Hardware: OpenVZ VPS (vps-hdd-4) from http://dyjix.eu running Debian 9
YunoHost version: 3.6.4.6
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue
Whenever the yunohost firewall is launched my server fails to resolve domain names.
Here is a quick example:
With the firewall on, ping 1.1.1.1 returns:
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=6.80 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=6.83 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=56 time=6.78 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=56 time=6.77 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=56 time=6.78 ms
ping google.fr returns:
ping: google.fr: Temporary failure in name resolution
root@jaekr:~#
After yunohost firewall stop, ping 1.1.1.1 returns:
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=6.84 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=6.79 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=56 time=6.78 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=56 time=6.78 ms
ping google.fr returns:
PING google.fr (216.58.206.227) 56(84) bytes of data.
64 bytes from par10s34-in-f3.1e100.net (216.58.206.227): icmp_seq=1 ttl=47 time=16.6 ms
64 bytes from par10s34-in-f3.1e100.net (216.58.206.227): icmp_seq=2 ttl=47 time=16.7 ms
64 bytes from par10s34-in-f3.1e100.net (216.58.206.227): icmp_seq=3 ttl=47 time=16.7 ms
64 bytes from par10s34-in-f3.1e100.net (216.58.206.227): icmp_seq=4 ttl=47 time=16.6 ms
64 bytes from par10s34-in-f3.1e100.net (216.58.206.227): icmp_seq=5 ttl=47 time=16.7 ms
I tried to disable and stop the yunohost-firewall service through systemd without success.
I also tried to set my DNS servers to 1.1.1.1, without success as well.
This problem gets really annoying, especially when you need to install Synapse or just update the system.
root@jaekr:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
root@jaekr:~#
root@jaekr:~# systemctl status dnsmasq
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-10-01 14:36:49 CEST; 34min ago
Main PID: 24079 (dnsmasq)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/dnsmasq.service
└─24079 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e8804
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 80.67.188.188#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 85.214.20.141#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 91.239.100.100#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 2a0c:e300::101#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 2001:910:800::12#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 80.67.169.12#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 2001:67c:28a4::#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: using nameserver 89.234.141.66#53
Oct 01 14:36:49 jaekr.dev dnsmasq[24079]: read /etc/hosts - 5 addresses
Oct 01 14:36:49 jaekr.dev systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
root@jaekr:~#
Watching this one! I had a similar issue after a postinstall on Hetzner VPS and tracked it down to the “enable upnp” code in the post install. After some chat on IRC, it doesn’t appear to be related but my firewall was also doing the same thing as here.
You should check that the IPs of your DNS resolvers are not listed in the iptables fail2ban rules.
YunoHost restarts the firewall on some operations, so you can't disable it, I think (unless by creating a post hook on it). But if you disable your firewall you will be under a lot of attacks; I am not sure it's really reasonable. If you choose to do that, you should check that all admin and user passwords are very good (like a passphrase instead of a password)!
I think you should find the iptables rules that create the issue, and fix it by creating a specific hook. We can help you to do that.
Another, very hackish, way to stop the firewall or manage it manually could be to modify /etc/init.d/yunohost-firewall to replace the call to yunohost firewall reload by /bin/true …
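As an added example (not from this thread and not YunoHost's own tooling), here is a POSIX shell script that applies the advice above: it takes a rule listing in iptables -S format plus the upstream resolvers dnsmasq logged, and prints the OUTPUT policy, any rule that drops or rejects port 53, and any fail2ban chain entry that bans a resolver. The rule text is a constructed sample; on a real host you would feed it the output of iptables -S.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables rule listing for
# anything that would break DNS from the local dnsmasq (127.0.0.1) to its
# upstream resolvers. Input is text in `iptables -S` format.

# Constructed sample rules for illustration; the resolver IPs are the ones
# dnsmasq logged in the thread. On a real host use: RULES=$(iptables -S)
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DROP
-A f2b-sshd -s 80.67.188.188/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN'
RESOLVERS='80.67.188.188 85.214.20.141 91.239.100.100'

# Default policy of the OUTPUT chain: DROP here means every upstream query
# needs an explicit ACCEPT for port 53 to get out.
output_policy() { printf '%s\n' "$1" | sed -n 's/^-P OUTPUT //p'; }

# Rules that DROP or REJECT traffic to the DNS port, in any chain.
dns_port_blocks() {
    printf '%s\n' "$1" | grep -E -e '--dport 53( |$)' | grep -E -e '-j (DROP|REJECT)'
}

# Rules in fail2ban chains (f2b-*) that ban one of the given resolver IPs.
banned_resolvers() {
    rules=$1; shift
    for ip in "$@"; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep -E
        printf '%s\n' "$rules" | grep -E -e "^-A f2b-[^ ]+ -s ${ip_re}(/32)? " \
            | grep -E -e '-j (DROP|REJECT)'
    done
    return 0
}

echo "OUTPUT policy: $(output_policy "$SAMPLE_RULES")"
echo "Rules blocking port 53:"; dns_port_blocks "$SAMPLE_RULES"
echo "Resolvers banned by fail2ban:"; banned_resolvers "$SAMPLE_RULES" $RESOLVERS
```

Any line printed under the last two headings is a candidate for the hook the reply above suggests; an empty listing with a DROP policy on OUTPUT points at a missing ACCEPT rule instead.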
PING ftp.debian.org (130.89.148.12) 56(84) bytes of data.
64 bytes from klecker-ftp.debian.org (130.89.148.12): icmp_seq=1 ttl=50 time=21.4 ms
64 bytes from klecker-ftp.debian.org (130.89.148.12): icmp_seq=2 ttl=50 time=21.3 ms
64 bytes from klecker-ftp.debian.org (130.89.148.12): icmp_seq=3 ttl=50 time=21.3 ms
Fail2ban ok; Firewall ok:
ping: ftp.debian.org: Temporary failure in name resolution
Fail2ban off; Firewall ok:
ping: ftp.debian.org: Temporary failure in name resolution
All the ping requests were done to ftp.debian.org and fail2ban has been stopped with systemctl stop fail2ban and confirmed stopped with systemctl status fail2ban:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Thu 2019-10-03 17:23:42 CEST; 1min 58s ago
Docs: man:fail2ban(1)
Process: 8777 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 5277 ExecReload=/usr/bin/fail2ban-client reload (code=exited, status=0/SUCCESS)
Main PID: 10105 (code=killed, signal=TERM)
Oct 03 10:03:08 jaekr.dev systemd[1]: Reloaded Fail2Ban Service.
Oct 03 10:05:55 jaekr.dev systemd[1]: Reloading Fail2Ban Service.
Oct 03 10:06:50 jaekr.dev systemd[1]: Reloaded Fail2Ban Service.
Oct 03 10:08:52 jaekr.dev systemd[1]: Reloading Fail2Ban Service.
Oct 03 10:09:25 jaekr.dev systemd[1]: Reloaded Fail2Ban Service.
Oct 03 17:21:11 jaekr.dev systemd[1]: Reloading Fail2Ban Service.
Oct 03 17:22:04 jaekr.dev systemd[1]: Reloaded Fail2Ban Service.
Oct 03 17:23:02 jaekr.dev systemd[1]: Stopping Fail2Ban Service...
Oct 03 17:23:42 jaekr.dev fail2ban-client[8777]: Shutdown successful
Oct 03 17:23:42 jaekr.dev systemd[1]: Stopped Fail2Ban Service.
P.S. I know how to speak French, but I'll keep this in English so someone with the same problem will be able to understand how to fix it (if we find a way).