DNS Fails if Firewall is enabled

My YunoHost server

Hardware: Older amd64 PC. Yunohost is installed on bare metal
YunoHost version: 4.3.6.3
I have access to my server: Through SSH, through the webadmin and I have direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: No

Description of my issue

Hello everyone! I’m facing a problem but I’ll give you a timeline of events to make sure I don’t miss any important details that might help:

  1. I was using YunoHost and no problems occurred for months

  2. I did an update of my system and apps (I do this every few days so I can’t tell when exactly)

  3. I didn’t have time to check on it and after about a week apps stopped working

  4. I can’t remember if my server was turned off or if the apps simply didn’t respond and I rebooted it, but a reboot happened.

  5. It didn’t turn on so I checked what was going on and I noticed weird NCQ DMA related problems along the lines of Unable to read next inode

  6. I ran e2fsck to solve the problem, and it worked like a charm

  7. The admin dashboard is super slow now and updates don’t work.

So I started looking into what was going on and narrowed down to this post on the forum. If I understand correctly, this problem was not solved in the end and now I’m facing the exact same situation.

If the firewall is turned on, DNS resolution does not work. If I turn it off poof it does.

Examples and … stuff:

Contents of my /etc/resolv.conf

cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Stopping firewall and running dig

yunohost firewall stop
dig google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25073
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             104     IN      A       142.251.16.139
google.com.             104     IN      A       142.251.16.101
google.com.             104     IN      A       142.251.16.113
google.com.             104     IN      A       142.251.16.100
google.com.             104     IN      A       142.251.16.138
google.com.             104     IN      A       142.251.16.102

;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 06 18:14:48 CEST 2022
;; MSG SIZE  rcvd: 135

Reloading firewall and dig-ing again

firewall reload
Warning: Some firewall rule commands have failed. More info in log. # What?
opened_ports: 
  - 22
  - 53
  - 80
  - 443
  - 5353
  - 8097
  - 22000

dig google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Pinging 8.8.8.8

ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=2.57 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=2.32 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=2.39 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 2.321/2.427/2.569/0.111 ms

My iptables-save output

iptables-save
# Generated by xtables-save v1.8.2 on Wed Jul  6 18:21:51 2022
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 8097 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Wed Jul  6 18:21:51 2022

Ideas

As far as I understood - and bear with me because I’m not an expert with hardware-related stuff - I had a disk corruption and that’s why I needed e2fsck to fix messed-up blocks, inodes, etc.

Could this result in this weird problem? It’s entirely reproducible: I can stop the firewall, do updates, have everything work perfectly, but as soon as I enable it everything goes haywire.

There are also “Failed firewall commands” but I have no idea how to check them. Those could result in behavior like this, I assume, so I guess I should start there?


Anyways, if you check all of this out, thank you for your time and patience! You guys are awesome! :slight_smile:

1 Like
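An added example, not part of the thread: a small Python model of the INPUT chain from the iptables-save output posted above, used to show why a DNS answer coming back from an upstream resolver is dropped while ping succeeds. The reading it encodes is mine, not something the thread states: the dump has a default DROP policy on INPUT and no rule accepting ESTABLISHED,RELATED traffic, so replies to dnsmasq's own outbound queries (UDP from port 53 to an ephemeral port, which only a stateful conntrack rule would let in) fall through to the policy, whereas ICMP echo replies hit the explicit icmp ACCEPT. The "Some firewall rule commands have failed" warning would be consistent with such a stateful rule failing to load, but that is a hypothesis to confirm in the firewall log. The interface name eth0, the ephemeral port 40123 and the conntrack rule itself are constructed for the example.

```python
"""Model the INPUT chain of an iptables-save dump and ask how it treats reply packets.

Only the handful of iptables options that appear in the thread (and the
conntrack/state match) are understood; this is an educational model, not iptables.
"""

# Copied from the iptables-save output in the thread (filter table only).
RULES_POSTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 8097 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

# The stateful rule a default-DROP INPUT chain normally carries (assumed fix, not from the thread).
STATEFUL_RULE = "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

# Constructed packets as conntrack would classify them on arrival at the external interface.
# A DNS answer from an upstream resolver to dnsmasq's ephemeral source port:
DNS_REPLY = {"proto": "udp", "iface": "eth0", "sport": 53, "dport": 40123, "ctstate": "ESTABLISHED"}
# An ICMP echo reply to the ping shown in the thread (no ports):
ICMP_REPLY = {"proto": "icmp", "iface": "eth0", "sport": 0, "dport": 0, "ctstate": "ESTABLISHED"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of match criteria and its target."""
    tokens = line.split()
    rule = {"chain": tokens[1]}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-p", "-i", "--dport", "--sport", "-j", "--ctstate", "--state"):
            rule[tok] = tokens[i + 1]
            i += 2
        elif tok == "-m":  # match extension name; its own options follow as separate tokens
            i += 2
        else:
            i += 1
    return rule


def parse_filter(dump):
    """Return (chain policies, parsed rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):
            chain, policy = line.split()[:2]
            policies[chain[1:]] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def verdict(policies, rules, pkt):
    """Walk the INPUT chain in order; the first matching rule's target wins, else the policy."""
    for r in (r for r in rules if r["chain"] == "INPUT"):
        if "-p" in r and r["-p"] != pkt["proto"]:
            continue
        if "-i" in r and r["-i"] != pkt["iface"]:
            continue
        if "--dport" in r and int(r["--dport"]) != pkt["dport"]:
            continue
        if "--sport" in r and int(r["--sport"]) != pkt["sport"]:
            continue
        states = r.get("--ctstate") or r.get("--state")
        if states and pkt["ctstate"] not in states.split(","):
            continue
        return r["-j"]
    return policies["INPUT"]


def audit(dump):
    """Verdicts for the two reply packets under the given rule set."""
    policies, rules = parse_filter(dump)
    return {"dns_reply": verdict(policies, rules, DNS_REPLY),
            "icmp_reply": verdict(policies, rules, ICMP_REPLY)}


def with_stateful_rule(dump):
    """Insert the conntrack ACCEPT as the first INPUT rule, where it is normally placed."""
    lines = dump.splitlines()
    first = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT"))
    lines.insert(first, STATEFUL_RULE)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("as posted:     ", audit(RULES_POSTED))
    print("with conntrack:", audit(with_stateful_rule(RULES_POSTED)))
```

On the real box the same question is answered by `iptables-save | grep -i -e conntrack -e state` (is a stateful ACCEPT present at all?) and `lsmod | grep nf_conntrack` (did the module load?); if the firewall log shows that rule as the failed command, the disk repair described above is a plausible reason for a missing or damaged kernel module, and reinstalling the kernel package is the defensive fix to try before a full reinstall.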

What is the status of dnsmasq before and after starting the firewall?

systemctl status dnsmasq

Could you check your dig request in IPv4 and in IPv6?

ping 2a00:5881:8100:1000::3
dig A google.com @2a00:5881:8100:1000::3
ping 89.234.141.66
dig A google.com @89.234.141.66

I guess yes, if something changed a file on your disk. Look at the content of /etc/resolv.dnsmasq.conf and /etc/dnsmasq.conf.

The status of dnsmasq after the firewall has been started:

● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-07-06 18:02:43 CEST; 2 days ago
  Process: 1120 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
  Process: 1124 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 1141 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
 Main PID: 1140 (dnsmasq)
    Tasks: 1 (limit: 3552)
   Memory: 2.6M
   CGroup: /system.slice/dnsmasq.service
           └─1140 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

And before:

● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-07-06 18:02:43 CEST; 2 days ago
  Process: 1120 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
  Process: 1124 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 1141 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
 Main PID: 1140 (dnsmasq)
    Tasks: 1 (limit: 3552)
   Memory: 2.6M
   CGroup: /system.slice/dnsmasq.service
           └─1140 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

To be fair, I didn’t notice the “Journal has been rotated since unit was started. Log output is incomplete or unavailable.” message before. Is it possible it wasn’t there?

Anyways, my pings. I first tried it with an active firewall:

ping 2a00:5881:8100:1000::3
PING 2a00:5881:8100:1000::3(2a00:5881:8100:1000::3) 56 data bytes
64 bytes from 2a00:5881:8100:1000::3: icmp_seq=1 ttl=53 time=57.0 ms
64 bytes from 2a00:5881:8100:1000::3: icmp_seq=2 ttl=53 time=57.0 ms
^C
--- 2a00:5881:8100:1000::3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 56.967/57.001/57.035/0.034 ms

dig A google.com @2a00:5881:8100:1000::3
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> A google.com @2a00:5881:8100:1000::3
;; global options: +cmd
;; connection timed out; no servers could be reached

ping 89.234.141.66
PING 89.234.141.66 (89.234.141.66) 56(84) bytes of data.
64 bytes from 89.234.141.66: icmp_seq=1 ttl=54 time=23.0 ms
64 bytes from 89.234.141.66: icmp_seq=2 ttl=54 time=22.8 ms
64 bytes from 89.234.141.66: icmp_seq=3 ttl=54 time=22.9 ms
^C
--- 89.234.141.66 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 22.844/22.920/23.043/0.195 ms

dig A google.com @89.234.141.66
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> A google.com @89.234.141.66
;; global options: +cmd
;; connection timed out; no servers could be reached

With an inactive firewall, the digs succeed:

dig A google.com @2a00:5881:8100:1000::3

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> A google.com @2a00:5881:8100:1000::3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14146
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             3555    IN      A       216.58.209.206

;; Query time: 57 msec
;; SERVER: 2a00:5881:8100:1000::3#53(2a00:5881:8100:1000::3)
;; WHEN: Sat Jul 09 14:52:43 CEST 2022
;; MSG SIZE  rcvd: 55


dig A google.com @89.234.141.66
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> A google.com @89.234.141.66
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             3544    IN      A       216.58.209.206

;; Query time: 23 msec
;; SERVER: 89.234.141.66#53(89.234.141.66)
;; WHEN: Sat Jul 09 14:52:54 CEST 2022
;; MSG SIZE  rcvd: 55

And finally, the two files. First /etc/resolv.dnsmasq.conf:

nameserver 195.160.173.53
nameserver 89.233.43.71
nameserver 2a0c:e300::101
nameserver 91.239.100.100
nameserver 2001:67c:28a4::
nameserver 185.233.100.100
nameserver 2001:1608:10:25::1c04:b12f
nameserver 185.233.100.101
nameserver 2a01:3a0:53:53::
nameserver 194.150.168.168
nameserver 84.200.69.80
nameserver 2001:1608:10:25::9249:d69b
nameserver 2a00:5881:8100:1000::3
nameserver 84.200.70.40
nameserver 2001:910:800::40
nameserver 89.234.141.66
nameserver 2001:910:800::12
nameserver 2a0c:e300::100
nameserver 80.67.169.40
nameserver 80.67.169.12

Then /etc/dnsmasq.conf:

domain-needed
expand-hosts
localise-queries
interface=lo

resolv-file=/etc/resolv.dnsmasq.conf

Tbh, I can’t tell if anything's misconfigured in there :joy: Thank you for your time!

I totally do not know why your DNS request fails when you have the firewall active!

Can you run iptables-save again before and after the firewall is up?
Maybe your system uses ufw in a way I don’t know?

iptables-save with a disabled firewall:

iptables-save
# Generated by xtables-save v1.8.2 on Sun Jul 10 10:05:12 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Jul 10 10:05:12 2022

And an active one:

# Generated by xtables-save v1.8.2 on Sun Jul 10 10:05:48 2022
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 8097 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Sun Jul 10 10:05:48 2022

As far as I can tell, ufw is not installed (?). I get the “-bash: ufw: command not found” error when I try to get the status.

On a more personal note: Do you think it would be time for a reinstall? I was able to make a backup of my instance, so nothing would be lost on me :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.