Hello,
instead of following regular bug report's template, i have rather question or misunderstanding on how DNS in general work. For better understanding what i am struggling with, let me introduce my homelab network.
On top there's Mikortik serving (amongst other roles) as edge router and DHCP server. There i have dhcp lease script saving each hostname to local DNS cache to solve ultimately problem of giving fancy names to my equipment but having to address them via IP rather than name.
To this mikrotik there's connected virtualized PiHole, for sake of simplicity let's assume that it's being plugged directly into Mikrotik and is receiving IPv4 172.16.32.30 address as every other device
On the same network i do have nextcloud server on bare metal. Server's identity is being set as cloud
, just regular crashed laptop with Debian, Nginx, nothing too fancy.
There's also Fujitsu's thin client, futroS720
, acting as reverse proxy on nginx. One of futro720
's roles is to add HTTPS layer to the traffic and to be single HTTP centre of my homelabbity. There are locally hosted static websites, reverse-proxied services like nextcloud and tons of other stuff.
So, in context of my case, futro720
has configured VHost nextcloud.tripos.ovh
, to be proxy-passed to my http instance of nextcloud on cloud
. This of course usually works flawlessly.
For name-based VHost hosting there has to be Host:
header set in http request, for this purpose CNAMEs does their job, pointing to single machine under different hostnames, or identities if you like. That's pihole's job, in webui -> Local DNS -> CNAME records i have setup nextcloud.tripos.ovh
being CNAME of futros720.tripos.ovh
.
Pihole itself is configured with conditional forwarding, so every querfy for something with .tripos.ovh
comes, it should be forwarded to my Mikrotik to be resolved there. Using webui -> Settigns -> DNS -> Conditional forwarding. And this works flawlessly all of the time. Pihole also has Unbound installation running on localhosts's 5335/udp as its upstream but i doubt it has to do anything with my case, just stating this out if it could be handy.
And this is where it's starts to get hard.
Pihole's FTL does "host" so to speak CNAME records, but isn't authoritative for A records for .tripos.ovh domain, as it's "origin" is on Mikrotik. Therefore, after restart of FTL or FTL's cache expiration, queries for nextcloud.tripos.ovh
returns only CNAME record.
lis6502@e595:~$ dig @172.16.32.30 nextcloud.tripos.ovh
; <<>> DiG 9.19.21-1-Debian <<>> @172.16.32.30 nextcloud.tripos.ovh
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59645
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nextcloud.tripos.ovh. IN A
;; ANSWER SECTION:
nextcloud.tripos.ovh. 0 IN CNAME futros720.tripos.ovh.
;; Query time: 23 msec
;; SERVER: 172.16.32.30#53(172.16.32.30) (UDP)
;; WHEN: Sat Mar 23 13:27:43 CET 2024
;; MSG SIZE rcvd: 83
This way, nor Firefox or Chrome, nor even my laptop's ping doesn't bother to "further resolve" futros720, but rather relies on A being empty, so
lis6502@e595:~$ ping nextcloud.tripos.ovh
ping: nextcloud.tripos.ovh: Name or service not known
lis6502@e595:~$ curl https://nextcloud.tripos.ovh
curl: (6) Could not resolve host: nextcloud.tripos.ovh
However, if i "help" FTL and ask for futros720.tripos.ovh
first, i believe it's getting cached and subsequent queries returns A+CNAME responses
lis6502@e595:~$ dig @172.16.32.30 futros720.tripos.ovh
; <<>> DiG 9.19.21-1-Debian <<>> @172.16.32.30 futros720.tripos.ovh
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39189
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;futros720.tripos.ovh. IN A
;; ANSWER SECTION:
futros720.tripos.ovh. 203 IN A 172.16.32.7
;; Query time: 3 msec
;; SERVER: 172.16.32.30#53(172.16.32.30) (UDP)
;; WHEN: Sat Mar 23 13:35:43 CET 2024
;; MSG SIZE rcvd: 65
lis6502@e595:~$ dig @172.16.32.30 nextcloud.tripos.ovh
; <<>> DiG 9.19.21-1-Debian <<>> @172.16.32.30 nextcloud.tripos.ovh
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23919
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nextcloud.tripos.ovh. IN A
;; ANSWER SECTION:
nextcloud.tripos.ovh. 0 IN CNAME futros720.tripos.ovh.
futros720.tripos.ovh. 199 IN A 172.16.32.7
;; Query time: 3 msec
;; SERVER: 172.16.32.30#53(172.16.32.30) (UDP)
;; WHEN: Sat Mar 23 13:35:47 CET 2024
;; MSG SIZE rcvd: 99
Then, browsers, ping, whatnot is able to reach nextcloud or any other reverse proxied webapp hosted on futro.
I know, this could be solved in at least three ways:
- use local cache on my clients (like systemd-resolved),
- use local /etc/hosts entries on my client devices for futros720( but why to use DNS then)
- setup ugly cronjob on pihole instance to query every 3 minutes for futros720.tripos.ovh to keep its address always in cache.
Instead i would like to tackle problem at its core and conceive solution on Pihole itself, without grotesque workarounds.
What i've tried so far was to setup forward zone on Unbound (while turning off conditional forwarding on Pihole of course), like
root@dns:~# cat /etc/unbound/unbound.conf.d/local-tripos-forwardzone.conf
forward-zone:
name: "tripos.ovh."
forward-addr: 172.16.32.1@53
but also without luck.