#dnsmasq

Enable pi-hole along with hotspot #networkmanager #dns #hotspot #dnsmasq

https://askubuntu.com/q/1536165/612

What's the easiest way to set up (e.g. using a nice script or other program) a local #DNS on a range of platforms, and configure it to handle wildcard subdomains on #localhost?

A quick search shows #dnsmasq can be used on Linux and Windows at least, but I wonder if anyone has faced this problem before and made a neat cross-platform solution?

I want <anything>.localhost to resolve to localhost and be handled by a server which runs on the local device (ideally Win, Mac, Linux and Android).

ICYMI: Ali Imran Nagori looks at the automatic installation method rolled out with Ubuntu 22.04, which borrows some tools from the cloud configuration toolbox
https://www.linux-magazine.com/Issues/2024/288/Ubuntu-autoinstall-with-cloud-init
#Ubuntu #cloud #YAML #TFTP #OpenSource #dnsmasq #DNS #DHCP #FOSS

It's a minor issue that we had with Dnsmasq, but we've run into this issue and documented it, so you don't have to

"Dnsmasq does not start because port 53 is busy"

https://blog.zero-iee.com/en/posts/dnsmasq-startup-error-with-systemd-resolved/

#dnsmasq #linux #ubuntu #server #dhcp #dns #resolved #systemdResolved

Seamlessly access local services on LAN and Tailnet

As I am passionate about self-hosting, I have been setting up various services in my homelab, in addition to those on my cloud servers. I have also been using Tailscale to access my devices and services while not at home. So I have wanted to have a seamless way to access the services, irrespective of whether I am on my home local area network (LAN) or connected to it via Tailscale. Below are my requirements for such a setup.

All the devices/services should be accessible using a fully-qualified domain name (FQDN), under a domain that I own and control. This rules out the auto-generated Tailscale subdomains.
I have a LinuxServer.io SWAG reverse proxy in front of all the services in my homelab, and it provides TLS termination. So I would like to access the existing services using TLS at all times.
While I could set up a Tailscale subnet router that allows access to my LAN, I do not want to allow the devices on my Tailnet full access to my LAN. And I do not want to redo my home LAN setup to isolate things to be able to do this.
The FQDNs of the exposed services should resolve to a LAN IP address when I am in my home LAN and to a Tailnet-specific address when I am not at home and connected to my Tailnet.
It should be possible to expose more services using this setup in the future, even if they are not behind the SWAG reverse proxy.
The base domain that I want to use for this should not have any publicly accessible DNS records pointing to private IP addresses for this setup to work.
The resulting setup should integrate into my existing docker-compose configuration.

The Tailscale docker documentation illustrates a way to expose LAN services on a Tailnet, but the example on that page causes the service(s) to be accessibly only over the Tailnet. So it doesn’t work for me.

To start, I added a Tailscale docker container to my compose.yaml file using a configuration like

tailscale: image: tailscale/tailscale container_name: tailscale hostname: <tailnet device name> environment: - TS_ACCEPT_DNS=true - TS_AUTHKEY=<authkey or OAuth2 client secret> - TS_EXTRA_ARGS=--advertise-tags=tag:docker - TS_ROUTES=172.21.0.0/24 volumes: - ./config/tailscale/state:/var/lib/tailscale - /dev/net/tun:/dev/net/tun cap_add: - net_admin - sys_module networks: tailnet-subnet: ipv4_address: 172.21.0.11 restart: unless-stoppednetworks: tailnet-subnet: ipam: config: - subnet: 172.21.0.0/24

For this to work, I had to define a tag named docker and add it to my Tailscale ACLs. I also added an ACL to auto-approve the routes advertised by this container.

{ // other configuration"tagOwners": {"tag:docker": ["autogroup:admin"],}, "autoApprovers": {"routes": {"172.21.0.0/24": ["tag:docker"],},}, // other configuration}

With this, all the containers that get added to the tailnet-subnet network and have an IP address in the 172.21.0.0/24 subnet will be accessible over my Tailnet. So I updated the configuration of the swag container to add it to the tailnet-subnet network.

swag: image: lscr.io/linuxserver/swag container_name: swag cap_add: - NET_ADMIN environment: - var1=value1 - var2=value2 volumes: - ./config/swag:/config ports: - 443:443 - 80:80 networks: tailnet-subnet: ipv4_address: 172.21.0.12 default: restart: unless-stopped

In the above snippet, I added the tailnet-subnet network to the networks key and assigned it a static IP address in its subnet, 172.21.0.12. Since the default network was implicitly included before and adding a different network will remove the implicit inclusion, I have also explicitly added the default network.

With these configuration changes, the swag container was accessible at the 172.21.0.12 IP address over my Tailnet. But I still needed to set up DNS to access the services by domain name.

Tailscale provides a way to add a restricted nameserver for a specific domain using split DNS. So I needed a DNS server that resolved the domains of the services hosted on the swag container to its Tailnet subnet IP address, 172.21.0.12.

For this, I took inspiration from jpillora/dnsmasq and created a custom Dockerfile that set up a dnsmasq resolver.

FROM alpine:latestLABEL maintainer="email@domain.tld"RUN apk update \ && apk --no-cache add dnsmasqRUN mkdir -p /etc/default \ && echo -e "ENABLED=1\nIGNORE_RESOLVCONF=yes" > /etc/default/dnsmasqCOPY dnsmasq.conf /etc/dnsmasq.confEXPOSE 53/udpENTRYPOINT ["dnsmasq", "--no-daemon"]

Then I created a dnsmasq.conf configuration file that looks like the following snippet.

log-queriesno-resolvaddress=/domain1.fqdn/172.21.0.12address=/domain2.fqdn/172.21.0.12

Then I added the following snippet to my compose.yaml file to add the dnsmasq container.

dnsmasq: build: "./build/dnsmasq" container_name: dnsmasq restart: unless-stopped volumes: - ./config/dnsmasq/dnsmasq.conf:/etc/dnsmasq.conf networks: tailnet-subnet: ipv4_address: 172.21.0.3

Then I ran docker compose build to build the container, and docker compose up -d dnsmasq to start it. With that, I had a DNS resolver to resolve my domain names in the Tailnet.

You might notice error messages in the dnsmasq container’s logs that look like dnsmasq: config error is REFUSED (EDE: not ready). This happens because we have not defined any upstream servers that dnsmasq can use. But since we want this dnsmasq instance to resolve only our domain names, this is okay and the error can be ignored.

Then on my Tailscale admin dashboard, I added a custom nameserver for my domain name and configured 172.21.0.3, the IP address of the dnsmasq container, as the address of the server to use. Now, all the devices on my Tailnet could access the services on my swag container by domain name.

I have an existing DNS setup on my home LAN that resolves the same domain names to the LAN IP addresses. So now, with this setup for Tailscale, my devices can seamlessly access the private services on my LAN and Tailnet.

If I want to add a new service to this setup, it is as easy as adding the tailscale-subnet network to it, and adding the DNS records to dnsmasq docker container’s configuration file and the resolver in my home LAN.

#dnsmasq #Docker #dockerCompose #Tailnet #Tailscale

I'm trying to figure out why dnsmasq is being denied by AppArmor when trying to use it with libvirt stuff and not allowing Virt-Manager to show an IP address in the VM config but nothing shows up. Already tried disabling the dnsmasq profile.

#AppArmor #Linux #dnsmasq #virtualization #libvirt #VirtManager

edit:
Okay, apparently this is not possible

#dnsmasq #dns

Since I don't know how to turn this into a search engine query:
If I cofig dnsmasq to forward a specific TLD to a specific (authoritative) server, and this server returns a CNAME entry to another TLD for a query, it seems dnsmasq (or maybe, rather, the authoritative server?) will not automatically return the address of the CNAME - which results in browsers saying "no such domain"?

I.e.:
server=/fur/178.63.26.172
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto

$ dig www.nic.fur +short
inet.v8.fellig.org.


vs

$ dig www.nic.fur +short @80.152.203.134
inet.v8.fellig.org.
49.12.203.237


Can I make dnsmasq automatically "follow-up" on the CNAME response itself?

Ich brauch mal kurz #followerpower

Wie finde ich die #UID von #dnsmasq unter #iodeOS heraus? Handy ist gerootet.

Ich will ausprobieren, ob folgendes bei mir auch beim Tethering hilft:
iptables -I afwall-wifi-tether 1 -p udp -m owner --uid-owner 1052 -m udp --sport 53 -j RETURN
iptables -I afwall-wifi-tether 1 -p tcp -m owner --uid-owner 1052 -m tcp --sport 53 -j RETURN

Edit: Die Befehle von omaer0 haben bei mir nichts bewirkt. Keine Ausgabe.

https://github.com/ukanth/afwall/issues/1219

#DNSMasq be like, "Hey, kids! You want some DHCP?" (DHCPOffer)

This costed me *hours*. If you ever have this problem with #FreeBSD pkg:
------------------
pkg: No SRV record found for the repo 'FreeBSD'
pkg: packagesite URL error for pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly/data.pkg -- pkg+:// implies SRV mirror type
-----------------
In other words, your computers fail to resolve "SRV" DNS records ... AND you are using #dnsmasq or #openwrt, then:

Check whether you have the option "filterwin2k" on. Switch it off. In the #openwrt router it is disguised as "Filter useless".

Just upgraded my router and I have #IPv6 enabled now. Before it was too confusing for me to figure out what to do for it to work, but since the last #DDWRT version I had, it's been simplified so I just needed to add #Quad9 and use the DHCPv6 with Prefix Delegation and shortly later #Charter gave me an IPv6 WAN address. If you have a WRT1200ACv1, the May 14, 2024 build has issues with #DNSmasq so you get no Internet but the May 13, 2024 (r56359) doesn't seem to yet.
1/2

#mikrotik #dnsmasq container…

/container add cmd="sh -c \"if [ ! -e /usr/sbin/dnsmasq ]; then apk add --no-cache dnsmasq; fi; exec dnsmasq -d -\ h -2 eth0 -a 10.0.1.3 -A /www.pixiv.net/10.0.0.1\"" comment=dnsmasq dns=10.0.1.1 interface=\ "container 2" logging=yes start-on-boot=yes

need to explicitly bind to ip it seems

Anyone know if it's possible to generate #DNS64 entries locally on #OpenWRT? The service I use (at 2606:4700:4700::64) seems to be misbehaving, but DNS is reported to be fully functional on the Cloudflare status page. It seems like #dnsmasq ought to have all the information it needs to generate an AAAA record corresponding to the A record, so I could just use standard #DNS upstream, but I can't figure out how to do it.

@Shamar I'm used to #dnsmasq, but there are probably others. I use it to serve my local network's #DHCP+#DNS coordinated services, meaning if a new client tells the DHCP server its hostname, DNS will abide to it and the rest of the machines will be able to reach it by name.

As for the system wide config, it depends a lot on which tool you're using to configure your network interfaces. It's most probably #NetwortManager, so check it's doc about setting a fixed DNS server.

Alongside my page on the Chyron, I've also documented how to network-install #WindowsXP from a #Linux system using #Samba, #tftpd and #dnsmasq

https://www.philpem.me.uk/computer/winxp_netinst

... and all because I couldn't get XP Setup to boot off of a USB stick I made with Rufus!

Several #DNSSEC related #vulnerabilities disclosed resulting in #resourceexhaustion and potential #denialofservice of DNS servers. If you're running DNS server(s) such as #bind or #unbound update as soon as possible. Apparently also #dnsmasq is affected. https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ #infosec #cybersecurity

#dnsmasq version 2.90 released with fixes for CVE-2023-50387 and CVE-2023-50868.

The issue is only a security vulnerability if #DNSSEC is enabled.

#SysAdmin #DNS
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html

@mike #DNSmasq on #OpenWRT (#TurrisOmnia) and #Bind9 to define my own public NS.

@ericphelps I used to use #dnsmasq for local caching way back in the pre-fibre days, when DNS lookups took a noticeable amount of time and my local network was more than one or two computers. https://en.wikipedia.org/wiki/Dnsmasq

So I realized that I need to focus on the logs, more than behavioral observation...

I restarted #dnsmasq having a terminal showing a tail of var/log/deamon.log and another one showing a tail of /var/log/syslog` and I catched this message:

Oct 23 06:10:16 dagobah dnsmasq[23309]: reading /run/dnsmasq/resolv.conf Oct 23 06:10:16 dagobah dnsmasq[23309]: using nameserver 192.168.0.1#53

server=149.112.112.112 server=9.9.9.9 server=1.0.0.1 server=1.1.1.1

Oct 23 06:21:54 dagobah dnsmasq[23939]: query[A] ladragonera.com from 192.168.0.40 Oct 23 06:21:54 dagobah dnsmasq[23939]: forwarded ladragonera.com to 1.1.1.1 Oct 23 06:21:55 dagobah dnsmasq[23939]: reply ladragonera.com is 89.245.8.125

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

about:networking#dns