Local IPs not resolved

Hello,

This is my first topic and thanks in advance to all will help me.

I need help to go in deep to a problem where i found different topic on the forum but i have a specific difference.

My router is a Fritz 4040 and is to me clear the problem of the domain fritz.box , now my small ubuntu server with pi-hole is offline , if I'll put the server online I'm not able to ping local IPs.

I followed the suggested configuration for Fritz routers for IP4 and IP6 and all has worked fine till this month.

My concern is the following this string that i found in a log or query the pi-hole DB ( sorry at the moment i do not remember)

*dnsmasq[2902]: cached vultrusercontent.com is 127.0.0.1*

Seems something similar to DNS rebind attack ,or I'm wrong

I created the Debug log and I checked many log and conf files on the server without founding a clear reason why the problem persist.

Can you help me to analyse the problem i would like to find the the reason of the problem before format and reinstall form scratch pi-hole.

Thanks
Ciao

** edit> orthographic corrections

Pinging IP addresses removes DNS from the process. Are you really using the ping command and local, non-routeable IP addresses? I ask because I think your muttersprache may not be English and I want to make sure you explicitly mean ping and not another command or process.

I was curious so I also did a dig on this domain and it also returns 127.0.0.1

Doing a dig +trace vultrusercontent.com shows that domain resolves going through the Root > TLD > ns1.vultr.com / ns2.vultr.com > 127.0.0.1 so the name servers at vultr.com are telling you its your local host. Seems wierd to me but perhaps someone has a better explainationl I don't think its nefarious.

1 Like

A Records

Name TTL Data
vultrusercontent.com 252 127.0.0.1

AAAA Records

No records present.

CNAME Records

No records present.

MX Records

Name TTL Data Address Preferences
vultrusercontent.com 900 208.167.225.253 mail.vultrusercontent.com. 10

NS Records

Name TTL Data
vultrusercontent.com 900 ns1.vultr.com.
vultrusercontent.com 900 ns2.vultr.com.

PTR Records

No records present.

SRV Records

No records present.

SOA Records

Name TTL Mname Rname
vultrusercontent.com 900 ns1.vultr.com. dnsadm.choopa.com.

TXT Records

Name TTL Data
vultrusercontent.com "300" "v=spf1 -all"

CAA Records

No records present.

DS Records

No records present.

DNSKEY Records

No records present.

It seems Vutlr.com are using that domain as a means to enable access to a same instance by domain names, as demonstrated by Vultr's NTP server setup guide:

click for NTP guide extract
  1. Add a line to allow requests from the desired network interface, such as a VPC network address.
 allow 10.0.0.0/24

(...)

  1. Verify the NTP synchronization status.
 $ chronyc tracking

Output:

 Reference ID    : 4622FB9A (10.0.0.1.vultrusercontent.com)
 Stratum         : 5
 Ref time (UTC)  : Fri Apr 08 00:18:17 2022
 System time     : 0.000303299 seconds fast of NTP time
 Last offset     : +0.000142631 seconds
 RMS offset      : 0.000152918 seconds
 Frequency       : 6.807 ppm slow
 Residual freq   : +0.007 ppm
 Skew            : 0.219 ppm
 Root delay      : 0.048402909 seconds
 Root dispersion : 0.011339894 seconds
 Update interval : 64.1 seconds
 Leap status     : Normal

Above 10.0.0.1.vultrusercontent.com would resolve to 127.0.0.1 (as probably any subdomain of vultrusercontent.com would), pointing back to the machine itself.

On first glance, above NTP guide extract from Vultr's website looks more like a benevolent usage of that domain than a malicious intrusion attempt.

What client did make that request?

Are you using vultr.com cloud infrastructure services, or perhaps accessing a site that's hosted by them?

Hi All,

First of all thanks for the reply.

DanSchaper : right I'm Italian and English is not my mother language , for IP I mean the node name of LAN device.

Test done with pi-hole offline:

Esecuzione di Ping tristano.fritz.box [192.168.2.61] con 32 byte di dati:
Risposta da 192.168.2.61: byte=32 durata<1ms TTL=64
.......
C:>nslookup tristano
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  fd78:1958:81bd:5f8c:xxxxxxxxxxxxxxxxxxxxxxxxx

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Tempo scaduto per la richiesta a UnKnown

Ping to PI-HOLE server

C:>ping pedragon
Esecuzione di Ping pedragon.fritz.box [192.168.2.8] con 32 byte di dati:
Risposta da 192.168.2.6: Host di destinazione non raggiungibile.

Statistiche Ping per 192.168.2.8:
    Pacchetti: Trasmessi = 4, Ricevuti = 4,
    Persi = 0 (0% persi),

Than I started the pi-hole server

C:\Windows\System32>ping tristano

Esecuzione di Ping tristano.fritz.box [192.168.2.61] con 32 byte di dati:
Risposta da 192.168.2.61: byte=32 durata<1ms TTL=64

After few minutes


C:>ping tristano

Esecuzione di Ping tristano.fritz.box [45.76.93.104] con 32 byte di dati:
Risposta da 45.76.93.104: byte=32 durata=16ms TTL=55
Richiesta scaduta.
Risposta da 45.76.93.104: byte=32 durata=106ms TTL=55
Risposta da 45.76.93.104: byte=32 durata=113ms TTL=55
C:>nslookup tristano
Server:  pi.hole
Address:  fd78:1958:81bd:5f8c:8aae:----------  

Risposta da un server non autorevole:
Nome:    tristano.fritz.box
Addresses:  2001:19f0:6c00:1b0e:5400:------------
          45.76.93.104

Problem seems to be on IP6 class

Currently router configuration on DNS session

IP6 DNS Disabled

Internet DNS server

Before the problem IP6 DNS was active , and all IP configurations were pointed to PI-hole server

Pi-hole DNS setting (previously IP6 was checked)

Bucking_Horn:

If I'm accessing to site hosted on vultr.com cloud infrastructure is not consciously

I'm not able to find the IP that is accessing to the site

_______@pedragon:~$ pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "select domain,  client, count(domain) from queries where domain like '%ultr%' group by domain;"
ultrapunchneedle.com|192.168.2.24|5
www.cineultra.eu|192.168.2.14|5

CallMeCurious:

Dig command

______@pedragon:~$ sudo dig +trace vultrusercontent.com
[sudo] password for :

; <<>> DiG 9.16.48-Ubuntu <<>> +trace vultrusercontent.com
;; global options: +cmd
fritz.box.              9       IN      SOA     fritz.box. admin.fritz.box. 1711048060 21600 1800 43200 10
;; Received 68 bytes from 192.168.2.1#53(192.168.2.1) in 0 ms

For my low knowledge on networks matter still remain a mystery what is happening.

Tomorrow I'll try to setup the same DMS server of PI-hole on Fritz router to see what happens.

Edit : I forget to put the reason because I'm thinking on vultrusercontent.com

C:>tracert tristano

Traccia instradamento verso tristano.fritz.box [45.76.93.104]
su un massimo di 30 punti di passaggio:

  1    <1 ms    <1 ms    <1 ms  fritz.box [192.168.2.1]
  2     3 ms     2 ms     2 ms  10g-gemelli.pretorio.uni.net [194.183.16.97]
  3     3 ms     2 ms     2 ms  81.29.182.237
  4    11 ms    11 ms    11 ms  as57463.226.180.netix.net [185.1.226.180]
  5    11 ms    12 ms    12 ms  decix.fkt.vultr.com [80.81.196.21]
  6    15 ms    12 ms    11 ms  10.75.2.42
  7    11 ms    11 ms    11 ms  10.75.2.6
  8     *        *        *     Richiesta scaduta.
  9    21 ms    11 ms    11 ms  45.76.93.104.vultrusercontent.com [45.76.93.104]

Traccia completata.

Thanks
Ciao
Luca

Hello to all,

Sorry for the up, I was wondering if anyone could please help me.
Welcome also the courtesy to highlight where I'm wrong.

Thanks in advance
Luca

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Hello,

I hope I did it correctly

[✓] Your debug token is: https://tricorder.pi-hole.net/9jbaNLa7/

Thanks for the help
Luca

Your debug log shows your router's DHCP server to distribute your router as local DNS server:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   
   * Received 548 bytes from enp9s0:192.168.2.1
     Offered IP address: 192.168.2.8
     DHCP options:
      Message type: DHCPOFFER (2)
      router: 192.168.2.1
      dns-server: 192.168.2.1

That could still involve Pi-hole if you had configured your router to use Pi-hole as its only upstream (i.e. Internet > Dati di accesso > Server DNS), but you would not be able to attribute DNS requests to individual clients in such a configuration.

And as your debug log shows that you've enabled Pi-hole's Conditional Forwarding:
That wouldn't provide any benefits in that configuration, as DNS requests would have passed through your router already before reaching Pi-hole - on the contrary, you'd have closed a partial DNS loop, probably explaining your observed time-outs.

As FritzBox routers support distributing your Pi-hole machine's IPv4 as local DNS server via DHCP, it would be preferred to use that option, and leave the FB's upstreams with their defaults.

As for IPv6, note that FritzBox routers can be configured to not propagate a local DNS resolver at all, forcing all your IPv4 and dual-stack clients to use only IPv4 for their DNS requests:

a. Untick Also announce DNSv6 server via router advertisement (RFC 5006).
b. Tick Disable DHCPv6 server in the FRITZ!Box for the home network and
b.1. choose There are no other DHCPv6 servers for the home network.

This will have clients construct their IPv6 addresses via auto-configuration (SLAAC) exclusively, and will leave them with just an IPv4 address for DNS.
Pi-hole would still happily answer any allowed request for an AAAA record with a set of IPv6 addresses, so dual-stack clients would retain their full IPv6 resolution capabilities.

Hi Bucking_Horn,

This is absolutely right , reason is because when I discovered the problem I shutdown Pi-hole and challenged the setup of the fritz box as wrote in my previous post under the white Fritz OS images.

The original configuration was based and similar on This Pi-Hole documention for IP4 and IP6.

What I am unable to explain is why, despite the current configuration, how do I turn on the pi-hole server, the PCs still start pointing to IP outside the LAN using Pi-hole as DNS server.

Am I understanding correctly from nslookup command ? ( see previous post for sequence)

I understand that strange situations are not highlighted in the logs , I'll will follow your suggestions.

Thank you for your valuable support.
Luca