this post was submitted on 20 Jul 2023
26 points (90.6% liked)

Selfhosted

40030 readers
980 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
26
submitted 1 year ago* (last edited 1 year ago) by aesir to c/selfhosted
 

Hi,

What to do if the domain name of one of my webserver, that me and some lab members use for work related stuff, is no longer resolved by our university DNS? When I first noticed it, I could see no resolution at all while now the domain resolves to a wrong IP. The site can be normally reached on any other network so there is no problem on my side I think.

Should I just wait (now more than 24 hours) or should I try anything? I am entitled to complain to our IT even though the issue is only with this not-really-professional FreeDNS subdomain?

EDIT: apparently some automatism marked this domain as malicious (absolutely it is not, not willingly and not compromised) and somehow DNS resolves to CNAME sinkhole.paloaltonetworks.com.

top 32 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 1 year ago (1 children)

I would migrate the domain. Don't bother with flakey services. Cloudflare free tier can do some amazing things.

In the meantime set it in your host file to the correct IP to get by.

[–] aesir 7 points 1 year ago (1 children)

I see your point, but now I do not think it is FreeDNS fault. DNSChecker.org shows my domain name properly resolved worldwide, and so it has been for months. I also created a second subdomain just now, exactly as the non-working one, and was properly resolved within seconds at my work pc. So I do not blame FreeDNS, I think it is our internal DNS server that is messed up or even hijacked.

[–] [email protected] 1 points 1 year ago (1 children)

Try changing your DNS server in that case!

[–] aesir 1 points 1 year ago (2 children)

I tried to set it to 8.8.8.8 but I have still the same result. Can it be overridden at the router level? So far the only solution is to manually add the damn line to etc/hosts.

[–] [email protected] 3 points 1 year ago (2 children)

Probably not your problem but if 8.8.8.8 has some wrong DNS record cached you can flush the cache for one name at https://dns.google/cache and for 1.1.1.1 at https://one.one.one.one/purge-cache/

There are also commands on each of the major operating systems to flush local caches.

It is also possible that DHCP or IPv6 router advertisements reset your manual DNS setting of 8.8.8.8 depending on how you set it.

[–] marsara9 4 points 1 year ago (1 children)

Another thing that can be happening is that the router or firewall is redirecting all port 53 traffic to their internal DNS servers. (I do the same thing at home to prevent certain devices from ignoring my router's DNS settings cough Android cough)

One way you can check for this is to run "nslookup some.domain" from a terminal and see where the response comes from.

[–] aesir 1 points 1 year ago* (last edited 1 year ago) (1 children)

What does it mean?

nslookup my.domain.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    my.domain.com
Addresses:  ::1
          xx.x.xx.xxx (wrong IPV4 address from the other side of the world)

If I use 8.8.8.8 at home addresses is first of all "address" and is correct.

[–] marsara9 1 points 1 year ago* (last edited 1 year ago) (1 children)

That looks like 8.8.8.8 actually responded. The ::1 is ipv6's localhost which seems odd. As for the wong ipv4 I'm not sure.

I normally see something like requested 8.8.8.8 but 1.2.3.4 responded if the router was forcing traffic to their DNS servers.

You can also specify the DNS server to use when using nslookup like: nslookup www.google.com 1.1.1.1. And you can see if you get and different answers from there. But what you posted doesn't seem out of the ordinary other than the ::1.

Edit just for shits and giggles also try nslookup xx.xx.xx.xx where xx.xx.... is the wrong up from the other side of the world and see what domain it returns.

[–] aesir 1 points 1 year ago

Now it's pretty clear, I am mistaken for a malicious site (probably because many different computers in the lab started to exchange data with this obscure freedns subdomain) by this software from Palo Alto Networks https://www.gavstech.com/palo-alto-firewall-dns-sinkhole/ which rewrites the DNS response

[–] aesir 1 points 1 year ago* (last edited 1 year ago) (1 children)

Interesting, thanks. I think this is what it is happening. Feels like I can put whatever DNS server and still end up with an internal one.

[–] [email protected] 1 points 1 year ago

You can confirm this as follows. Grab a laptop and:

  • Confirm that on the university internet, 8.8.8.8 resolves the wrong domain.
  • Set up a hotspot from your mobile phone, connect the laptop there, then try again.

If the behaviour is different depending on your network, your uni must be redirecting DNS.

[–] [email protected] 1 points 1 year ago

Your host sets it's own DNS servers, if the router isn't on the list, they don't get pinged. Now they could try to man in the middle you, so you could try DNS over TLS, but it's probably not your issue.

You're DNS server settings likely never took hold. Like if you use a DHCP client, then override your DNS settings, that won't take effect until you request a new DHCP connection.

Some Linux distros will have local DNS servers that you always point to which are a pain to update as well. Not sure about Windows and MAC.

good luck man!

[–] MaxVerstappen 6 points 1 year ago (1 children)

Sounds like your university is using a Palo Alto Next Gen Firewall which is intercepting DNS requests and responding with the sinkhole FQDN for anything they deem malicious or suspicious. You can try to override this with DNS over HTTPS but they may also be blocking that. Standard security stuff. You can also probably try to open an IT ticket and request that they whitelist the domain.

[–] aesir 1 points 1 year ago (1 children)

So it seems. Do you think this was from the detected user activity? A colleague reported it was using it and it stopped working from one second to the next. Maybe some of his traffic looked suspicious? I am opening a ticket in any case today.

[–] MaxVerstappen 3 points 1 year ago

That is possible as well. Those firewalls are capable of packet inspection. If you are using personal devices it won't be able to see much if you are using encryption in transit but if you are using University provided machines there is a good chance they can inspect all the data you are sending and receiving.

[–] ChrislyBear 5 points 1 year ago (2 children)

Why are you using a crappy uni DNS? Why not 1.1.1.1 or OpenDNS or even Google's 8.8.8.8?

[–] [email protected] 8 points 1 year ago

That doesn't help when you run the server and other people have to access your website.

[–] aesir 2 points 1 year ago (1 children)

Well, the main point is I would need to manually change this for tens of pcs and its not my job, moreover other people should to the same on theirs. Nevertheless, I just tried 8.8.8.8 on a couple of PCs and I have the same issue! It appears that my DNS setting is irrelevant as it is overwritten down the chain, the only way I can reach the site is put the line in etc/hosts. Could it be?

[–] ChrislyBear 3 points 1 year ago (1 children)

Yes, your uni might intercept communication on port 53 and reroute it to their DNS servers. It's possible.

[–] [email protected] 2 points 1 year ago

In that case just use a DNS that listens on a different port

[–] HjFUN 3 points 1 year ago (1 children)

This may come down to details of their policies and how they interact and support each department. If it’s for your official work, and I’d say start with a ticket and if they resist then push it up the flag pole and don’t stop. (Assuming you’re not one,) Your PI ought to fight like hell to make sure their employees can do their jobs, and the chair fight to make sure their researchers can run their labs, and the dean much the same, but throwing heavier punches each step up. Really shouldn’t get to that point, but if you can’t do your job, rattle the cages until you can.

[–] aesir 2 points 1 year ago (1 children)

I already had contacts with our IT. I originally asked if they could host this service for us as it seemed the normal thing to do. They do not support anything custom (i.e. anything which is not a wordpress site) and just to give me a fourth level subdomain they wanted signatures from half the administration above me. That's why I'm rogue with selfhosting also work stuff. But I think I can still complain just because their DNS gives back random IPs. This could even be hijacking, no?

[–] [email protected] 2 points 1 year ago (1 children)

I would probably send along the output of dig your.domain @uni-ip and dig your.domain @8.8.8.8 and dig your.domain @1.1.1.1 and dig your.domain @your-domains-authoritative-dns-server if you have that or some similar DNS client tool installed that allows direct requests to specific servers. If you don't know the authoritative DNS servers for your domain, those are the ones in the NS records.

[–] aesir 2 points 1 year ago (1 children)

Nice, I am routed to sinkhole.paloaltonetworks.com I am a malicious domain apparently.

[–] MaxVerstappen 1 points 1 year ago

Are you hosting a service that is not under your organizations official domain or something? It is common security practice to block newly created domains which may be why your domain is blacklisted if you only recently stood it up.

[–] [email protected] 1 points 1 year ago (1 children)

Do you have a static IP? If not, have you tried some kind of dynamic DNS like DuckDNS?

[–] aesir 2 points 1 year ago (1 children)

The IP is static, and is resolved properly everywhere outside my university network

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

An the issue is only inside the network? I’d complain to IT about that, yeah. Maybe they are overriding the DNS record with their own DNS server or something.

Can you set your own DNS servers on your client devices? Does cloudflare or quad9 resolve it?

[–] aesir 1 points 1 year ago

I think this is exactly the case, they have some issues with the DNS server and, as some other comments indicate it is possible, they reset my settings for DNS servers at router level. So nor cloudflare or others can help, only the line in etc/hosts works

[–] [email protected] -2 points 1 year ago

Cloudflare tunnel is the easy solution here. It'll cost you a couple bucks a year for a domain name but you'll have no more DNS issues.