Hi people. I am running pihole under podman and its dedicated system account on my NAS. Now, from the NAS, I get a connection refused on ip.of.the.nas:53 but everywhere else in my network, pihole works perfectly. To run pihole as a rootless container, i made it listen on 1053 and I have a firewall redirection from 53 to 1053 for both udp and tcp. Any pointer to where (and how) I can debug this ?

Edit: Small precision about my current setup : ISP router (so I can’t really do anything on it) and NAS running opensuse leap

  • JASN_DE@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    The request from the other machines go through the firewall and are being redirected, the requests from the NAS are basically trying to connect to localhost, so no redirection here as the requests aren’t leaving the machine.

    • BluescreenOfDeath@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      I agree.

      So the solution, OP, is to set the DNS settings on your NAS to your router’s internal IP so the firewall can redirect the traffic to your new port.

      • IsoKiero@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        As it’s only single device I’d suggest configuring DNS server for that to <ip-of-nas>:1053. Port forwarding rule on the nas firewall most likely applies only to ‘incoming’ traffic to the nas and as locally generated DNS request isn’t ‘incoming’ (you can think it as ‘incoming’ traffic is everything coming via ethernet cable into the nas) then the port redirection doesn’t trigger as you’re expecting.

        • BluescreenOfDeath@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 months ago

          An inbound only DNS forwarding rule would be pointless. All DNS queries should be originating from within the network.

          EDIT

          I think I see what you’re getting at. Assuming that the firewall is running on the NAS vs on the router.

          The OP doesn’t specify, but I would assume the firewall rule would be on the router, as that makes the most sense to force all DNS requests on the network to go through the pihole.

          • mat@jlai.luOP
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            I am still using my ISP’s router, so the firewall rule is on the NAS (for now it is almost a do it all server), otherwise I would run the pihole on the router I think

          • IsoKiero@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            If the firewall was running on a router then you’d need to DNAT back to the same network from which they originated and that is (in general) quite a PITA to get running properly. My understanding is that the firewall doing port forwarding is running on the NAS. And we don’t have much information on what that ‘NAS’ even is, I tend to think devices like qnap or synology when talking on NAS-boxes, but that might as well be a full linux-system just running CIFS/NFS/whatever.

            OP could obviously use his router as a DNS server for the network and set upstream DNS server for the router to pihole, but that’s a whole different scenario.

            • mat@jlai.luOP
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              2 months ago

              For now my NAS it not really running anything (I want to have proper DNS/IDM before starting any other service and for storage I think I may go with owncloud ocis or nextcloud)

              • IsoKiero@sopuli.xyz
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                NAS stands for ‘Network Attached Storage’ and there’s dedicated hardware for that task from multiple brands. It’s a somewhat spesific thing and from what I understand you have a multi-purpose server running on your network. For discussion it’s better to use the established terminology to avoid confusion on what’s what. Your generic server can of course act like a NAS, but a 100€ Synlogy NAS can’t (for the most part) act as a generic server.

                Similarly there’s a dedicated hardware for routers and they are not the same than generic servers which can run whatever. Dedicated routers do some things way better/faster than generic server, and there’s pretty much always a trade-off between the two. You can of course install hardware to your server to be as good as or even better than any consumer grade router and run a pfsense on virtual machine on top of it, but that’s going to be at least more expensive than dedicated hardware.

                So, your server is running pihole in a container on the same network address/hardware than the rest of your server, and I suppose you already gathered from other messages that the firewall component on it treats traffic coming from outside the server itself differently than traffic originating from the server itself. For this spesific case I’d say it’s just simpler to configure the server to use DNS server as localhost:1053 than trying to work out firewall forwarding rules for it, if possible. If not, and you absolutely insist that your pihole runs on a unprivileged port and that your server also has to use pihole as DNS sever, then you need to dig out a firewall config for outgoing traffic which redirects the destination port. Or you could set up a dns proxy on the server which uses pihole as upstream and serves addresses to localhost only or one of the other multiple ways to achieve what you’re after, but each of those have some kind of trade-off and there’s too many to go trough in a single post.

  • oranki@piefed.social
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 months ago

    Have you considered lowering the unprivileged port limit instead?

    sudo sysctl -w net.ipv4.ip_unprivileged_port_start=53 | sudo tee -a /etc/sysctl.conf  
    

    Then remove the firewall rule and bind to port 53.

    Edit: typo