"Special" treatment of port 53 does not work in all cases
-
I tried installing AdGuard Home to give it a try. However, I noticed that I wasn't getting any responses to DNS queries I was throwing at the Cloudron machine. I connected in through ssh, and checked netstat -anlp, and saw that port 53 was only bound on one of the two interfaces that machine has.
I went digging, and found that src/docker.js treats port 53 in a special manner (see getLowerUpIp). This doesn't work for my specific case, where I have two interfaces, and one of those interfaces is for a special internal-only purpose and doesn't really have any external network access.
I'm not sure how this could best be resolved. I guess the easy solution might be to bind to all external interfaces, rather than just the first?
-
I tried installing AdGuard Home to give it a try. However, I noticed that I wasn't getting any responses to DNS queries I was throwing at the Cloudron machine. I connected in through ssh, and checked netstat -anlp, and saw that port 53 was only bound on one of the two interfaces that machine has.
I went digging, and found that src/docker.js treats port 53 in a special manner (see getLowerUpIp). This doesn't work for my specific case, where I have two interfaces, and one of those interfaces is for a special internal-only purpose and doesn't really have any external network access.
I'm not sure how this could best be resolved. I guess the easy solution might be to bind to all external interfaces, rather than just the first?
@robin would it work for you if I made it bind to all the IPv4 interfaces (other than loopback)?
We have to figure a way to filter out all the internal docker interfaces and bridges.
You can quickly check this like below on your server:
$ node Welcome to Node.js v14.15.4. Type ".help" for more information. > os.networkInterfaces() -
I tried installing AdGuard Home to give it a try. However, I noticed that I wasn't getting any responses to DNS queries I was throwing at the Cloudron machine. I connected in through ssh, and checked netstat -anlp, and saw that port 53 was only bound on one of the two interfaces that machine has.
I went digging, and found that src/docker.js treats port 53 in a special manner (see getLowerUpIp). This doesn't work for my specific case, where I have two interfaces, and one of those interfaces is for a special internal-only purpose and doesn't really have any external network access.
I'm not sure how this could best be resolved. I guess the easy solution might be to bind to all external interfaces, rather than just the first?
@robin Ideally, I would want to bind to 0.0.0.0 but we can't because there is an internal DNS server on port 53. The code then needs a way to bind explicitly to the "external" interfaces of the server.
Looks like we can:
ls -l /sys/class/net/ | grep -v virtualand this lists potential interfacesip link show- this shows even the virtual interfaces. not sure how i can filter them out . there isip link show typebut cannot find a suitable type option to use
-
@robin would it work for you if I made it bind to all the IPv4 interfaces (other than loopback)?
We have to figure a way to filter out all the internal docker interfaces and bridges.
You can quickly check this like below on your server:
$ node Welcome to Node.js v14.15.4. Type ".help" for more information. > os.networkInterfaces()@girish Yeah, binding to all interfaces would work for me. And I think it's reasonable enough to assume that Cloudron can "own" any interfaces it is given access to, just like a 0.0.0.0 bind would normally, so that seems fine...
Some searching finds me this, which looks potentially useful:
The one liner given there (with jq) does indeed report only the two physical interfaces I have:
# ip -details -json link show | jq -r ' > .[] | > if .linkinfo.info_kind // .link_type == "loopback" then > empty > else > .ifname > end > ' enp1s0 enp2s0 -
@girish Yeah, binding to all interfaces would work for me. And I think it's reasonable enough to assume that Cloudron can "own" any interfaces it is given access to, just like a 0.0.0.0 bind would normally, so that seems fine...
Some searching finds me this, which looks potentially useful:
The one liner given there (with jq) does indeed report only the two physical interfaces I have:
# ip -details -json link show | jq -r ' > .[] | > if .linkinfo.info_kind // .link_type == "loopback" then > empty > else > .ifname > end > ' enp1s0 enp2s0 -
@robin thanks, I have fixed it here -https://git.cloudron.io/cloudron/box/-/commit/1e665b63234ba7cfdfd6d16679a2261418c7449c . It will be in the next release.
