Need a restriction on FTL binding

My versions:

  • Core v6.3
  • FTL v6.4.1
  • Web interface v6.4

My Pi-hole is running on a Raspberry Pi 2 without a container.

My network has two network interfaces:

  • vlan@eth0 : ULA IPv6 prefix, no IPv4
  • eth0 : global IPv6 prefix, private IPv4

With IPv6, you can mix SLAAC and manual configuration. This allows having a dedicated IP address for DNS listening in the form ::53. This is what we can call a service address.

In my case, the Raspberry Pi has both a global service address and a ULA service address, so it has a total of 7 IP addresses.

FTL interface setting does not allow to select interfaces and addresses to bind to

Listening on all addresses of all interfaces has not been considered good practice for a while.

As I do with bind or ssh or any other network service, I want to restrict FTL binding to a specific list of addresses.

Issue with network interfaces

Even when told to bind to eth0 only, FTL binds to the vlan network interface: this should not be the case. So this is a bug for me.

Issue with network addresses

Link-local: FTL should never bind to either IPv4 or IPv6 link-local addresses because resolution is then mDNS's business with .local names.

When several IP addresses are present, FTL should allow selecting the addresses it should bind to: in my case, only DNS service addresses.

My dream: make FTP no longer bind to the IPv4 address because DHCP will be shut down soon.

But IPv6 connections are perfectly fine with having their DNS resolved via IPv4, so it would save you a lot of hassle at this point ?! :wink:

But if you want to continue your original plan I think you need to look into manual DNSmasqd configuration options and perhaps some kind of “Ignore Interface X” feature if possible.
IIRC there used to be one… Not sure anymore…

You’re perfectly right. DNS works with both protocols, serving A and AAAA records whatever the protocol used to contact the server.

The point is to switch off IPv4 in most of my network, so I don’t want to see any more binds with IPv4, for this reason alone.

You are aware of the fact that there are still many websites and services out there that don’t have IPv6 connectivity ?

TL;DR of what I am trying to say: Turning IPv4 off has consequences which you have to be aware of :slight_smile:

That's wrong, mDNS does not bind to the loopback address or link-local addresses, nor any unicast address at all.
Since DNS and mDNS are separate protocols, there is no conflict here.
DNS is unicast to port 53, while mDNS uses port 5353 on multicast addresses.

And DNS may well return a name for loopback addresses, just as mDNS may return an IPv6 GUA for some hostname.local.

Assuming you meant to write FTL instead of FTP :wink: , this would be possible already.

As a tailored fork of dnsmasq, pihole-FTL would allow you to exercise exact control of its binding and listening behaviour as detailed by dnsmasq documentation, see specifically its interface, listen-address and bind-interfaces options (among others).

To apply them, you'd need to configure Pi-hole to not manage interface listening behaviour at all, by switching dns.listeningMode to NONE, under All settings » DNS server.
You could then add your desired custom configuration to Pi-hole.

For just a few lines, you could use misc.dnsmasq_lines under All settings » Miscellaneous.

If instead you want to manage your own custom dnsmasq file under /etc/dnsmasq.d/, you could alternatively enable misc.etc_dnsmasq_d.

All settings is available in Expert mode only.


A side note on shutting down DHCP for your network:
You should be aware that NDP/SLAAC does not register hostnames with DNS, i.e. in an IPv6-only network, without DHCP based hostname registration, you would see only IPv6 addresses as Client in Pi-hole's Query Log (or generic public domains, perhaps).


I’m aware of the bad behavior of actors like github and many others that refuse to admit IPv6 is the only future of the Internet. History will not wait for them.

To cope with that situation, I have NAT64 and DNS64 in place with tayga and bind9.

DNS64 will not work with hard-coded IPv4 addresses, but it is OK for me, as the only software that does that is malware or very badly programmed software that should not be allowed to use my network.

Unfortunately, only bind9 can do DNS64, so it’s important for me to have FTL bind only on some addresses of my choice.

Thank you for your answer. I will follow your instructions to get the wanted behavior.

That's wrong, mDNS does not bind to the loopback address.
Since DNS and mDNS are separate protocols, there is no conflict here.
DNS is unicast to port 53, while mDNS uses port 5353 on multicast addresses.

And DNS may well return a name for loopback addresses, just as mDNS may return an IPv6 GUA for some hostname.local.

You’re right, mDNS and DNS are separate protocols that do not use the same ports, and they can work on the same addresses. But it’s not good practice to have daemons binding on all addresses of all network interfaces.

Reducing attack surface is important. For me mDNS is only useful for link-local traffic and should bind only to link-local addresses, and DNS should never bind to link-local addresses.

Almost all packages bind to all OOTB:

$ sudo netstat -nltup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      630/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3069/apache2
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1051/master
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1679/pure-ftpd (SER
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      600/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1051/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3069/apache2
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      630/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      630/dovecot
[..]

Why should OOTB Pi-hole do it differently?
If you want to lock down shop, you can do so as explained already by Bucking_Horn.
Same as for the daemons listed above.
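As an added example (not from the thread or the Pi-hole project), here is a small audit script that parses a netstat/ss style listing like the one above and flags sockets of a given daemon that are bound to the wildcard, to a link-local address, or to an address outside an allow-list; it also builds the two dnsmasq directives discussed in this thread from that same allow-list. The listing, the addresses (2001:db8::53, 192.0.2.10) and the PID are constructed sample data.

```python
import ipaddress
import json

# Constructed sample listing in `netstat -nltup` / `ss -lntup` format (not from a live host).
# pihole-FTL is shown bound to the wildcard, to a link-local address, and to two service addresses.
SAMPLE_LISTING = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      600/sshd
tcp        0      0 :::53                   :::*                    LISTEN      812/pihole-FTL
udp        0      0 [fe80::1%eth0]:53       [::]:*                              812/pihole-FTL
udp        0      0 [2001:db8::53]:53       [::]:*                              812/pihole-FTL
udp        0      0 192.0.2.10:53           0.0.0.0:*                           812/pihole-FTL
"""

def parse_local(field):
    """Split a 'Local Address' column into (ip, port); handles 0.0.0.0:53, :::53 and [fe80::1%eth0]:53."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]   # drop brackets and the IPv6 zone index
    return ipaddress.ip_address(host), int(port)

def audit_listeners(listing, allowed, program="pihole-FTL"):
    """Return (proto, address, port, reason) for every socket of `program` bound outside the allow-list."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in listing.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                                   # header / banner lines
        if not cols[-1].endswith("/" + program):
            continue                                   # another daemon
        ip, port = parse_local(cols[3])
        if ip.is_unspecified:
            reason = "wildcard bind (listens on every address)"
        elif ip.is_link_local:
            reason = "link-local bind (leave link-local traffic to mDNS)"
        elif ip not in allowed_ips:
            reason = "address not in allow-list"
        else:
            continue
        findings.append((cols[0], str(ip), port, reason))
    return findings

def dnsmasq_lines(allowed):
    """The two directives from this thread, as the list misc.dnsmasq_lines expects."""
    return ["listen-address=" + ",".join(allowed), "bind-interfaces"]

if __name__ == "__main__":
    wanted = ["2001:db8::53", "192.0.2.10"]             # sample service addresses
    for finding in audit_listeners(SAMPLE_LISTING, wanted):
        print("%-4s %s:%d  %s" % finding)
    print("pihole-FTL --config misc.dnsmasq_lines", json.dumps(dnsmasq_lines(wanted)))
```

Run it against `sudo netstat -nltup` (or `ss -lntup`) output piped into a file after applying the configuration; an empty report means FTL is bound only to the addresses you chose.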

Many bad practices come from the call for ease of use from users, but it is still bad to do so.

None of my services is listening on all OOTB. Any service that cannot restrict its binds is defective for me.

Reducing the number of services and listening addresses is good practice, like shutting down telnet and restricting ssh to ssh-key-only login.

Security is more and more important as the number of attacks is growing. Security is never an option.

I agree about tightening security but for a home setup like most of us, the OOTB binding to all is secure enough.
And as noted before, you can tighten security as much as you like.

You can’t always please everyone, especially with some of the edge cases.
No one size fits all :wink:

I understand this is a Feature Request and we try our best to implement new features, but feature requests alone are not enough to result in a new development.

To be considered for development, a feature request needs at least:

  • enough people voting for the request (Currently your feature request has no votes).
  • the development team must decide whether a feature is valuable to the project and how it affects ALL users.
  • developers willing to use their own free time to develop this new feature (and maintain it in the future).

I'm not saying your feature request won't be developed, but this feature will be used only by a very few advanced users, with very specific configuration.


FTL uses an embedded dnsmasq, so maybe using some advanced dnsmasq options will be the best way to do it, like suggested by Bucking_Horn.


Having 7 IPs is an advanced configuration.
Most users will never need a setting to do what you need.

dnsmasq has settings to exclude interfaces.

You will need to search and try some variations, but maybe you can add a few lines to Pi-hole misc.dnsmasq_lines option.

Did you try to add something like except-interface=vlan to misc.dnsmasq_lines?

Have you tried binding OpenSSH Server to just eth0 for example and then testing what happens when you unplug the cable of eth0 and plug it back in ?

HINT : It might lead to not having a way to connect to your Pi-Hole anymore unless you reboot it…

Which brings me to another thing :
I kind of miss having the option to reboot the system from the Pi-Hole webGUI :cry:
Now I have to plug-in a keyboard and CTRL+ALT+DEL the system…

Considering buying one of those small keyboards that just have those three buttons on them :winking_face_with_tongue: :rofl:

I have the solution for you :

echo 'net.ipv6.ip_nonlocal_bind = 1' | tee /etc/sysctl.d/99-nonlocal_bind_ipv6.conf

You can do the same for IPv4

This allows daemons to bind to addresses before these addresses have been assigned in the kernel.

I’m using it on all my services because systemd starts all of them too early, even if I ask to wait for network-online.

So, even for ssh, I do limit binding, and it allows me to have 2 or 3 ssh running on the same machine but with different configurations (allow password or not, chroot or not…).


Thank you for the very good job done with this tool.

I think your suggestions and those of Bucking_Horn will be enough to get the wanted behavior.

I agree that this is not a common demand and that it does not make sense to add it to the web GUI. As an advanced feature, if adding options in dnsmasq options works, it is perfect for me. I don’t ask for more.

I’ll try soon and keep you informed.

You'll need the two directives below:

$ man dnsmasq
[..]
       -a, --listen-address=<ipaddr>
              Listen  on  the  given  IP address(es). Both --interface and
              --listen-address options may be given, in which case the set
              of  both  interfaces  and addresses is used. Note that if no
              --interface option is given, but --listen-address  is,  dns‐
              masq  will  not  automatically listen on the loopback inter‐
              face. To achieve this, its IP address,  127.0.0.1,  must  be
              explicitly given as a --listen-address option.

       -z, --bind-interfaces
              On  systems which support it, dnsmasq binds the wildcard ad‐
              dress, even when it is listening on only some interfaces. It
              then  discards requests that it shouldn't reply to. This has
              the advantage of working even when interfaces  come  and  go
              and  change  address.  This  option forces dnsmasq to really
              bind only the interfaces it is listening on. About the  only
              time  when this is useful is when running another nameserver
              (or another instance of dnsmasq) on the same  machine.  Set‐
              ting  this option also enables multiple instances of dnsmasq
              which provide DHCP service to run in the same machine.

Or the one below as an alternative to bind-interfaces:

$ man dnsmasq
[..]
       --bind-dynamic
              Enable a network mode which is a hybrid  between  --bind-in‐
              terfaces and the default. Dnsmasq binds the address of indi‐
              vidual interfaces, allowing multiple dnsmasq instances,  but
              if new interfaces or addresses appear, it automatically lis‐
              tens on those (subject to any access-control configuration).
              This  makes  dynamically created interfaces work in the same
              way as the default. Implementing this option  requires  non-
              standard  networking  APIs  and  it  is only available under
              Linux. On other platforms it falls-back to --bind-interfaces
              mode.

Full man page below:

Because of that I have started using the networking component of systemd instead of NetworkManager, but your solution might solve those few occasions when things still go wrong and I am forced to do another reboot!

Thnx! :grimacing::+1::+1:

I’ve created a file named 10-listen.conf in /etc/dnsmasq.d/ with the two lines below:

listen-address=<IPv6 global listen address>,<IPv6 ULA listen address>,<IPv4 legacy listen address>
bind-interfaces

And it works like a charm.

Thank you


Don't need to.
Can drop those two directives directly into webGUI below:

Or via shell:

sudo pihole-FTL --config misc.dnsmasq_lines '["listen-address=<IP_ADDRESSES>","bind-interfaces"]'

EDIT: Oh for the web part you have below settings to play with:

$ sudo pihole-FTL --config webserver.
[..]
webserver.port = 80o,443os,[::]:80o,[::]:443os
[..]
webserver.advancedOpts = []

And below ones for the NTP service:

$ sudo pihole-FTL --config ntp.
[..]
ntp.ipv4.address =
[..]
ntp.ipv6.address =

Description in the webGUI (expert) settings and in the docs below:

