DNS not working in my Yunohost inside a LXC container

Benjamin · August 22, 2017, 9:53am

Hello,

I installed a Yunohost instance inside a LXC container with a debian template
Everything was working fluently, but I have the impression that since the update to Yunohost 2.6, it’s not anymore possible to resolve DNS inside the container (ping 8.8.8.8 is working, not ping google.fr).

I made many trials to solve this, so maybe my situation is particular, at the moment, when I start the container, i got in /etc/resolv.conf :
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND – YOUR CHANGES WILL BE OVERWRITTEN
and nothing more … If I add nameserver 127.0.0.1 or 8.8.8.8, it doesn’t work neither

dnsmasq gives :
systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled)
Drop-In: /run/systemd/generator/dnsmasq.service.d
└─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
Active: active (running) since Tue 2017-08-22 10:39:09 BST; 1min 5s ago
Process: 305 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
Process: 283 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
Process: 256 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
Main PID: 297 (dnsmasq)
CGroup: /system.slice/dnsmasq.service
└─297 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq…

Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 85.214.20.141#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 91.239.100.100#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 213.73.91.35#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 89.234.141.66#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 141.255.128.101#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 84.200.69.80#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 80.67.169.40#53
Aug 22 10:39:08 transitional dnsmasq[297]: using nameserver 89.233.43.71#53
Aug 22 10:39:08 transitional dnsmasq[297]: read /etc/hosts - 4 addresses
Aug 22 10:39:09 transitional systemd[1]: Started dnsmasq - A lightweight DHC....
Hint: Some lines were ellipsized, use -l to show in full.

About resolvconf :
systemctl status resolvconf -l
● resolvconf.service - Nameserver information manager
Loaded: loaded (/lib/systemd/system/resolvconf.service; enabled)
Active: active (exited) since Tue 2017-08-22 10:37:55 BST; 10min ago
Docs: man:resolvconf(8)
Process: 47 ExecStart=/sbin/resolvconf --enable-updates (code=exited, status=0/SUCCESS)
Process: 42 ExecStartPre=/bin/touch /run/resolvconf/postponed-update (code=exited, status=0/SUCCESS)
Process: 36 ExecStartPre=/bin/mkdir -p /run/resolvconf/interface (code=exited, status=0/SUCCESS)
Main PID: 47 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/resolvconf.service

I’ve read this : https://yunohost.org/#/dns_resolver_fr

So … I’m a bit lost, which service is supposed to give the DNS servers in yunohost 2.6 : dhcpd, dnsmasq, resolvconf ?

thanks for any advice
++
Benjamin

madmaxlamenace · August 22, 2017, 10:52am

Before you install yunohost. how do you configure your lxc container ?
Network etc.
And your host ?

Benjamin · August 22, 2017, 10:59am

Well, basic configuration : /var/lib/lxc/transitional/config

lxc.rootfs = /var/lib/lxc/transitional/rootfs
# container NAT
lxc.network.type = veth
lxc.network.hwaddr = 00:16:3e:3a:3c:d4
lxc.network.flags = up
lxc.network.link = lxc-nat-bridge
lxc.network.name = eth0
lxc.network.ipv4 = 10.0.3.2
lxc.network.ipv4.gateway = 10.0.3.1

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
#lxc.mount = /var/lib/lxc/transitional/fstab
lxc.utsname = transitional
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
lxc.start.auto = 1

but indeed, I don’t know if the container should feed the dns servers or if I should rather let Yunohost take care of this … The other containers on this machine work ok / DNS

Thanks
b

Aleks · August 22, 2017, 12:41pm

Hi there,

yes, it’s a bit tricky. To summarize : your /etc/resolv.conf should point to 127.0.0.1, which is dnsmasq. Dnsmasq will then be able to answer any query about local domains (even if unregistered on upstream DNSs) and forward other queries to resolvers listed in /etc/resolv.dnsmasq.conf (those are ‘friendly’ / net-neutrality-respecting resolvers from the FFDN and others).

The program resolvconf is supposed to make your /etc/resolv.conf automatically point to 127.0.0.1, which at the moment is not the case. (I understand that you probably tried to add nameserver 127.0.0.1 to the file, but it will end up being rewritten by resolvconf pretty quickly…). So we should try to understand why resolvconf does not make it point to 127.0.0.1

(Hopefully that explanation was not too messy )

Benjamin · August 22, 2017, 2:38pm

Hi,

thanks for the explanation, at leat for me, it clarifies things a lot, I’ll will investigate / resolvconf to see why it is no more wrinting 127.0.0.1 in /etc/resolv.conf
in /etc/resolvconf/resolv.conf.d/original, there is :
# Values that should work during DDOS against MayFirst
nameserver 209.51.171.179
nameserver 216.66.15.28
nameserver 216.66.15.23
# See https://status.mayfirst.org/2015/58/
which may come from the host of the container

/etc/resolvconf/resolv.conf.d/base contains nothing but if I :
systemctl stop resolvconf and
systemctl start resolvconf

/etc/resolv.conf now contains nameserver 127.0.0.1
resolvconf has the status “active (exited)”, shouldn’it be “running” ?

dnsmasq is still running and give the same status as shown in the first post
but the resolution still doesn’t work

I go on digging

++
b

Aleks · August 22, 2017, 2:43pm

I have something similar. I think yes, this comes from your container host, DHCP or whatever… Supposedly that’s what was in /etc/resolv.conf before /etc/resolvconf took over.

sounds like a good thing

I have the same thing on my server, so that sounds okay

So that sounds alright… Except for the resolution not working What happens if you try, for instance, ping wikipedia.org or host wikipedia.org ?

Benjamin · August 22, 2017, 2:45pm

dig x.org @127.0.0.1

; <<>> DiG 9.9.5-9+deb8u12-Debian <<>> x.org @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

host wikipedia.org
;; connection timed out; no servers could be reached

it is as if dnsmasq was not listening to 127.0.0.1 ?

Benjamin · August 22, 2017, 2:47pm

but …

netstat -paunt |grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 365/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 365/dnsmasq
udp 0 0 0.0.0.0:49094 0.0.0.0:* 365/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 365/dnsmasq
udp 0 0 0.0.0.0:1867 0.0.0.0:* 365/dnsmasq
udp6 0 0 :::53 :::* 365/dnsmasq

Benjamin · August 22, 2017, 2:49pm

/etc/dnsmasq.conf :

domain-needed
expand-hosts

listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256

Aleks · August 22, 2017, 2:50pm

Are you able to dig using Google’s DNS for instance ?

dig +short @8.8.8.8 wikipedia.fr

(to be compared to :

dig +short @127.0.0.1 wikipedia.fr

(Or is it that dnsmasq listens on 0.0.0.0 but not on 127.0.0.1 ?)

Benjamin · August 22, 2017, 2:53pm

yes, it seems that dnsmaq listens to 0.0.0.0 and not 127.0.0.1

dig +short @8.8.8.8 wikipedia.fr
;; connection timed out; no servers could be reached

in /etc/default/dnsmasq :
# Whether or not to run the dnsmasq daemon; set to 0 to disable.
ENABLED=1

IGNORE_RESOLVCONF=yes

many thks for your help
++
b

Benjamin · August 22, 2017, 2:57pm

whereas :
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=1.24 ms
…

Benjamin · August 24, 2017, 12:59pm

Well, I reinstalled everything in a new container and the behavior is the same …

So : https://dev.yunohost.org/issues/997

++
b

Benjamin · March 4, 2019, 2:18am

I’m updating this topic as I’m facing the same issue (no more dns resolution inside an LXC container) with Yunohost v 3.4.2.4.

Script installation of Yunohost on a fresh debian 9 LXC container

At the beginning of the installation, dns resolution works inside the container, it stops working after the post installation.

How could I determine / debug the service (dnsmasq ?) supposed to resolv the dns ?

below some infos about the config :

systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-03-04 01:59:55 UTC; 4min 34s ago
  Process: 265 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 197 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 174 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 250 (dnsmasq)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/dnsmasq.service
           └─250 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49aac11d7b6f6446702e54a1607371607a1a41855200f

Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 185.233.100.101#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 80.67.169.40#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 80.67.169.12#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 195.160.173.53#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 85.214.20.141#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 84.200.69.80#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 80.67.188.188#53
Mar 04 01:59:44 transitional dnsmasq[250]: using nameserver 89.233.43.71#53
Mar 04 01:59:44 transitional dnsmasq[250]: read /etc/hosts - 4 addresses
Mar 04 01:59:55 transitional systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.

cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1


cat /etc/dnsmasq.conf 
domain-needed
expand-hosts
listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
cache-size=256

cat /etc/hosts
127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

netstat -atun|grep 53 |grep tcp
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN     
tcp6       0      0 :::53                   :::*                    LISTEN

Aleks · March 4, 2019, 2:20am

Well uh, for instance are you able to manually resolve stuff using dig and google’s resolver ? So for instance :

dig +short @8.8.8.8 wikipedia.org

You probably need to install dnsutils to have the command dig on your system

Benjamin · March 4, 2019, 12:49pm

Yes, sorry forgot to say that :

dig +short @8.8.8.8 wikipedia.org
;; connection timed out; no servers could be reached

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=123 time=0.785 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=123 time=0.864 ms

It is as if the dns request was not reaching dnsmasq server ?

thks
b

Aleks · March 4, 2019, 3:27pm

Uh yea, so do you happen to have configured anything like a firewall that would block outgoing traffic on port 53 (DNS) ?

Oooor do you have the VPNclient app installed maybe ?

Benjamin · March 4, 2019, 3:56pm

the normal yunohost firewall is active

I tried to stop it : yunohost firewall stop
but It didn’t change anything

It happens on a fresh yunohost install without any app installed

Is dns resolution done with TCP or UDP ? A problem with ipv6 ?

netstat -lpatun |grep 53 |grep dns
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      316/dnsmasq         
tcp6       0      0 :::53                   :::*                    LISTEN      316/dnsmasq         
udp        0      0 0.0.0.0:53              0.0.0.0:*                           316/dnsmasq         
udp6       0      0 :::53                   :::*                                316/dnsmasq

thks for your help
b

Aleks · March 4, 2019, 4:04pm

Stopping YunoHost’s firewall indeed won’t change anything, as it blocks incoming traffic and not outgoing one …

I understand that this happens on a fresh YunoHost install without any app installed, but I suspect that it has to do with the environment in which your machine lives … The dig command is pretty simple : it sends an (UDP) request adress to port 53 to the resolver (e.g. 8.8.8.8) and the resolver is supposed to answer…

You mentionned that your install is in a LXC container, but how is it configured network-wise ? Are there some sort of firewall …?

Benjamin · March 4, 2019, 5:53pm

well, I found the solution !

The server and containers are installed in a sympathic server organisation that has a special mecanism for dns resolution to prevent attack (I think). So the only working DNS servers are the one provided by this organisation.

If I change /etc/resolv.dnsmasq.conf with these DNS servers, it works !

So sorry to have bother you with this, the pb was not coming from Yunohost nor LXC but rather from the infrastructure config.

For the record, I noticed while listening to the DNS traffic on the host that the request was going out of the container but didn’t receive answer with the command
sudo tcpdump -X -i lxc-nat-bridge dst port 53 |grep x.org
Then I noticed that DNS resolution was not working on the host with
dig @8.8.8.8 x.org
but working with the DNS I found in /etc/resolv.conf of the host

Many thanks for your help, I understand now much better DNS and how to debug its resolutions.

marked as solved

++
Benjamin