Need help to configure internal access

Hi there,
I have been blocked on this issue for several days… I tried some things, but unfortunately they are not working! :sleepy:

My issue: I have a UK Sky router ER115 and apparently I cannot have NAT loopback.
I have a domain (on changeIP.com) with a Let's Encrypt certificate, and access from the external network is OK.
But I cannot use this domain to access it from within my local network.

I tried to add dnsmasq via the ncp-TLI, but it does not work…
Access via Chromium gives me “ERR_CONNECTION_REFUSED”.

And I do not want (unless it is mandatory) to add another RPi to install a DNS server (like Pi-hole).
Is this possible?
Can somebody help me to understand?

Many thanks

I solved it in my case with a dnsmasq server running on the Nextcloud server. My router uses that dnsmasq as DNS server and supplies the network. The (local) IP address of my server is stored in the dnsmasq

Split-horizon DNS is the best solution and the most efficient (traffic goes directly to NC instead of having to be received and re-sent at the router).

About the only other possibility is a manual hosts entry, but that doesn’t work on some devices and will cause a headache if they leave home.

Thanks for your help.
I've already tested this…
Let's say:

In fact, what I have right now as a config is:

  • dnsmasq configured via ncp-tli
  • pointing to my router ip

If I stay like this, it is not working.

If I add to the hosts file on my Linux or Windows laptop:
192.168.0.20 test.mydomain.com
it is working well.

But I have some doubts about this config… As stated by @KarlF12
AND
still not working on Android devices (as I do not know how to manually configure the hosts file).

Could you provide more technical info on your solution and your dnsmasq.conf?

Many thanks
Do you have an example of a split-horizon DNS implementation?
My router is very limited, so this solution could be complicated to configure, I guess.

Split-horizon DNS is a feature, not a separate server. It is a DNS configuration technique used to provide different DNS query results to different sets of clients based on their network location or source IP address. Dnsmasq does support split-horizon DNS configuration.

That’s what dnsmasq is for, so that the ‘hosts’ file is configured only for the queries from inside of the network.

Sure:

In my case I have two servers running on Ubuntu in a Network behind a Fritzbox Router.

The Local Network is

192.168.188.0/23

That represents a subnet with an IP address range of 192.168.188.0 to 192.168.189.255

The servers (with or without internet access, DMZ) are located in the range 192.168.189.0/24.
My private network uses the 192.168.188.0/24 IP range.

192.168.189.1 - nextcloud, mysql, redis-server, dnsmasq
192.168.189.101 - clamd, dnsmasq, unison replica of the nextcloud on 192.168.189.1 to create consistent backups

As you see, I use 2 dnsmasq to be more redundant but it works with one as well.

Since Ubuntu uses systemd-resolved, I use the following configuration, which is almost the same on both servers. Here is the config on 192.168.189.101:

systemd-resolved

man systemd-resolved.service

We have to change the behaviour of systemd-resolved.

Edit /etc/systemd/resolved.conf to make it look somewhat like this:

# My favorite DNS servers:
DNS=80.80.80.80 9.9.9.9
DNSStubListener=no

Now remove /etc/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf and make a static /etc/resolv.conf:

echo "nameserver 127.0.0.1" > /etc/resolv.conf

This is to tell the host system to send its DNS queries to localhost, which will now be served by dnsmasq.

dnsmasq

man dnsmasq

config files:

/etc/default/dnsmasq:

ENABLED=1
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.conf.mine"
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
IGNORE_RESOLVCONF=yes

/etc/dnsmasq.conf.mine:

domain-needed
bogus-priv
resolv-file = /run/systemd/resolve/resolv.conf
server = /188.168.192.in-addr.arpa/192.168.188.1
listen-address = 127.0.0.1
listen-address = 192.168.189.101
addn-hosts = /etc/dnsmasq.addn-hosts.local

/etc/dnsmasq.addn-hosts.local

192.168.188.1    fritzbox-7580.fritz.box fritzbox.fritz.box fritzbox fritz.box fritzbox-7580 home.box heimat.box
192.168.189.1    alias1 alias2 %MYNEXTCLOUDDOMAIN.TLD%
192.168.189.101  optiplex-380-0.fritz.box optiplex-380-0.fritzbox optiplex-380-0
255.255.255.255  broadcast

As you can see, the file /etc/dnsmasq.addn-hosts.local is now the “hosts” file for all queries coming from within the local network. All other queries will be served with the results from the DNS servers configured in /etc/systemd/resolved.conf.

Now you can do much more with dnsmasq. To redirect all queries for Google websites to Google DNS, which is a bit faster since it is their realm, add these lines to /etc/dnsmasq.conf.mine:

server = /ytimg.com/8.8.8.8
server = /ytimg.com/8.8.4.4
server = /youtube.com/8.8.8.8
server = /youtube.com/8.8.4.4
server = /googlevideo.com/8.8.8.8
server = /googlevideo.com/8.8.4.4
server = /ggpht.com/8.8.8.8
server = /ggpht.com/8.8.4.4
server = /gvt3.com/8.8.8.8
server = /gvt3.com/8.8.4.4
server = /gvt2.com/8.8.8.8
server = /gvt2.com/8.8.4.4
server = /gvt1.com/8.8.8.8
server = /gvt1.com/8.8.4.4
server = /doubleclick.net/8.8.8.8
server = /doubleclick.net/8.8.4.4
server = /googlesyndication.com/8.8.8.8
server = /googlesyndication.com/8.8.4.4
server = /googleapis.com/8.8.8.8
server = /googleapis.com/8.8.4.4
server = /google.com/8.8.8.8
server = /google.com/8.8.4.4
server = /google.de/8.8.8.8
server = /google.de/8.8.4.4
server = /google.nl/8.8.8.8
server = /google.nl/8.8.4.4
server = /google.ch/8.8.8.8
server = /google.ch/8.8.4.4

You can log all DNS queries dnsmasq makes and tail -f it live. To do so, create a log dir:

mkdir /var/log/dnsmasq
chown dnsmasq.adm /var/log/dnsmasq

Append these lines to /etc/dnsmasq.conf.mine:

log-queries
log-facility = /var/log/dnsmasq/dnsmasq.log

In this case, you will have to set up a logrotate rule for that logfile:

/etc/logrotate.d/dnsmasq.log

/var/log/dnsmasq/dnsmasq.log {
    size 100M
    daily
    rotate 2
    compress
    missingok
    notifempty

    postrotate
        service dnsmasq force-reload
    endscript
}

Now you can watch dnsmasq live while it is doing its work:

tail -F /var/log/dnsmasq/dnsmasq.log

I have the same configuration on the server 192.168.189.1, with the only difference being in

/etc/dnsmasq.conf.mine

listen-address = 192.168.189.1

Finally you have to configure your router to not automatically use the DNS server of the provider, but instead to use the DNS server(s) that you have set up (192.168.189.1 and 192.168.189.101 in my case) as the primary (and eventually secondary) name servers.

I hope I could help

Even though I have created this post with the greatest possible care, I know with certainty that I (as usual) made at least small mistakes. If you find any inaccuracies please point them out to me, I will correct them immediately if possible or your comment will be the correction.

Happy hacking

1 Like

I understand that you have several SBCs or machines for this infra, right?

Because I have only one RPi available (hosting NCP).

That is enough. You have to set up dnsmasq like I described above on your RPi. A second server is only for better redundancy, in case your RPi is down.

Then unfortunately, my router does not give me the possibility to modify the DNS conf! That's why I am completely blocked…

Do you have any workaround for this ?

I finally found a solution to change DNS on the router!!!
I may try your wonderful hack @ernolf
Thanks again

1 Like

You are not making it easy for me, I had to figure out what your “router” can do, and what it cannot. There are no manuals on the web, I only found this YouTube video which shows the options step by step.

Yes of course. Since there are always workarounds.

As the video showed me, you can disable the DHCP function of your router.

Now you only have to make dnsmasq your local DHCP server:

Omit this line from my example above:
server = /188.168.192.in-addr.arpa/192.168.188.1

and add these lines to your /etc/dnsmasq.conf.mine:

dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=6,192.168.0.20
dhcp-option=option:router,192.168.0.1

The dhcp-range line specifies the range of IP addresses that dnsmasq will assign to DHCP clients, and the lease time for those addresses is set to 12 hours.

The dhcp-option:

  • The first line sets the DNS server to 192.168.0.20, which is the IP address of your dnsmasq server.
  • The second line sets the default gateway (router) to 192.168.0.1, which is the IP address of your router. With these options set, all clients connecting to the network via DHCP will receive the correct DNS and router settings.

Please note that the advice given here is based on the information provided and is intended as a general guide only. It may not be applicable to your specific setup or environment. Additionally, this advice was not thoroughly tested by me first and is a “shoot from the hip” suggestion. Therefore, it is important to test and fine-tune the configuration to ensure it works properly in your specific case.

Furthermore, please be aware that if you choose to use dnsmasq as your local DHCP and DNS server, the host running dnsmasq must be online at all times. If it goes down or experiences any issues, your network may experience problems until the dnsmasq server is brought back online.

1 Like

I finally found a solution to modify the DNS route, but I am not sure it is working!
Do you have some Linux commands to verify all the routes?

So I tried to apply your solutions…
Again, let's say:

  • 192.168.0.1 is the router ip
  • 192.168.0.20 is the ncp ip
  • 192.168.0.50 is a machine ip

So on the NCP RPi 192.168.0.20, I modified the following files as follows:
Here is my /etc/systemd/resolved.conf:

# QUAD9 I guess!
DNS=9.9.9.9
DNSStubListener=no

Here is my /etc/resolv.conf:

nameserver 127.0.0.1

Then my /etc/default/dnsmasq:

ENABLED=1
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.conf.mine"
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
IGNORE_RESOLVCONF=yes

My /etc/dnsmasq.conf.mine:

domain-needed
bogus-priv
resolv-file = /run/systemd/resolve/resolv.conf
server = /188.168.192.in-addr.arpa/192.168.0.1
listen-address = 127.0.0.1
listen-address = 192.168.0.20
addn-hosts = /etc/dnsmasq.addn-hosts.local

log-queries
log-facility = /var/log/dnsmasq/dnsmasq.log

→ One question however on the line resolv-file = /run/systemd/resolve/resolv.conf: it seems that dnsmasq.service is returning an error (systemctl status dnsmasq.service). So I guess we should point to /etc/resolv.conf instead, right?

Then my /etc/dnsmasq.addn-hosts.local:

192.168.0.1     sky.box
192.168.0.20    %MYNEXTCLOUDDOMAIN.TLD%
255.255.255.255 broadcast

→ Here I was completely lost… I tried to do this, but it should not work as my understanding here is limited. Could you help me?
→ I guess %MYNEXTCLOUDDOMAIN.TLD% should be replaced by the domain name?

In the end, I did not try your DHCP solution for the moment.
My understanding is that those lines replace the DHCP server of the box?
So all devices can get an IP address?

Maybe I have to test the routes to see if the solution I've found is working, no?

Again, thanks a lot for your help

It must be, in your case:

server=/0.168.192.in-addr.arpa/192.168.0.1

This line tells dnsmasq to forward reverse DNS queries for the 192.168.0.0/24 subnet to the DNS server at 192.168.0.1 (your router), to resolve the hostnames provided by DHCP. But since your router does not seem to have the possibility to give static names, you can omit that line.

No.

Try with /var/run/systemd/resolve/resolv.conf or better, look where it is located in your system.

Bingo!

Finally, do not forget to restart systemd-resolved.service when you have changed the configuration:

sudo systemctl restart systemd-resolved.service
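The reverse-zone mix-up corrected just above (a `server=/188.168.192.in-addr.arpa/…` rule copied from a 192.168.188.0/23 network into a 192.168.0.0/24 LAN) is easy to repeat, so here is an added check, written for this thread and not taken from any participant's configuration, that derives the in-addr.arpa zone(s) for a LAN and compares them with the `server=` rules in a dnsmasq config; the sample config is constructed, and it also handles /16 and non-/24 prefixes such as the /23 from the earlier post.

```python
"""Check that a dnsmasq 'server=/<zone>.in-addr.arpa/<ip>' rule matches the LAN it is meant for."""
import ipaddress
import re

# dnsmasq accepts "option=value" with or without spaces around the "=".
_SERVER_LINE = re.compile(r"^\s*server\s*=\s*/(?P<zone>[^/]+)/(?P<target>\S+)\s*$", re.M)

def reverse_zones(cidr):
    """in-addr.arpa zone names covering an IPv4 network, one per octet-aligned block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 24:              # smaller than a /24: the zone is the enclosing /24
        net = net.supernet(new_prefix=24)
    octets = -(-net.prefixlen // 8)     # fixed octets for this prefix: /16 -> 2, /23 -> 3
    boundary = octets * 8
    blocks = [net] if net.prefixlen == boundary else net.subnets(new_prefix=boundary)
    zones = []
    for block in blocks:
        fixed = str(block.network_address).split(".")[:octets]
        zones.append(".".join(reversed(fixed)) + ".in-addr.arpa")
    return zones

def check_reverse_server(conf_text, lan_cidr, router_ip):
    """Compare every reverse-zone server= rule in a dnsmasq config with the LAN and router given."""
    expected = set(reverse_zones(lan_cidr))
    configured, wrong_zone, wrong_target = [], [], []
    for m in _SERVER_LINE.finditer(conf_text):
        if not m["zone"].endswith("in-addr.arpa"):
            continue                    # forward rule such as server=/youtube.com/8.8.8.8: not checked
        configured.append(m["zone"])
        if m["zone"] not in expected:
            wrong_zone.append(m["zone"])
        elif m["target"] != router_ip:
            wrong_target.append(m["target"])
    return {"expected": sorted(expected), "configured": configured, "wrong_zone": wrong_zone,
            "wrong_target": wrong_target, "missing": sorted(expected - set(configured))}

# Constructed sample: the rule from the /23 example pasted unchanged into a 192.168.0.0/24 LAN.
SAMPLE_CONF = """\
server = /188.168.192.in-addr.arpa/192.168.0.1
listen-address = 192.168.0.20
"""

if __name__ == "__main__":
    report = check_reverse_server(SAMPLE_CONF, "192.168.0.0/24", "192.168.0.1")
    print(report)   # wrong_zone lists 188.168.192.in-addr.arpa, missing lists 0.168.192.in-addr.arpa
```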

/var/run/systemd/resolve/resolv.conf does not exist.
I only have those resolv.conf:
/run/NetworkManager/resolv.conf
/run/dnsmasq/resolv.conf
/run/resolvconf/resolv.conf

In /run/resolvconf/resolv.conf there is nothing.
:thinking:

Dear @marsjungle , I do not know your system. Does it run systemd?

You asked me to provide my solution. That is what I did.

I’m glad to help you with your questions, but please keep in mind that it’s important to try to solve problems on your own as well. It’s a valuable learning experience, and it helps build problem-solving skills. I encourage you to do some research and experimentation on your own, and if you get totally stuck, feel free to ask for help again.

1 Like

Sorry to make you lose your time.
Nothing is working. I've spent so much time experimenting.

I think this router is a piece of sh**
I cannot even switch off the DHCP.

It's working when I add

192.168.0.20   my.domain.com

in /etc/hosts (or the hosts file on Windows) on laptop machines.
But I do not know how to do this on Android phones or tablets.
Anyway, thank you for your kind help.

Don't give up!

See it this way: It doesn’t work YET. The solution is certainly within reach.

Try to create your own static resolv.conf with these entries:

nameserver 80.80.80.80
nameserver 9.9.9.9
search .

and point your config to it:

/etc/dnsmasq.conf.mine :

resolv-file = /path/to/your/static/resolv.conf

Give it a try.

You can implement split-horizon DNS with any DNS server (although perhaps not your router, which may only be a DNS forwarder). Some of them have it as a built-in feature, but it can also be easily implemented by simply using your own server internally.

For example, your phone is on your WiFi. It gets your local DNS server via DHCP. Your DNS server gives it the LAN IP in response to query for your Nextcloud FQDN.

Your phone leaves your network. Now it uses some other DNS server that will ultimately give the public IP for the same FQDN.

That’s split-horizon DNS in a nutshell. It will always get the appropriate IP automatically.

No, the hosts file is an actual file in most operating systems that allows you to manually override name resolution for specific names. In that case dnsmasq would not be queried for that name at all.

2 Likes

Then you’ve learned something new now: dnsmasq has a hosts file that applies to the network it serves, and in my explanation above that’s the file

/etc/dnsmasq.addn-hosts.local

man dnsmasq
and look for

-H, --addn-hosts=

Yes, but then you have to change your hosts file day in, day out…

I’ve already tested this.

I’ve done all possible things and in the end, when I tail the dnsmasq logs:

Feb 19 17:58:57 dnsmasq[8910]: query[A] ip.changeip.com from 127.0.0.1
Feb 19 17:58:57 dnsmasq[8910]: forwarded ip.changeip.com to 80.80.80.80
Feb 19 17:58:57 dnsmasq[8910]: forwarded ip.changeip.com to 9.9.9.9
Feb 19 17:58:57 dnsmasq[8910]: reply ip.changeip.com is 204.16.169.55

so I missed something, because requests are leaving my local network!

However, traceroute 192.168.0.20 from my laptop gives

traceroute to 192.168.0.20 (192.168.0.20), 30 hops max, 60 byte packets
 1  Nextcloud (192.168.0.20)  5.801 ms  5.765 ms  5.758 ms

and traceroute 192.168.0.1 from my laptop gives

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 60 byte packets
 1  SkyRouter.Home (192.168.0.1)  2.665 ms  7.101 ms  7.095 ms

Unfortunately my skills in networking are very poor :sleepy:
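The log excerpt above is the right thing to look at, and a small parser makes it easier to read than eyeballing `tail -F`. In a split-horizon setup, a query for an external name such as ip.changeip.com is expected to be forwarded upstream; what has to be true is that queries for the Nextcloud name are answered from the addn-hosts file (dnsmasq logs those as `<hosts file path> <name> is <addr>` instead of `forwarded … to …`). The following added example, not from anyone in this thread, classifies each name in a dnsmasq query log by where its answer came from and lists internal names that left the LAN; the four quoted log lines are reused, the remaining lines and the `*.example.com` names are constructed placeholders.

```python
"""Classify dnsmasq 'log-queries' output by where each answer came from."""
import re
from collections import defaultdict

# Event text follows "dnsmasq[PID]: "; these patterns match what log-queries writes.
_QUERY = re.compile(r"^query\[(?P<rtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
_FORWARD = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
# "<source> <name> is <addr>": source is "reply", "cached", "config" or a hosts-file path
_ANSWER = re.compile(r"^(?P<source>\S+) (?P<name>\S+) is (?P<addr>\S+)$")

def classify_queries(log_text):
    """Return {name: record}; record["source"] is 'hosts', 'cached', 'config' or 'forwarded'."""
    records = defaultdict(lambda: {"clients": set(), "source": None, "file": None,
                                   "answers": set(), "upstreams": set()})
    for line in log_text.splitlines():
        event = line.partition("]: ")[2]              # '' when the line is not a dnsmasq event
        if (q := _QUERY.match(event)):
            records[q["name"]]["clients"].add(q["client"])
        elif (f := _FORWARD.match(event)):
            records[f["name"]]["source"] = "forwarded"
            records[f["name"]]["upstreams"].add(f["server"])
        elif (a := _ANSWER.match(event)):
            rec = records[a["name"]]
            rec["answers"].add(a["addr"])
            if a["source"] == "reply":                # upstream answer to a forwarded query
                rec["source"] = rec["source"] or "forwarded"
            elif a["source"] in ("cached", "config"):
                rec["source"] = a["source"]
            else:                                     # answered from /etc/hosts or an addn-hosts file
                rec["source"], rec["file"] = "hosts", a["source"]
    return dict(records)

def leaked_internal_names(records, internal_names):
    """Internal names that went upstream instead of being answered from the addn-hosts file."""
    return sorted(n for n in internal_names if n in records and records[n]["source"] == "forwarded")

# Constructed sample: the four lines quoted in the thread, then constructed lookups of placeholder
# names (one served from addn-hosts as intended, one that wrongly left the LAN).
SAMPLE_LOG = """\
Feb 19 17:58:57 dnsmasq[8910]: query[A] ip.changeip.com from 127.0.0.1
Feb 19 17:58:57 dnsmasq[8910]: forwarded ip.changeip.com to 80.80.80.80
Feb 19 17:58:57 dnsmasq[8910]: forwarded ip.changeip.com to 9.9.9.9
Feb 19 17:58:57 dnsmasq[8910]: reply ip.changeip.com is 204.16.169.55
Feb 19 17:59:10 dnsmasq[8910]: query[A] nextcloud.example.com from 192.168.0.50
Feb 19 17:59:10 dnsmasq[8910]: /etc/dnsmasq.addn-hosts.local nextcloud.example.com is 192.168.0.20
Feb 19 17:59:31 dnsmasq[8910]: query[A] files.example.com from 192.168.0.50
Feb 19 17:59:31 dnsmasq[8910]: forwarded files.example.com to 9.9.9.9
Feb 19 17:59:31 dnsmasq[8910]: reply files.example.com is 203.0.113.7
"""
```

Run it against the real file with `classify_queries(open("/var/log/dnsmasq/dnsmasq.log").read())` and pass your Nextcloud FQDN to `leaked_internal_names`; an empty result means the split horizon is doing its job.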