Resolving DNS, DHCP, IP issues

sternkrabbe · October 19, 2021, 3:59pm

NethServer Version: 7.9
Module: your_module

topology:
192.168.32.1: ROUTER = gateway with dhcp server, promotes 192.168.32.7 and 1.1.1.1 as DNS, also provides itself a miniature DNS service (<10 items as local DNS fallback)
192.168.32.6: nethserver instance, ovpn configured
192.168.32.7: nethserver nsdc controller
192.168.32.x: clients

From the beginning I encountered a small DNS glitch in my NS instance: an error stating that one or more DNS servers don’t answer. (addresses like 1.1.1.1, 9.9.9.9, 4.4.4.4, 8.8.8.8 …) I didn’t bother about this too much. Everything seemed to work somehow.

Lately I sometimes get a connection to my NS instance, when trying to connect to the router by IP in a browser. Thus, not the config screen of the router appears, but the website of the NS. This happens sometimes, at maybe 50 percent chance, not always. Which is weird. (I never could access local devices via ovpn tunnel, except xx.6 and xx.7, although I tried to set up a route and trusted network. Don’t know if this is relevant.)

But, most important: I cannot resolve any external domains, when propagating xx.7 as first DNS via the routers dhcp. Local DNS at xx.7 can’t resolve them for sure, but it stopped forwarding the request to another DNS. (Clients receive both DNS with the dhcp lease.)

So I have three questions:

Why do I have trouble with DNS servers of high availability?
Why does my NS instance deliver content when I ask for the router?
Why does my nsdc DNS not forward requests for external sites?

Where to look? - I am not a pro, just an enthusiastic end user, so verbosity is appreciated.

michelandre · October 19, 2021, 4:20pm

Hi @sternkrabbe,

First make sure there is only 1 DHCP server - you need only 1 DHCP per IP segment (192.168.32.0/24)
ROUTER 192.168.32.1 should promote itself as primary DNS and 1.1.1.1 as secondary DNS.
If it promotes 192.168.32.7 as DNS, then 192.168.32.7 will have itself as DNS => endless loop ???

Michel-André

sternkrabbe · October 20, 2021, 1:24pm

Hi Michel-André,

ad 1:
There are two candidates for DHCP service in the subnet, the router and thte NS. I activated DHCP in the router, and I think it’s inactive in NS. There’s no main DHCP switch in cockpit and it is not listed under “services”. The DHCP Tab itself shows no IP reservations, so I assume it is inactive.

One funny thing happens when searching the network in the NS DHCP Tab:

x.x.32.1 MAC of router neth.server.gsr
x.x.32.7 MAC of nsdc (unknown, locally administered)
x.x.32.16 MAC of router Draytek (router manufacturer, this is a VPN connection to the router)
and a few others.

The description of the first entry is wrong, I don’t know where it comes from. And and entry for x.6 (which is neth.server.gsr) is missing. In the router DNS, neth.server.gsr resolves to x.6, not to x.1

ad 2:
Since I use the nsdc as ADC I need to promote it as DNS for my clients. I also was thinking about some kind of a request loop. I would expect either the nsdc DNS to forward requests to another DNS (maybe one of those I can enter in NS cockpit) or the clients to try the second DNS if the first (nsdc DNS) cannot resolve it. But little I know about these things.

thx, Tobias

sternkrabbe · October 20, 2021, 2:55pm

at the moment, in NS terminal window:

[root@neth ~]# nslookup nethserver.org
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find nethserver.org.server.gsr: REFUSED

[root@neth ~]# ping 8.8.8.8
connect: Das Netzwerk ist nicht erreichbar
[root@neth ~]# nslookup neth.server.gsr
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   neth.server.gsr
Address: 192.168.32.6
** server can't find neth.server.gsr.server.gsr: REFUSED

michelandre · October 20, 2021, 3:16pm

Hi @sternkrabbe,

Install the Old Server Manager then go to https://server-ip:980. It’s easier to find someting than in Cockpit.

At the console, to find out the default gateway, try:

# route

Michel-André

sternkrabbe · October 20, 2021, 5:03pm

HI!

results of route:

[root@neth ~]# route
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.147.239.0    0.0.0.0         255.255.255.0   U     0      0        0 tunbackovpn
192.168.1.0     10.147.239.2    255.255.255.0   UG    0      0        0 tunbackovpn
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 tungsrovpn
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 tunrw

The default gateway seems missing?
The old dashboard shows 192.168.32.1 as gateway for green. It also tells me, that DHCP is not checked on green (the only interface).
The old interface has a different view on the gateways as well (diagnostics-network route):

10.147.239.0/24 dev tunbackovpn proto kernel scope link src 10.147.239.1 
192.168.1.0/24 via 10.147.239.2 dev tunbackovpn 
192.168.32.0/24 dev br0 proto kernel scope link src 192.168.32.6 
192.168.32.0/24 dev tungsrovpn proto kernel scope link src 192.168.32.1 
192.168.33.0/24 dev tunrw proto kernel scope link src 192.168.33.1

sternkrabbe · October 22, 2021, 11:49am

some success:

I added a route to green interface:
target: 0.0.0.0/0
router: 192.168.32.1
metrik: (nothing)

Now routing displays a default route again, and connects to the outside world. However the router IP still has a reverse revolving to neth.server.gsr, the name of the NS instance. (The wrong name is displayed as router). How can I find the culprit?

sternkrabbe · October 27, 2021, 3:29pm

It may be obvious to you, but I still have no idea about the necessary steps for a right configuration. E.g. the router ip still is answered by the NS webinterface. The second last entry here seems odd:

[root@neth ~]# route
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         router.gsr      0.0.0.0         UG    0      0        0 br0
10.147.239.0    0.0.0.0         255.255.255.0   U     0      0        0 tunbackovpn
192.168.1.0     10.147.239.2    255.255.255.0   UG    0      0        0 tunbackovpn
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 tungsrovpn
router.gsr      0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 tunrw

michelandre · October 27, 2021, 10:09pm

Hi @sternkrabbe,

Post a drawing of your network.

Michel-André

sternkrabbe · October 28, 2021, 8:22am

Network topolgy is as simple and straight forward as I wrote in posting #1. Everything is connected to a SOHO router. Drawing it would not display additional information. If you need to know anything, I will do my best to provide it.

In desparation, I yesterday ruined the configuration. Now I cannot connect to my NS instance anymore (http/ssh/smb/ping). However I can still ping to nsdc container from a LAN client.

I can physically access the NS server and log in. Services are up and running (tested systemctl status of httpd and smbd).

I will post my last cli commands and the outputs of route and ifconfig in next post, first I need to sort out the desk to work on. I will need to retype everything.

I am very grafeful, if I could reestablish connectivity to the machine.

sternkrabbe · October 28, 2021, 9:07am

output of ifconfig at the moment:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.32.6    netmask 255.255.255.0    broadcast 192.168.32.255
inet6 ...
ether (MAC) txqueuelen 1000 (Ethernet)
RX packets 64976656    bytes 13308934325 (12.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 254323581    bytes 162071058002 (150.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

... other interfaces ...

tungsrovpn: flags=4305<UP,POINTTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.32.1    netmask 255.255.255.0 destination 192.168.32.1
...
RX errors 0 dropped 0 overruns 0 frame 0
...
TX errors 0 dropped 0 overruns 0 carrier 0 collision 0

output of route at the moment:

Destination    Gateway      Genmask        Flags   Iface
default        router.gsr   0.0.0.0         UG     br0
...
192.168.32.0   0.0.0.0      255.255.255.0    U     tungsrovpn
router.gsr     0.0.0.0      255.255.255.255  UH    br0

sternkrabbe · October 28, 2021, 9:22am

I hope, those outputs are helpful. It’ inconvenient to retype it from monitor.

Some more oberservations:

LAN client can ping nsdc container at xx.7
LAN client cannot ping ns instance at xx.6 (request timeout)
ns instance can ping nethserver.org
ns instance can ping router.gsr (xx.1) - not sure WHO answers!
ns instance connot ping nsdc container at xx.7: no feedback, message after crtl+c: x packets transmitted, 100% packet loss
ns instance cannot ping any other client in LAN 192.168.32.0/24 - same as nsdc container
I can access ns webinterface and applications from outside LAN (from the internet), but cockpit is blocked, of course

I think, I need to add a route to LAN via the router. This was exactly what I wanted to do when I messed it up.

Shane_Treweek · October 28, 2021, 9:51am

On the x.6 machine in network is there a valid gateway set also your previous issues could (not definately though) be something simple like DNS being cached somewhere hence possibly returning an old ip

sternkrabbe · October 28, 2021, 10:15am

the output for route shows the setup on x.6 machine.

I assume there is no valid gateway, but I don’t know how to set it.

I understand the last entry of “route” as: route requests for router.gsr (192.168.32.1) to 0.0.0.0 (local machine). This entry was automatically generated by the system, not by me.

sternkrabbe · October 28, 2021, 11:23am

After a brutal reboot the situation seems to be much better. I need to evaluate.

Andy_Wismer · October 28, 2021, 11:36am

@sternkrabbe

Hi

As german-speaker, you know the old expression (Not only valid for Windows…):

Reboot tut immer gut!

Simplified english translation:
A reboot does a whole load of good!

My 2 cents
Andy

PS: Even for Linux, a reboot does start the host with all designated services in the right order…

sternkrabbe · October 28, 2021, 11:43am

well, it should not aply to a linux system…

I really still need to evaluate the situation, and if there are questions/problems left.

sternkrabbe · October 28, 2021, 2:04pm

overall, it seems I am back to some of my previous problems:

Bad:

error message: DNS servers are not responding
no ping to DNS servers 1.1.1.1, 9.9.9.9 from NS
no nslookup/ping whatsoever to outside world from NS
no connection to web interface and applications from outside

Good:

On the LAN client the IP x.1 now is correctly served by the router again.
ping to LAN client from NS is ok
ping from LAN client to NS and nscd is ok

Shane_Treweek · October 28, 2021, 3:14pm

Still sounds like there’s no gateway set so it doesn’t know where to send the ping as from what I understand 0.0.0.0 means any IP as in the same as *

in cockpit under system and network is anything set for gateway now (next to GW as per below image)

If not click configure then next and next and set the gateway to correct one I’m assuming for you it would be 192.168.32.1

sternkrabbe · October 28, 2021, 3:23pm

Hi!

yes, cockpit shows the correct gateway there: 192.168.32.1, which is the router device.

This is actual routing info from cockpit:

Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.32.1    0.0.0.0         UG    0      0        0 br0
10.147.239.0    0.0.0.0         255.255.255.0   U     0      0        0 tunbackovpn
192.168.1.0     10.147.239.2    255.255.255.0   UG    0      0        0 tunbackovpn
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.32.0    0.0.0.0         255.255.255.0   U     0      0        0 tungsrovpn
192.168.32.1    0.0.0.0         255.255.255.255 UH    0      0        0 br0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0        0 tunrw

Item #1 was manually added in cockpit gui.