Unable to resolve DNS Name with local IP


Expected Behaviour:

Hetzner VPS:

  • Ubuntu 20.04
  • Hetzner VPS 1 Core 2GB RAM

Home Network:

  • RaspberryPi

Hi! I'll start by describing my current set-up.
Hetzner VPS:

  • Hosting a Wireguard server with my clients connecting to it. The catch is that one client is using two IP subnet ranges: 192.168.88.0/24 for the Wireguard connection and 192.168.0.0/24 for my home network. This is needed so that all my clients can connect from anywhere in the world to my home net and reach all devices within 192.168.0.0/24
  • Hosting PiHole with dnsmasq and listening on all local Interfaces

Raspberry Pi - Home network:

  • Using a docker container to connect via wireguard to my Hetzner VPS
  • Hosting various apps, all being SSL Secured through traefik.
  • Since everything is SSL secured, I have Cloudflare as a DNS with a wildcard certificate (example: service.pi.mydomain.com)
  • This local RaspberryPi is also equipped with a PiHole installation which serves only clients in my home network; here there are also local DNS entries pointing the various service.pi.mydomain.com entries to their respective IPs (traefik handles the reverse proxy stuff)

Expected behaviour:
Being on my home network, I can just enter the DNS name service.pi.mydomain.com and access all services which are hosted on my RaspberryPi with valid SSL certs.
The same should happen when I am connected to my Wireguard VPN: entering the DNS name and being rerouted to my home network.

When being at home:
Client -> Pihole Local DNS -> Reroute to IP (ex. 192.168.0.45) -> Traefik -> Access to the service

When connected to Wireguard:
Client -> DNS through Wireguard (192.168.88.1 -> Hetzner VPS dnsmasq) -> Reroute to IP (ex. 192.168.0.45) -> going through wg0 interface -> Home network traefik instance -> Access to the service

Actual Behaviour:

Once I am not home anymore and I want to connect to those services through the Wireguard connection, the DNS entry won't work. Doing an nslookup on the Hetzner VPS also doesn't bring up any results. Nothing is being found. And yes, the PiHole installation on the Hetzner VPS does have the local DNS entries.

When I use a local IP like 192.168.88.4 in the local DNS entry in the Hetzner VPS PiHole instance (service.pi.mydomain.com -> 192.168.88.4), the nslookup command finds the entry.
Maybe a DNS rebind protection somewhere??

I have done some tcpdumps, listening on port 53 (dnsmasq port) on my Hetzner VPS; when doing the request in the browser, I do not see any activity.
This kind of makes sense, since the error message from the browser pops up almost instantly: "Site was not found".

I can connect to my services by typing the IP and port directly into the browser (while being connected to the VPN), so there must be a problem with DNS resolution, since the direct connection can be made.

Debug Token:

No Debug Token yet. Maybe this can be solved without sharing sensitive information :)

Note that neither Pi-hole nor DNS are involved in routing.
There's no rerouting happening - Pi-hole just answers DNS requests.

If a DNS request happens to be for an IP address, the requesting client trying to establish communication with that replied IP (e.g. 192.168.0.45) would only be able to do so if it has a route to that IP address.

From what you describe, either your client would not send packets to 192.168.0.45 through its Wireguard connection to your VPS (which covers a different subnet, 192.168.88.0/24) to begin with, or your VPS would not know how to forward those packets to your RPi Wireguard peer.
Both of these routes have to be operational for a successful communication.

Obviously, you'd have to address that by configuring your wireguard client and your Hetzner VPS accordingly.
As this doesn't involve Pi-hole, you should consider consulting Wireguard's or Hetzner's support for further assistance.

What's the purpose of the VPS in your scenario anyway?

Having your remote Wireguard clients talk directly to the Wireguard peer in your home network would allow you to completely eliminate the VPS from your usage scenario, and likely your routing issues along with it.


First of all, thank you for your answer. You're completely right and I don't know what I was thinking, that maybe Pi-hole does the routing (wtf? :D)

I need the Hetzner VPS because my ISP at home won't allow me to open any ports. Therefore I cannot create a direct Wireguard connection to my RaspberryPi from the Internet.

I'll have a closer look at my wireguard configuration. Maybe i can find something out. Thank you!

Fixing the wireguard client should be easy enough - just add your home subnet (e.g. 192.168.0.0/24) to your remote wireguard machine's allowed ips.
I've no idea about the VPS configuration, though.

Maybe I'm wrong, but isn't your VPS also on the internet?
If you found a way to make that Wireguard connection to your home net work, other Wireguard peers should be able to do so as well.
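The replies above say that both legs of the route have to exist: the roaming client must send 192.168.0.0/24 into the tunnel, and the VPS must know that 192.168.0.0/24 lives behind the Pi's peer. The configuration below is an added illustration of such a hub-and-spoke setup; it is not taken from the thread and none of the posters shared their actual config files. Addresses are assumptions: VPS 192.168.88.1 (the DNS address mentioned in the question), roaming client 192.168.88.2, Pi container 192.168.88.4 (the address the questioner used in the test DNS entry), the Pi's LAN interface `eth0`, and `vps.example.com` as the VPS hostname. Keys are placeholders.

```ini
# --- Hetzner VPS: /etc/wireguard/wg0.conf (the hub) ---
[Interface]
Address = 192.168.88.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
# Without ip_forward=1 the VPS silently drops client -> 192.168.0.45 packets
# even when the AllowedIPs below are correct. (Assumed: iptables is in use.)
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

[Peer]
# Raspberry Pi peer (behind the ISP NAT). On the VPS, AllowedIPs is also the
# routing table: 192.168.0.0/24 is forwarded to THIS peer only because it is
# listed here. Listing it on no peer is the "VPS does not know how to forward" case.
PublicKey = <pi-public-key>
AllowedIPs = 192.168.88.4/32, 192.168.0.0/24

[Peer]
# Roaming client (laptop or phone)
PublicKey = <client-public-key>
AllowedIPs = 192.168.88.2/32

# --- Roaming client: wg0.conf ---
[Interface]
Address = 192.168.88.2/24
PrivateKey = <client-private-key>
# Pi-hole/dnsmasq on the VPS answers service.pi.mydomain.com with 192.168.0.45
DNS = 192.168.88.1

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
# Broken form: AllowedIPs = 192.168.88.0/24
#   -> the client has no route for 192.168.0.45, so the packet never enters wg0.
# Fixed form: include the home LAN so the client routes it through the tunnel.
AllowedIPs = 192.168.88.0/24, 192.168.0.0/24
PersistentKeepalive = 25

# --- Raspberry Pi (WireGuard container, assumed to run with NET_ADMIN and
# --- host networking so it can forward to the LAN): wg0.conf ---
[Interface]
Address = 192.168.88.4/24
PrivateKey = <pi-private-key>
# LAN devices such as 192.168.0.45 have no route back to 192.168.88.0/24,
# so tunnel traffic is NATed onto the Pi's LAN address before it leaves eth0.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <vps-public-key>
Endpoint = vps.example.com:51820
# Accept packets whose source is any tunnel address (the client's 192.168.88.2).
AllowedIPs = 192.168.88.0/24
# The Pi sits behind a NAT that cannot be opened, so it must keep the
# VPS -> Pi mapping alive itself; 25 seconds is the value the WireGuard docs suggest.
PersistentKeepalive = 25
```

Two checks separate the two failure modes the reply describes. On the client, `ip route get 192.168.0.45` (Linux) should name `wg0` as the outgoing device; if it names the Wi-Fi or Ethernet interface instead, the client-side AllowedIPs is still missing the LAN prefix. On the VPS, `wg show wg0 allowed-ips` should list 192.168.0.0/24 under the Pi's public key; if it does not, the VPS has nowhere to send the packet even though the client delivered it. Pi-hole does not appear in either check, which is the point the reply makes: DNS only returns 192.168.0.45, it does not move packets there.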
