this post was submitted on 17 Oct 2024
20 points (88.5% liked)

Selfhosted


Hi people. I am running pihole under podman and its dedicated system account on my NAS. Now, from the NAS, I get a connection refused on ip.of.the.nas:53, but everywhere else in my network pihole works perfectly. To run pihole as a rootless container, I made it listen on 1053 and I have a firewall redirection from 53 to 1053 for both UDP and TCP. Any pointer to where (and how) I can debug this?

Edit: Small precision about my current setup: ISP router (so I can't really do anything on it) and NAS running openSUSE Leap

top 13 comments
[–] JASN_DE 4 points 1 month ago (2 children)

The requests from the other machines go through the firewall and are being redirected; the requests from the NAS are basically trying to connect to localhost, so no redirection here as the requests aren't leaving the machine.

[–] BluescreenOfDeath 2 points 1 month ago (1 children)

I agree.

So the solution, OP, is to set the DNS settings on your NAS to your router's internal IP so the firewall can redirect the traffic to your new port.

[–] [email protected] 1 points 1 month ago (1 children)

As it's only a single device, I'd suggest configuring the DNS server for that to :1053. The port forwarding rule on the NAS firewall most likely applies only to 'incoming' traffic to the NAS, and as a locally generated DNS request isn't 'incoming' (you can think of 'incoming' traffic as everything coming via the ethernet cable into the NAS), the port redirection doesn't trigger as you're expecting.

[–] BluescreenOfDeath 2 points 1 month ago* (last edited 1 month ago) (2 children)

An inbound only DNS forwarding rule would be pointless. All DNS queries should be originating from within the network.

EDIT

I think I see what you're getting at. Assuming that the firewall is running on the NAS vs on the router.

The OP doesn't specify, but I would assume the firewall rule would be on the router, as that makes the most sense to force all DNS requests on the network to go through the pihole.

[–] [email protected] 1 points 1 month ago

I am still using my ISP's router, so the firewall rule is on the NAS (for now it is almost a do-it-all server); otherwise I would run the pihole on the router, I think.

[–] [email protected] 1 points 1 month ago (1 children)

If the firewall was running on a router then you'd need to DNAT back to the same network from which the requests originated, and that is (in general) quite a PITA to get running properly. My understanding is that the firewall doing port forwarding is running on the NAS. And we don't have much information on what that 'NAS' even is; I tend to think of devices like QNAP or Synology when talking about NAS boxes, but that might as well be a full Linux system just running CIFS/NFS/whatever.

OP could obviously use his router as a DNS server for the network and set the upstream DNS server for the router to pihole, but that's a whole different scenario.

[–] [email protected] 0 points 1 month ago (1 children)

For now my NAS is not really running anything (I want to have proper DNS/IDM before starting any other service, and for storage I think I may go with ownCloud oCIS or Nextcloud)

[–] [email protected] 1 points 1 month ago

NAS stands for 'Network Attached Storage' and there's dedicated hardware for that task from multiple brands. It's a somewhat specific thing, and from what I understand you have a multi-purpose server running on your network. For discussion it's better to use the established terminology to avoid confusion on what's what. Your generic server can of course act like a NAS, but a 100€ Synology NAS can't (for the most part) act as a generic server.

Similarly there's dedicated hardware for routers, and they are not the same as generic servers which can run whatever. Dedicated routers do some things way better/faster than a generic server, and there's pretty much always a trade-off between the two. You can of course install hardware in your server to be as good as or even better than any consumer-grade router and run pfSense in a virtual machine on top of it, but that's going to be at least more expensive than dedicated hardware.

So, your server is running pihole in a container on the same network address/hardware as the rest of your server, and I suppose you already gathered from other messages that the firewall component on it treats traffic coming from outside the server itself differently than traffic originating from the server itself. For this specific case I'd say it's just simpler to configure the server to use localhost:1053 as its DNS server than trying to work out firewall forwarding rules for it, if possible. If not, and you absolutely insist that your pihole runs on an unprivileged port and that your server also has to use pihole as DNS server, then you need to dig out a firewall config for outgoing traffic which redirects the destination port. Or you could set up a DNS proxy on the server which uses pihole as upstream and serves addresses to localhost only, or one of the other multiple ways to achieve what you're after, but each of those has some kind of trade-off and there are too many to go through in a single post.

[–] [email protected] 2 points 1 month ago

Thank you for the reply. It is exactly this

[–] InnerScientist 1 points 1 month ago (1 children)

Just set the DNS server to localhost:1053 for the nas?

[–] [email protected] 1 points 1 month ago (1 children)

Do you have any idea on how to do it? Knowing that I am on openSUSE

[–] InnerScientist 2 points 1 month ago* (last edited 1 month ago)

Well, on Linux I'd use systemd's resolved, which would listen on localhost:53 (it would also point resolv.conf there), and then set resolved's uplink server to your custom port. I don't have the exact config in mind, but it seems to support custom uplink ports ("expects IPv4 or IPv6 address specifications of DNS servers [...] optionally take a port number separated with ":" [...]")

Edit: found this: https://en.opensuse.org/Network_Management_With_Systemd
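The resolved approach described in this comment, as an added example (not the commenter's or the Pi-hole project's configuration): a small POSIX shell script that renders and installs a systemd-resolved drop-in pointing the NAS's own resolver at 127.0.0.1:1053, so locally generated queries never need the firewall redirect. The port, drop-in directory, and the assumptions that systemd-resolved is installed and that nothing else (such as netconfig on openSUSE) rewrites /etc/resolv.conf afterwards are mine.

```shell
#!/bin/sh
# Added example for the thread above, not taken from the original post.
# Makes the NAS itself resolve through a Pi-hole that listens on an
# unprivileged port (1053 here), using systemd-resolved as the local stub,
# so no firewall redirect is needed for locally generated queries.
# Assumes: systemd-resolved is installed, and nothing else (e.g. netconfig
# on openSUSE) rewrites /etc/resolv.conf afterwards.
set -eu

PIHOLE_PORT="${PIHOLE_PORT:-1053}"
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/resolved.conf.d}"

# Render the resolved drop-in. Upstream is 127.0.0.1:PORT (the DNS= key
# accepts "address:port"); the stub listener keeps answering on 127.0.0.53:53
# for local programs. FallbackDNS is emptied so resolved never falls back to
# its compiled-in public servers, which would bypass the Pi-hole blocklist.
render_resolved_dropin() {
    printf '[Resolve]\nDNS=127.0.0.1:%s\nFallbackDNS=\nDNSStubListener=yes\n' "$1"
}

# Install the drop-in and switch the system resolver to the stub listener.
install_dropin() {
    mkdir -p "$DROPIN_DIR"
    render_resolved_dropin "$PIHOLE_PORT" > "$DROPIN_DIR/pihole.conf"
    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
    systemctl enable --now systemd-resolved
    systemctl restart systemd-resolved
    # Check: "DNS Servers" should list 127.0.0.1:1053, and a lookup should
    # now succeed from the NAS without touching port 53 on its LAN address.
    resolvectl status
    resolvectl query example.com
}

# Only write to /etc when explicitly asked and running as root;
# otherwise just print the drop-in that would be installed.
if [ "${1:-}" = "install" ] && [ "$(id -u)" = 0 ]; then
    install_dropin
else
    render_resolved_dropin "$PIHOLE_PORT"
fi
```

Run it without arguments to preview the drop-in, and as `sudo sh script.sh install` to apply it; the Pi-hole container's own upstream servers are unaffected, since it does not use the host's resolv.conf.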

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Have you considered lowering the unprivileged port limit instead?

sudo sysctl -w net.ipv4.ip_unprivileged_port_start=53 | sudo tee -a /etc/sysctl.conf  

Then remove the firewall rule and bind to port 53.

Edit: typo