192.168.1.11 is the gateway of my network.
To set the macVlanGateway:
config setprop docker macVlanGateway 192.168.1.11
Apply the settings:
signal-event nethserver-docker-update
Right, I have discovered 2 things:
signal-event nethserver-docker-update
dig @192.168.1.8 www.clickbestbrands.com
; <<>> DiG 9.18.0 <<>> @192.168.1.8 www.clickbestbrands.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Still haven't quite figured out that one yet…
Do the following Docker logs mean anything to anyone, as I can't spot anything obvious?
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.693116359+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.857803044+01:00" level=warning msg="macvlan driver does not support port exposures"
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.899406144+01:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.899470847+01:00" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.939779169+01:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Apr 6 20:47:37 fileserver dockerd: time="2022-04-06T20:47:37.939863337+01:00" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Apr 6 20:47:38 fileserver containerd: time="2022-04-06T20:47:38.042093938+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/01c94a6af7e4a472b66026c8483382b85e81cb3460c2c2ed3720d3ad5aff0251/shim.sock" debug=false pid=2866
Apr 6 20:47:38 fileserver containerd: time="2022-04-06T20:47:38.067318440+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/8af78c7def510ea99de7866af7aa732b08b6582f0b6dbb841f415471ec4dad3b/shim.sock" debug=false pid=2873
Apr 6 20:47:39 fileserver dockerd: time="2022-04-06T20:47:39.324202845+01:00" level=info msg="Loading containers: done."
Apr 6 20:47:39 fileserver dockerd: time="2022-04-06T20:47:39.422772190+01:00" level=info msg="Docker daemon" commit=afacb8b graphdriver(s)=overlay2 version=19.03.8
Apr 6 20:47:39 fileserver dockerd: time="2022-04-06T20:47:39.422972369+01:00" level=info msg="Daemon has completed initialization"
Apr 6 20:47:39 fileserver dockerd: time="2022-04-06T20:47:39.474168317+01:00" level=info msg="API listen on /var/run/docker.sock"
Apr 6 20:47:45 fileserver containerd: time="2022-04-06T20:47:45.483996476+01:00" level=info msg="shim reaped" id=8af78c7def510ea99de7866af7aa732b08b6582f0b6dbb841f415471ec4dad3b
Apr 6 20:47:45 fileserver dockerd: time="2022-04-06T20:47:45.493398922+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Apr 6 20:47:45 fileserver dockerd: time="2022-04-06T20:47:45.649169880+01:00" level=warning msg="macvlan driver does not support port exposures"
Apr 6 20:47:45 fileserver dockerd: time="2022-04-06T20:47:45.669945815+01:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Apr 6 20:47:45 fileserver dockerd: time="2022-04-06T20:47:45.670021013+01:00" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Apr 6 20:47:45 fileserver containerd: time="2022-04-06T20:47:45.755407900+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/8af78c7def510ea99de7866af7aa732b08b6582f0b6dbb841f415471ec4dad3b/shim.sock" debug=false pid=5743
Apr 6 20:47:48 fileserver containerd: time="2022-04-06T20:47:48.657961332+01:00" level=info msg="shim reaped" id=01c94a6af7e4a472b66026c8483382b85e81cb3460c2c2ed3720d3ad5aff0251
Apr 6 20:47:48 fileserver dockerd: time="2022-04-06T20:47:48.667703575+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Apr 6 20:47:48 fileserver dockerd: time="2022-04-06T20:47:48.885159061+01:00" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Apr 6 20:47:48 fileserver dockerd: time="2022-04-06T20:47:48.885226940+01:00" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Apr 6 20:47:48 fileserver containerd: time="2022-04-06T20:47:48.972487342+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/01c94a6af7e4a472b66026c8483382b85e81cb3460c2c2ed3720d3ad5aff0251/shim.sock" debug=false pid=6843
I did get the following in the PiHole Logs, although not sure if any of it gives any clues at all:
[2022-04-06 19:47:49.008 485M] Using log file /var/log/pihole-FTL.log
[2022-04-06 19:47:49.008 485M] ########## FTL started on pi.hole! ##########
[2022-04-06 19:47:49.008 485M] FTL branch: master
[2022-04-06 19:47:49.008 485M] FTL version: v5.14
[2022-04-06 19:47:49.008 485M] FTL commit: 52e6b95
[2022-04-06 19:47:49.008 485M] FTL date: 2022-02-12 19:58:34 +0000
[2022-04-06 19:47:49.008 485M] FTL user: pihole
[2022-04-06 19:47:49.008 485M] Compiled for x86_64 (compiled on CI) using gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
[2022-04-06 19:47:49.008 485M] Creating mutex
[2022-04-06 19:47:49.008 485M] Creating mutex
[2022-04-06 19:47:49.009 485M] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2022-04-06 19:47:49.009 485M] SOCKET_LISTENING: only local
[2022-04-06 19:47:49.009 485M] AAAA_QUERY_ANALYSIS: Show AAAA queries
[2022-04-06 19:47:49.009 485M] MAXDBDAYS: max age for stored queries is 365 days
[2022-04-06 19:47:49.009 485M] RESOLVE_IPV6: Resolve IPv6 addresses
[2022-04-06 19:47:49.010 485M] RESOLVE_IPV4: Resolve IPv4 addresses
[2022-04-06 19:47:49.010 485M] DBINTERVAL: saving to DB file every minute
[2022-04-06 19:47:49.010 485M] DBFILE: Using /etc/pihole/pihole-FTL.db
[2022-04-06 19:47:49.010 485M] MAXLOGAGE: Importing up to 24.0 hours of log data
[2022-04-06 19:47:49.010 485M] PRIVACYLEVEL: Set to 0
[2022-04-06 19:47:49.010 485M] IGNORE_LOCALHOST: Show queries from localhost
[2022-04-06 19:47:49.010 485M] BLOCKINGMODE: Null IPs for blocked domains
[2022-04-06 19:47:49.010 485M] ANALYZE_ONLY_A_AND_AAAA: Disabled. Analyzing all queries
[2022-04-06 19:47:49.010 485M] DBIMPORT: Importing history from database
[2022-04-06 19:47:49.010 485M] PIDFILE: Using /run/pihole-FTL.pid
[2022-04-06 19:47:49.010 485M] PORTFILE: Using /run/pihole-FTL.port
[2022-04-06 19:47:49.010 485M] SOCKETFILE: Using /run/pihole/FTL.sock
[2022-04-06 19:47:49.010 485M] SETUPVARSFILE: Using /etc/pihole/setupVars.conf
[2022-04-06 19:47:49.010 485M] MACVENDORDB: Using /etc/pihole/macvendor.db
[2022-04-06 19:47:49.010 485M] GRAVITYDB: Using /etc/pihole/gravity.db
[2022-04-06 19:47:49.011 485M] PARSE_ARP_CACHE: Active
[2022-04-06 19:47:49.011 485M] CNAME_DEEP_INSPECT: Active
[2022-04-06 19:47:49.011 485M] DELAY_STARTUP: No delay requested.
[2022-04-06 19:47:49.011 485M] BLOCK_ESNI: Enabled, blocking _esni.{blocked domain}
[2022-04-06 19:47:49.011 485M] NICE: Cannot change niceness to -10 (permission denied)
[2022-04-06 19:47:49.011 485M] MAXNETAGE: Removing IP addresses and host names from network table after 365 days
[2022-04-06 19:47:49.011 485M] NAMES_FROM_NETDB: Enabled, trying to get names from network database
[2022-04-06 19:47:49.011 485M] EDNS0_ECS: Overwrite client from ECS information
[2022-04-06 19:47:49.011 485M] REFRESH_HOSTNAMES: Periodically refreshing IPv4 names
[2022-04-06 19:47:49.011 485M] RATE_LIMIT: Rate-limiting client making more than 1000 queries in 60 seconds
[2022-04-06 19:47:49.011 485M] LOCAL_IPV4: Automatic interface-dependent detection of address
[2022-04-06 19:47:49.011 485M] LOCAL_IPV6: Automatic interface-dependent detection of address
[2022-04-06 19:47:49.011 485M] BLOCK_IPV4: Automatic interface-dependent detection of address
[2022-04-06 19:47:49.011 485M] BLOCK_IPV6: Automatic interface-dependent detection of address
[2022-04-06 19:47:49.011 485M] REPLY_ADDR4: Using IPv4 address 0.0.0.0 instead of automatically determined IP address
[2022-04-06 19:47:49.011 485M] SHOW_DNSSEC: Enabled, showing automatically generated DNSSEC queries
[2022-04-06 19:47:49.011 485M] MOZILLA_CANARY: Enabled
[2022-04-06 19:47:49.011 485M] PIHOLE_PTR: internal PTR generation enabled (pi.hole)
[2022-04-06 19:47:49.012 485M] ADDR2LINE: Enabled
[2022-04-06 19:47:49.012 485M] REPLY_WHEN_BUSY: Permit queries when the database is busy
[2022-04-06 19:47:49.012 485M] BLOCK_TTL: 2 seconds
[2022-04-06 19:47:49.012 485M] BLOCK_ICLOUD_PR: Enabled
[2022-04-06 19:47:49.012 485M] CHECK_LOAD: Enabled
[2022-04-06 19:47:49.Stopping pihole-FTL
Starting pihole-FTL (no-daemon) as pihole
[2022-04-06 19:50:12.991 1443M] Using log file /var/log/pihole-FTL.log
[2022-04-06 19:50:12.991 1443M] ########## FTL started on pi.hole! ##########
[2022-04-06 19:50:12.991 1443M] FTL branch: master
[2022-04-06 19:50:12.991 1443M] FTL version: v5.14
[2022-04-06 19:50:12.991 1443M] FTL commit: 52e6b95
[2022-04-06 19:50:12.991 1443M] FTL date: 2022-02-12 19:58:34 +0000
[2022-04-06 19:50:12.991 1443M] FTL user: pihole
[2022-04-06 19:50:12.991 1443M] Compiled for x86_64 (compiled on CI) using gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
[2022-04-06 19:50:12.992 1443M] Creating mutex
[2022-04-06 19:50:12.992 1443M] Creating mutex
[2022-04-06 19:50:12.993 1443M] Starting config file parsing (/etc/pihole/pihole-FTL.conf)
[2022-04-06 19:50:12.993 1443M] SOCKET_LISTENING: only local
[2022-04-06 19:50:12.993 1443M] AAAA_QUERY_ANALYSIS: Show AAAA queries
[2022-04-06 19:50:12.994 1443M] MAXDBDAYS: max age for stored queries is 365 days
[2022-04-06 19:50:12.994 1443M] RESOLVE_IPV6: Resolve IPv6 addresses
[2022-04-06 19:50:12.994 1443M] RESOLVE_IPV4: Resolve IPv4 addresses
[2022-04-06 19:50:12.994 1443M] DBINTERVAL: saving to DB file every minute
[2022-04-06 19:50:12.994 1443M] DBFILE: Using /etc/pihole/pihole-FTL.db
[2022-04-06 19:50:12.994 1443M] MAXLOGAGE: Importing up to 24.0 hours of log data
[2022-04-06 19:50:12.994 1443M] PRIVACYLEVEL: Set to 0
[2022-04-06 19:50:12.994 1443M] IGNORE_LOCALHOST: Show queries from localhost
[2022-04-06 19:50:12.994 1443M] BLOCKINGMODE: Null IPs for blocked domains
[2022-04-06 19:50:12.994 1443M] ANALYZE_ONLY_A_AND_AAAA: Disabled. Analyzing all queries
[2022-04-06 19:50:12.994 1443M] DBIMPORT: Importing history from database
[2022-04-06 19:50:12.995 1443M] PIDFILE: Using /run/pihole-FTL.pid
[2022-04-06 19:50:12.995 1443M] PORTFILE: Using /run/pihole-FTL.port
[2022-04-06 19:50:12.995 1443M] SOCKETFILE: Using /run/pihole/FTL.sock
[2022-04-06 19:50:12.995 1443M] SETUPVARSFILE: Using /etc/pihole/setupVars.conf
[2022-04-06 19:50:12.995 1443M] MACVENDORDB: Using /etc/pihole/macvendor.db
[2022-04-06 19:50:12.995 1443M] GRAVITYDB: Using /etc/pihole/gravity.db
[2022-04-06 19:50:12.995 1443M] PARSE_ARP_CACHE: Active
[2022-04-06 19:50:12.995 1443M] CNAME_DEEP_INSPECT: Active
[2022-04-06 19:50:12.995 1443M] DELAY_STARTUP: No delay requested.
[2022-04-06 19:50:12.996 1443M] BLOCK_ESNI: Enabled, blocking _esni.{blocked domain}
[2022-04-06 19:50:12.996 1443M] NICE: Cannot change niceness to -10 (permission denied)
[2022-04-06 19:50:12.996 1443M] MAXNETAGE: Removing IP addresses and host names from network table after 365 days
[2022-04-06 19:50:12.996 1443M] NAMES_FROM_NETDB: Enabled, trying to get names from network database
[2022-04-06 19:50:12.996 1443M] EDNS0_ECS: Overwrite client from ECS information
[2022-04-06 19:50:12.996 1443M] REFRESH_HOSTNAMES: Periodically refreshing IPv4 names
[2022-04-06 19:50:12.996 1443M] RATE_LIMIT: Rate-limiting client making more than 1000 queries in 60 seconds
[2022-04-06 19:50:12.996 1443M] LOCAL_IPV4: Automatic interface-dependent detection of address
[2022-04-06 19:50:12.996 1443M] LOCAL_IPV6: Automatic interface-dependent detection of address
[2022-04-06 19:50:12.996 1443M] BLOCK_IPV4: Automatic interface-dependent detection of address
[2022-04-06 19:50:12.996 1443M] BLOCK_IPV6: Automatic interface-dependent detection of address
[2022-04-06 19:50:12.997 1443M] REPLY_ADDR4: Using IPv4 address 0.0.0.0 instead of automatically determined IP address
[2022-04-06 19:50:12.997 1443M] SHOW_DNSSEC: Enabled, showing automatically generated DNSSEC queries
[2022-04-06 19:50:12.997 1443M] MOZILLA_CANARY: Enabled
[2022-04-06 19:50:12.997 1443M] PIHOLE_PTR: internal PTR generation enabled (pi.hole)
[2022-04-06 19:50:12.997 1443M] ADDR2LINE: Enabled
[2022-04-06 19:50:12.997 1443M] REPLY_WHEN_BUSY: Permit queries when the database is busy
[2022-04-06 19:50:12.997 1443M] BLOCK_TTL: 2 seconds
[2022-04-06 19:50:12.997 1443M] BLOCK_ICLOUD_PR: Enabled
The logs look good. No ports are needed so we can ignore the warning.
Did you enable the docker repository and update to the latest version? I tested without updating docker.
EDIT:
Which docker version do you use?
rpm -q docker-ce
I haven't explicitly updated docker. Is that recommended?
docker-ce-19.03.8-3.el7.x86_64
docker 19.03 is over a year old so I think it's a good idea to update. Maybe it solves the issues…
EDIT:
No, there's an error. 192.168.1.8/27 is not a network, it's an IP in the range. The networks in this case are 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27, etc.
It depends on which IPs are already used but I recommend to use an IP range not used by other devices in your network to not overlap.
Subnet calculator helps a lot.
This is my working config now:
The network is 192.168.1.64/27, so the usable IP range goes from 65 to 94, 95 is broadcast and 96 the next network.
I used the first IP in the range which is 192.168.1.65 as piholeMacVlanIP
[root@testserver2 ~]# config show docker
docker=service
DirectLvmDevice=
IpAddress=172.28.0.1
Network=172.28.0.0/16
bridgeAeria=
enableRepository=enabled
macVlanGateway=192.168.1.11
macVlanLocalNetwork=192.168.1.0/24
macVlanNetwork=192.168.1.64/27
macVlanNic=br0
status=enabled
[root@testserver2 ~]# config show pihole
pihole=configuration
DNS1=8.8.8.8
DNS2=8.8.4.4
PhpMemoryLimit=512M
mac=00:60:2f:97:04:bb
password=admin
piholeAquaIP=172.28.45.1
piholeMacVlanIP=192.168.1.65
piholeNetwork=macvlan
timezone=UTC
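The subnet arithmetic above (a /27 has its network address on a multiple of 32, the first usable host is network+1, the last is broadcast-1) is easy to get wrong by hand. This added example, not part of nethserver-docker or this thread, checks a macVlanNetwork value the same way: it rejects a host address used as a network, lists the usable range, and flags the overlap cases raised later in the thread (a range that contains the gateway or another in-use address, or one outside the LAN so clients could not reach it). The LAN, gateway and sample addresses are the ones quoted in the thread; `used_ips` is an assumed list the administrator fills in.

```python
"""Validate a docker macvlan network the way the thread does by hand.
Added example; not the project's own validation code."""
import ipaddress


def check_macvlan(macvlan_network: str, local_network: str, gateway: str,
                  used_ips=(), pihole_ip=None) -> dict:
    """Return findings for a proposed macVlanNetwork; 'ok' is True when none."""
    findings = []
    lan = ipaddress.ip_network(local_network, strict=True)
    gw = ipaddress.ip_address(gateway)
    try:
        # strict=True refuses "192.168.1.8/27": host bits are set
        net = ipaddress.ip_network(macvlan_network, strict=True)
    except ValueError:
        # strict=False yields the network that actually contains that IP
        net = ipaddress.ip_network(macvlan_network, strict=False)
        findings.append(f"{macvlan_network} is not a network address; "
                        f"the network containing it is {net}")
    # macvlan clients share the L2 segment, so the range must sit inside the LAN
    if not net.subnet_of(lan):
        findings.append(f"{net} is outside the LAN {lan}; clients could not reach it")
    if gw in net:
        findings.append(f"gateway {gw} lies inside {net}")
    for ip in map(ipaddress.ip_address, used_ips):   # assumed inventory of in-use IPs
        if ip in net:
            findings.append(f"in-use address {ip} lies inside {net}")
    hosts = list(net.hosts())                          # excludes network and broadcast
    if pihole_ip is not None:
        p = ipaddress.ip_address(pihole_ip)
        if p not in hosts:
            findings.append(f"piholeMacVlanIP {p} is not a usable host in {net}")
    return {
        "ok": not findings,
        "network": str(net),
        "usable": (str(hosts[0]), str(hosts[-1])) if hosts else None,
        "broadcast": str(net.broadcast_address),
        "findings": findings,
    }


if __name__ == "__main__":
    # values from the thread: working /27, the mistyped host-as-network, the /30 suggestion
    for cidr, pi in [("192.168.1.64/27", "192.168.1.65"),
                     ("192.168.1.8/27", "192.168.1.8"),
                     ("192.168.1.248/30", "192.168.1.249")]:
        print(cidr, check_macvlan(cidr, "192.168.1.0/24", "192.168.1.11", pihole_ip=pi))
```

Run it before `config setprop docker macVlanNetwork …`; a non-empty `findings` list means the container will come up with an address that either collides with something on the LAN or is unreachable from it.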
Oh freaking heck! How did I mistype that and not see it! Well spotted, and I've corrected that.
I have also updated docker and it appears to be more stable, but the PiHole Admin interface does disappear temporarily if I am adding/removing software.
So that is one possible issue solved.
Still trying to sort out performing dig commands against PiHole and see why they are failing - but that is a job for tomorrow
I hoped the network issues are solved with correct macvlan.
The container needed to be removed and recreated to apply the changed IP address.
I tried to reproduce the error but still no luck.
This morning I turned the server on, deleted and recreated the container and confirmed that I could access the PiHole Admin.
After a couple of minutes I once again receive a 404 for the PiHole Admin.
The config is as follows:
[root@fileserver ~]# config show pihole
pihole=configuration
DNS1=8.8.8.8
DNS2=8.8.4.4
PhpMemoryLimit=1024M
mac=00:60:2f:c9:2c:8d
password=*************
piholeAquaIP=172.28.45.1
piholeMacVlanIP=192.168.1.8
piholeNetwork=macvlan
timezone=BST
[root@fileserver ~]# config show docker
docker=service
DirectLvmDevice=
IpAddress=172.28.0.1
Network=172.28.0.0/16
bridgeAeria=
enableRepository=enabled
macVlanGateway=192.168.1.11
macVlanLocalNetwork=192.168.1.0/24
macVlanNetwork=192.168.1.8/24
macVlanNic=br0
status=enabled
The Docker and PiHole logs do not indicate anything wrong.
When the PiHole Admin was accessible, I couldn't perform dig commands against it.
Really unsure what is going on here; there is obviously something small which I am missing and can't see.
yes update docker please
I've updated docker and the issue remains the same.
I think the problem is still that you use a macvlan network that results in a range that overlaps for example with your gateway.
Please use a macvlan range outside of used IPs in your local network.
You are using 192.168.1.8/24 as macvlan network, that's wrong.
The correct network address would be 192.168.1.0/24 but this will completely overlap with your LAN. Try to use a small range of unused IPs, see manual.
Let me give that a try
Okay, so done a bit of reconfiguring and this is what I have gone with:
# config show docker
docker=service
DirectLvmDevice=
IpAddress=172.28.0.1
Network=172.28.0.0/16
bridgeAeria=
enableRepository=enabled
macVlanGateway=192.168.1.11
macVlanLocalNetwork=192.168.1.0/24
macVlanNetwork=192.168.1.20/27
macVlanNic=br0
status=enabled
[root@fileserver ~]# config show pihole
pihole=configuration
DNS1=8.8.8.8
DNS2=8.8.4.4
PhpMemoryLimit=1024M
mac=00:60:2f:c9:2c:8d
password=JamieEricAndrew
piholeAquaIP=172.28.45.1
piholeMacVlanIP=192.168.1.30
piholeNetwork=macvlan
timezone=BST
There aren't any other IP addresses used within the /27 range (DHCP makes sure of that part) and the issue still happens.
So that begs the question: what would happen if I choose a completely different range for macVlanNetwork such as 192.168.2.0/27 while keeping the range for the rest of my LAN as 192.168.1.0/24?
Is br0 to automagically sort out the routing for that?
I'm sorry but that's wrong. You need to enter a valid network address.
Please use 192.168.1.248/30 as macvlannetwork and 192.168.1.249 as piholemacvlanip.
You need to remove/recreate the container to make it work.
I assume that the IPs from 192.168.1.248 to 192.168.1.251 are not used by other devices in your LAN.
pihole should now be reachable via 192.168.1.249.
It won't work because it needs to be the same network to be reachable for the clients.
So the good news is that the PiHole Admin appears to be more stable and consistently stays up which is a good thing.
When I try to perform a dig on my laptop, I get the following results:
jnesbitt ~ $ dig @192.168.1.249 cnn.com
; <<>> DiG 9.18.0 <<>> @192.168.1.249 cnn.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
When I ssh into the NethServer and run the same command, I get the same results.
The funny thing is, I can ping the PiHole IP just fine and I can also connect to the Shared Folders fine as well
Does your firewall block DNS queries? Maybe IPS, Threat shield or Fail2ban are blocking the query?
You could login to the pihole container by
pihole bash
and check if it listens on port 53 (DNS) and if dig works:
[root@testserver2 ~]# pihole bash
root@pi:/# ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.11:43600 0.0.0.0:*
udp UNCONN 0 0 [::]:53 [::]:*
tcp LISTEN 0 5 127.0.0.1:4711 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.11:34445 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 [::]:53 [::]:*
root@pi:/# dig cnn.com
; <<>> DiG 9.16.27-Debian <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57697
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 54 IN A 151.101.193.67
cnn.com. 54 IN A 151.101.65.67
cnn.com. 54 IN A 151.101.129.67
cnn.com. 54 IN A 151.101.1.67
;; Query time: 17 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Thu Apr 07 21:42:02 UTC 2022
;; MSG SIZE rcvd: 100
Ran the `pihole bash` and got the following results.
[root@fileserver ~]# pihole bash
root@pi:/# ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:49947 0.0.0.0:*
udp UNCONN 0 0 127.0.0.11:56476 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 [::]:53 [::]:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:4711 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.11:35856 0.0.0.0:*
tcp LISTEN 0 32 [::]:53 [::]:*
root@pi:/# dig cnn.com
; <<>> DiG 9.16.27-Debian <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7218
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 27 IN A 151.101.129.67
cnn.com. 27 IN A 151.101.193.67
cnn.com. 27 IN A 151.101.65.67
cnn.com. 27 IN A 151.101.1.67
;; Query time: 23 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Apr 08 12:27:15 BST 2022
;; MSG SIZE rcvd: 100
So from that aspect everything is looking good.
Not using IPS or Threat Shield or Fail2Ban. As far as I know no firewall, although I just discovered that Shorewall is running, but I haven't configured it at all. Is there a config I should apply to Shorewall just in case?
I also noticed that under Services in Cockpit, the Docker service does not have any access defined for it. Would that have any impact on this?
No, it should be auto-configured. Did you already check shorewall logs? (/var/log/firewall.log)
Do you use your NethServer as gateway? (at least 2 network interfaces)
I tested using only 1 interface, maybe it just occurs in gateway mode.
You may test to stop the firewall and check if the DNS query is working:
shorewall clear
Enable firewall again:
signal-event firewall-adjust
You could test if the port is open from NethServer or a client using nmap:
[root@testserver2 ~]# nmap 192.168.1.65
Starting Nmap 6.40 ( http://nmap.org ) at 2022-04-08 20:10 UTC
Nmap scan report for pi.hole (192.168.1.65)
Host is up (0.000021s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
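The `dig` failures above show "connection timed out; no servers could be reached", which means no datagram came back at all, not that the resolver refused the name. This added example, not code from Pi-hole or NethServer, sends a single UDP DNS A query (RFC 1035 wire format) with an explicit timeout so that the three outcomes can be told apart: no reply (filtered or unreachable, as the thread sees from the LAN), a reply with a non-zero RCODE, and a reply with A records (as seen from inside the container). The resolver address 192.168.1.249 is the one quoted in the thread; `make_response` only builds a constructed reply so the parser can be exercised offline.

```python
"""Probe a resolver on UDP/53 like `dig @server name`, separating
'no reply at all' from an actual answer.  Added example; not from Pi-hole."""
import random
import socket
import struct


def build_query(name: str, qid: int = None) -> bytes:
    """Standard recursive A query for `name` (RFC 1035 section 4.1)."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(buf: bytes):
    """Return (rcode, [IPv4 strings]) for the A records in a response datagram."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4           # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return rcode, answers


def make_response(query: bytes, ips, ttl: int = 54) -> bytes:
    """Constructed reply to `query` (test data only): QR+RD+RA, RCODE 0, A records."""
    qid = struct.unpack("!H", query[:2])[0]
    out = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0) + query[12:]
    for ip in ips:
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name pointer to offset 12
        out += bytes(int(o) for o in ip.split("."))
    return out


def probe_resolver(server: str, name: str, timeout: float = 2.0) -> dict:
    """One query to server:53; 'reachable' is False only when nothing came back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"reachable": False, "rcode": None, "answers": []}
    if data[:2] != query[:2]:                    # reply must echo our transaction id
        return {"reachable": True, "rcode": None, "answers": [], "error": "id mismatch"}
    rcode, answers = parse_a_answers(data)
    return {"reachable": True, "rcode": rcode, "answers": answers}


if __name__ == "__main__":
    # 192.168.1.249 is the Pi-hole macvlan address used in the thread
    print(probe_resolver("192.168.1.249", "cnn.com"))
```

Run it from a LAN client and then from the NethServer host: `reachable: False` from the client but a populated `answers` list from the host points at something between the two (the firewall or the macvlan segment) rather than at Pi-hole itself, which matches the `ss -tulpn` output showing port 53 bound inside the container.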
No, it's the default setting and shouldn't be an issue.