Hairpinning and reverse DNS for IPv6

My YunoHost server

Hardware: Old laptop or computer
YunoHost version: 11.2.10.3
I have access to my server : through the webadmin or direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello,

I’m new to this field of computer fiddling but I need to get my own server running, with my own email address as well as my own website. YunoHost was suggested to me as the answer to my hopes!
I’ve been tweaking YunoHost, bought my own domain, configured my router, and asked my internet provider to change the reverse DNS to my own domain (it was quite efficient since I’m with FDN! Heads up to them!), but I’m still having some trouble understanding what hairpinning is and how to enable it…
My router is a TP-Link TD-W9970. I’ve configured the NAT so that all the necessary ports for YunoHost and the apps I’ve installed are open under IPv4. And I’ve enabled IPv6 and added a firewall, to which I’ve added all the same ports as IPv6 firewall exceptions. I’m guessing I’ve done all that correctly because I was able to access my portal, as well as the website, from my phone over an LTE connection.

So as I was mentioning, I’m quite new to all of this and I have several questions:

  • Can someone confirm that I’ve configured my router correctly and that all is secure on my side?
  • How do I enable hairpinning? It’s the only warning left in the web section of the yunohost diagnosis window… Can I configure it on my router? If not how do I manage it…?
  • I also don’t have any reverse DNS for IPv6 (diagnosis window). I’ve tried turning it off as suggested in the details, but when I do that, the SMTP server is definitely unreachable, even over IPv4… I’ve turned it back on…

I hope that I’m clear enough with my problems. If not I’ll be happy to explain differently!

Thanks for the help anyone can provide!!!

Leïla

Warning and error from the diagnosis log:

[WARNING] Your local network does not seem to have hairpinning enabled.

  • This is probably because of your ISP box / router. As a result, people from outside your local network will be able to access your server as expected, but not people from inside the local network (like you, probably?) when using the domain name or global IP. You may be able to improve the situation by having a look at Local network access to your server | Yunohost Documentation

[ERROR] No reverse DNS is defined in IPv6. Some emails may fail to get delivered or be flagged as spam.

  • You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
  • Some providers won’t let you configure your reverse DNS (or their feature might be broken…). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running ‘yunohost settings set email.smtp.smtp_allow_ipv6 -v off’. Note: this last solution means that you won’t be able to send or receive emails from the few IPv6-only servers out there.

Nice to read your progress, congratulations on your setup :slight_smile:

Clear and to the point, I think! As far as I can tell, you set everything up correctly and securely.

Let me get into this issue first.

It helps to have the right kind of hairpin as a mental image. Of all the images in the Wikipedia entry on hairpins, I imagine it like the one called ‘bobby pin’, or the one from the Tang dynasty, but certainly not the Ming dynasty types.

With that out of the way: without ‘hairpinning’, if you visit your website from your local network, the requesting traffic would go out of your router (at least to the WAN-interface, perhaps further), before being pointed back to your home via the external IP.

With hairpinning enabled, the router recognizes that the IP address belonging to ‘mywebsi.te’ is actually at home, and it will send you to your YunoHost directly.

There is another thing related to hairpinning, which prevents both cases above from working. It is called “DNS rebind attack protection”, or something else with “DNS rebind” in it. Without going into the details of why, the result of this protection is that your router would prevent you from visiting a website that has a local IP address (in case of IPv4 starting with 10, 192.168, or half of the 172-range).

I used to have an AVM FritzBox, that had this protection, and also an option to give domains for which it was not supposed to block access.

For TP-Link I could not find such a feature. Someone on Reddit suggests a solution for Pihole with DNS in the local network, but that is not exactly your problem. The TP-link forums have some frustrated users asking for a setting to turn off DNS-rebind-protection; I found a workaround by MeisterLLD: change DNS to your ISP’s DNS.

It also seems there are quite a few TP-link routers, with slightly different features and options.

Depending on the situation and on whether you get any further with the router configuration, I think the options are:

  • In the TP Link router, find the option to disable DNS rebind protection. Now you should be able to visit your website
  • If the router has no such option:
    • You could alter the hosts file on your computer, to associate the local IP of your Yunohost with your domain name. Now the router is not involved anymore, but Yunohost still can recognize the domain you want to visit (you’ll have noticed you can visit by IP, but it will give you the white management interface instead of the black user interface). If you do this on your laptop, the downside would be that it can only find your website when you are at home or connected to home via a VPN.
    • If money and electrowaste are not an issue, you could get another router.
    • If time spent on howto’s and learning something new is not an issue, you could probably run OpenWRT on your TP-link. OpenWRT is an alternative operating system for your router, enabling many features that were originally not implemented by the vendor (TP-link, in this case), but possibly slightly more complex.

Maybe another forum member has experience with TP-link and can chime in with advice, or with another option.

I’ll see whether I can think of a cause for your other problem.

Sorry for the long-winded reply. I hope it is as clear as your own post!

I only just learned about FDN a few weeks back, it seems a cool provider! Did you ask them to set up reverse DNS for IPv4 as well as for IPv6? Were you able to manually verify that reverse DNS is set up correctly for both addresses?

You can use a troubleshooting site such as dnschecker.org or use nslookup ip:ad:dr:es::s from your command line. We even have an app for such things in the catalog, SPFToolbax

Pay attention that your public IPv4 address is the same for all devices in your home network, but they all have their own IPv6 address! As such, if you used a site such as “whatismyip.com”, and sent the result to FDN, they will have set the correct reverse DNS in IPv4, but it is pointing to your laptop instead of your Yunohost for IPv6.

That would imply something else is not working either: mail over IPv4 should stay available when IPv6 is not available. Does diagnosis complain about problems with mail in that case? Missing DNS entries, closed ports, something else?
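The two checks discussed above (what a LAN client actually gets back when it resolves the domain, and whether the reverse DNS is set for both the IPv4 and the IPv6 address and points back at the server) can be scripted. The script below is an added example written for this thread; it is not part of YunoHost’s diagnosis or of any post here. The domain mywebsi.te is the placeholder used earlier in the thread, and all addresses (192.168.1.10, 203.0.113.5, 2001:db8::5, 2001:db8::7) are constructed documentation addresses, chosen so that the second IPv6 case reproduces the “PTR set on the laptop’s address instead of the server’s” mistake. The classification logic is pure and runs offline; only the optional command-line part at the bottom does live lookups.

```python
"""Offline checks for the two diagnosis items in this thread.

Added example, not YunoHost code. Classification functions take the DNS
answers as plain lists, so they can be unit-tested without network access;
the __main__ block at the end does live lookups with the standard library.
"""
import ipaddress
import socket
import sys

# Address ranges a consumer router's "DNS rebind protection" typically
# refuses to hand out in DNS answers: RFC 1918 for IPv4, plus loopback,
# link-local and IPv6 ULA. (The exact list is router-specific; assumed here.)
REBIND_FILTERED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebind_filtered(ip: str) -> bool:
    """True if a rebind-protecting resolver would drop this answer."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REBIND_FILTERED)


def reverse_pointer(ip: str) -> str:
    """Name to query for the PTR record (in-addr.arpa or ip6.arpa nibbles)."""
    return ipaddress.ip_address(ip).reverse_pointer


def classify_lan_lookup(lan_answers, lan_ip: str) -> str:
    """What a client on the LAN gets when it resolves the server's domain.

    lan_answers: addresses returned by the router / LAN resolver (may be empty)
    lan_ip:      the server's own address on the LAN
    """
    if not lan_answers:
        return "no-answer"        # typical symptom of DNS rebind protection
    if lan_ip in lan_answers:
        return "lan-direct"       # local override works, router not involved
    if any(is_rebind_filtered(a) for a in lan_answers):
        return "other-private"    # a private address, but not the server's
    return "needs-hairpin"        # only public addresses: must loop via router


def fcrdns_status(ip: str, ptr_names, forward_answers) -> str:
    """Forward-confirmed reverse DNS, as mail servers check it.

    ptr_names:       PTR answers for ip
    forward_answers: dict name -> list of A/AAAA addresses for that name
    """
    if not ptr_names:
        return "no-ptr"
    addr = ipaddress.ip_address(ip)
    for name in ptr_names:
        if any(ipaddress.ip_address(a) == addr
               for a in forward_answers.get(name, [])):
            return "ok"
    return "ptr-not-confirmed"    # PTR exists but its name does not resolve back


def live_forward(name: str):
    """A and AAAA addresses via the system resolver (empty list on failure)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def live_ptr(ip: str):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


if __name__ == "__main__":
    # Usage: python3 check.py mywebsi.te 192.168.1.10  (run from inside the LAN)
    domain, lan_ip = sys.argv[1], sys.argv[2]
    answers = live_forward(domain)
    print(f"{domain} from this network resolves to {answers}:",
          classify_lan_lookup(answers, lan_ip))
    for ip in answers:
        names = live_ptr(ip)
        forward = {n: live_forward(n) for n in names}
        print(f"  {ip}  PTR={names or 'none'}  ->",
              fcrdns_status(ip, names, forward),
              f"(query name: {reverse_pointer(ip)})")
```

Run it from a machine inside the home network with the domain and the server’s LAN address. "needs-hairpin" means the router handed back only public addresses, so reaching them from inside depends on the router looping the traffic; "no-answer" is the rebind-protection symptom described above. On the reverse DNS side, a PTR that exists but reports "ptr-not-confirmed" is exactly what you get when the provider set it on a different address (such as the laptop’s IPv6 address) than the one the domain’s AAAA record points to.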

Thanks so much for the long and clear answers!

I’ll start with the reverse DNS error with ipv6: it was all my fault, I had not given the correct ipv6 address… I’ve corrected my mistake this morning and with the quite efficient work from volunteers at FDN, that is now a resolved matter!

Concerning the hairpinning… Yeap, we’re talking about the same thing!

I’ve tried to get around a lot this morning… Tried the workaround by MeisterLLD as you suggested. That didn’t work. Could be that I got tired of clicking everywhere in the TP-link features and ended up restoring the settings as they were working yesterday…
Then, I figured I’d try to change the hosts file on my own laptop, with which I’m accessing the YunoHost local window in my browser. Did that, and I didn’t quite catch the white or black management interface. Or are you talking about the portal access window? Because that has always been black for me… My laptop stays at home, so accessing from outside with my laptop is not an issue.
But I still wanted to get the hairpinning problem working… So I followed your next suggestions!

Then, I figured that acquiring another router was right now not an option, money and electrowaste-wise. We’re going to get fiber access soon, so we’ll change the router at that point.

And your last option was quite pleasing! Setting up OpenWRT on my TP-Link would be swell!!! Didn’t think of that! (I have LibreBoot on my laptop, am using Trisquel OS, have /e/OS on my smartphone, so I figured why not change the router as well!). Except that… Proprietary bullshit… My router’s not compatible… And neither are all the other routers I have at home (3G/LTE TP-Link router, C6220 Netgear router…) Soooooo, when I have to switch to fiber, I’ll be looking closely at what kind of hardware I’ll be acquiring!
By the way: any good suggestions?

And again, thank you for your help and long reply. It really helped me a lot!

Oh, and is there a way to disable the hairpinning warning in the diagnosis window?

Don’t be too harsh on yourself, I’m sure you’re not the first (or the last) to send a correction to FDN :smiley:

Hahahaha! I must have misread

for

I think you’ll feel just at home once you get a router reflashed. I don’t have suggestions other than having a look at the compatibility list you probably just opened. Maybe you could open another thread just for that, to get some replies from people actually using different routers.

For myself: I have good experiences with FritzBox, but switched from AVM to OPNsense after I missed some features in FritzBox. Now I can’t remember which features they were. It was a couple of years ago and their software must have evolved as well. Besides, I saw AVM on the compatibility list of OpenWRT so it would have a way out on specific models.

I’ll leave this one for someone else to answer!

I’d suggest that you open all high ports (ports 32768 through 65565) in your IPv6 firewall. This shouldn’t impact security much, but will make some applications (such as Galene) work much better.

I could be wrong, but I don’t think that hairpinning is implemented in TP-Link routers. However, since you’ve got IPv6, this should not be much of a problem (IPv6 communication will work even if IPv4 hairpinning is broken). Just make sure you put your IPv6 addresses in the DNS.

