custom 1111 port.
The B machine has also a Web server running on port 8080 that has no delays with both net configurations.
Thank you in advance for any clues or tips how to solve that problem.
SOLVED: Removing of the gateway parameter "GW: 10.10.1.1" in the network settings has solved the problem.
The usual culprits here are IPv6 and DNS lookups.
SSH might try to connect via IPv6, first, but the timeout is too low for that. You can see whether IPv6 is enabled with
cat /proc/sys/net/ipv6/conf/eth0/disable_ipv6
To disable:
echo 1 > /proc/sys/net/ipv6/conf/eth0/disable_ipv6
The second culprit is DNS; my guess is that DNS lookups don't work correctly with the second configuration. Try host www.google.com to test this theory.
If that also has a delay, you need to fix your DNS setup.
If that's not it, check the rest of your networking parameters: Gateway, cables, etc.
Start to ping the other host. Is that fast & reliable?
Next, try remote login (ssh, telnet). Note that you can give telnet a port to connect to, so if you have DB server running, you can still use telnet to connect to the server. It will print an error but it allows you to test the TCP/IP connection without any extra error sources.

Resources