this post was submitted on 19 Sep 2023
9 points (84.6% liked)

Selfhosted

39939 readers
404 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone, I wanted to ask for some help regarding my DNS setup and for routing requests to my selfhosted services.

Currently I use Pi-Hole as a DNS server with my routers default DNS server as the upstream server. This allowed me to define local DNS entries using Pi-hole and route my requests to these domains directly to my local services. For example I bought a domain a while ago and in preparation for setting it up, I had it entered as a local DNS entry pointing directly to my servers IP address.

Earlier today I finally got around to setting up a cloudflare tunnel to expose one of my services to the outside world using the domain I bought. Ever since I did that, all requests to that domain seem to exit my home network, go through cloudflares network and then return through the tunnel, even though I have a local DNS entry for that domain name.

What I would prefer is for the request to be routed directly to my server instead, since I am in the same network already. Since my DNS server is the Pi-Hole, I figured this should happen automatically.

Is there an issue with my Pi-Hole setup? If there is any information missing I'll be happy to provide it. I wasn't sure what information I could safely post here.

Solution

I think I managed to fix the problem. After enabling the option Never forward reverse lookups for private IP ranges in Pi-Hole and clearing my DNS cache again, nslookup only returns local IP addresses instead of the IPv6 address of two cloudflare servers.

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

even though I have a local DNS entry for that domain name.

Easy to diagnose, what does nslookup return for the hostname?

[–] [email protected] 1 points 1 year ago (1 children)

It returned the local IPv4 address of the server and two IPv6 addresses belonging apparently belonging to a cloudflare server in california.

I think I managed to fix the issue though. I have updated my post to include my solution

[–] [email protected] 1 points 1 year ago

Ah that makes sense, if your server has an IPv6 address you could add another A record in Pihole for that. But it sounds like clearing the cache and stuff solved it.

[–] [email protected] 1 points 1 year ago (1 children)

I have the (more or less) same setup. Your DNS entries on your pihole instance should point to the local ip of your server (192.168.x.x).

If thats the case check the dns settings of your router. Under DHCP settings there should be a input field for your dns server. This has to be the local IP of your pihole.

One thing you could do to start diagnosing the Problem is running this command: nslookup servicename.yourdomain.tld. This should return your local IP and not a public one.

How do you determine that the requests are leaving your Network?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

When I use tracert I can see the package going through a server in Frankfurt which is definetely outside of my local network. The final IP address that tracert shows me is from a cloudflare server in california (2606:4700:3033::ac43:b10f) according to this site: https://whatismyipaddress.com/ip-lookup

Using nslookup for my domain I get 3 addresses. The first two are cloudflare addresses in the US. The final one is my servers local IP address.

[–] [email protected] 1 points 1 year ago (2 children)

Pihole seems to upstream your requests although there is a local entry for that domain in your settings. Maybe it has something to do with using IPv6? Maybe your device prefers the cloudflare IPv6 over your local IPv4 address.

Or Maybe your device queries your pihole as well as your Router to get the IP. Check your current dns server on your device: ipconfig /all (Windows)

[–] [email protected] 1 points 1 year ago

I think I fixed the issue by enabling the Never forward reverse lookups for private IP ranges option in Pi-Hole. After that I flushed my dns cache again and called tracert for my domain name. I only get one hop directly to my server now. nslookup also shows only local addresses now.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Looking at the output of that command I get the following for my ethernet network interface

DNS-Server  . . . . . . . . . . . : fd98:1919:5915:0:3053:4134:bdc9:295d
                                          192.168.1.60
                                           fd98:1919:5915:0:3053:4134:bdc9:295d

Using nslookup on that IPv4 address tells me that all of those addresses are pointing to my pi-hole

nslookup 192.168.1.60

Server: pi.hole
Address: fd98:1919:5915:0:3053:4134:bdc9:295d

Name: pi.hole
Address: 192.168.1.60

I've added another local DNS entry on my Pi-Hole which points the domain I use to the same server but this time uses its IPv6 address. That doesn't seem to help though or it takes some time to update. I flushed the DNS cache on my machine after adding this entry though.

[–] NeoNachtwaechter 1 points 1 year ago* (last edited 1 year ago) (1 children)

Is there a NAT involved?

In my config, the requests asking for my own servers from the internal network get answered the local address 192.something, and so they cannot get routed 'outside'.

When asking from the outside, I do not answer it, so they get the public address from a public DNS.

[–] [email protected] 1 points 1 year ago

I didn't set anything like that up. Is that something that might be enabled by default on my router? If so, how do I check it?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Some things that stand out to me:

  1. You're using your router's default DNS as the upstream server. Try specifying an upstream DNS in the settings instead.

  2. Try Pihole + Unbound

  3. Could you provide an anonymized example of how you set up the local DNS entry? E.g. Domain: sub.domain.com IP: 192.168.X.Y

[–] [email protected] 1 points 1 year ago

Thanks for your reply. I think I managed to solve this issue and have updated my post to reflect this. Apparently I had a setting disabled in Pi-Hole which caused my DNS requests to be forwarded upstream for some reason, even though there existed a local DNS entry.

[–] [email protected] 0 points 1 year ago (1 children)

Split DNS is a huge source of headaches. Be really sure that this is the route you want to go. It can easily lead to really weird situations and hard to diagnose errors.

[–] [email protected] 1 points 1 year ago (1 children)

Do you have a better alternative you can recommend? My upload rate isn't all that good so I would like to avoid having more traffic than necessary leaving my network if the target is within my network anyway.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

I’m going to get stoned for suggesting this in this community, but if your upstream is poor you should consider hosting it outside. Of course this depends on many things.

The most obvious solution is to have an alias for both ways to actress the service, and configure the service accordingly. It needs a bit of care to set up reverse proxies and certificates and everything but it makes it clear whether you want to connect to the inside or the outside version. Obviously this means that it won’t switch automatically when your connection changes, but that is a feature.

Another option is to keep doing what you’re doing and just is the tunnel.

The final way is just to keep it inside and use something like zero tier or tailscale.

[–] [email protected] 1 points 1 year ago

Outside hosting isn't really something I want to consider. I didn't mention this in my post but this setup is for my media server which needs a lot of storage space. I don't know about the pricing for a VPS but I am pretty sure it isn't as cheap as I would want it. Also uploading my media to a VPS with my upload rate would take a lot of time whenever I want to add something new.

Using two hostnames for accessing the same service isn't really an option either unfortunately. The specific part I'm trying to set up is a navidrome server for music. The app I use to access the server is called Symfonium and can only add one address per media server. I could get around that by adding multiple media sources but that would result in all of my media appearing twice in searches.