Troubleshoot *.nip.io

I’m attempting to use nip.io for some of my local rapid build/destroy labs.

I’ve come to notice that name resolution to local addresses is blocked by my current configuration (rebind protection?), but I’m not quite sure what the culprit is, whether it’s blocked by default or whether I’ve specifically blocked it in my config.

Can anyone shed light on what I need to do to have working nip.io name resolution again?

VyOS cloud-config user-data:
#cloud-config
ssh_authorized_keys:
  - ssh-rsa AAAAB3Nz..truncated..x8yI8KlVt2U= admin@mprcs
vyos_config_commands:
  - configure
  - set firewall all-ping 'enable'
  - set firewall syn-cookies 'enable'
  - set firewall config-trap 'disable'
  - set firewall log-martians 'enable'
  - set firewall ip-src-route 'disable'
  - set firewall send-redirects 'enable'
  - set firewall broadcast-ping 'disable'
  - set firewall ipv6-src-route 'disable'
  - set firewall source-validation 'disable'
  - set firewall receive-redirects 'disable'
  - set firewall ipv6-receive-redirects 'disable'
  - set firewall twa-hazards-protection 'disable'
  - set firewall name OUTSIDE-IN default-action 'drop'
  - set firewall name OUTSIDE-IN rule 10 action 'accept'
  - set firewall name OUTSIDE-IN rule 10 state established 'enable'
  - set firewall name OUTSIDE-IN rule 10 state related 'enable'
  - set firewall name OUTSIDE-LOCAL default-action 'drop'
  - set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
  - set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
  - set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
  - set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
  - set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
  - set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
  - set firewall name WAN-IN default-action 'drop'
  - set firewall name WAN-IN rule 10 action 'accept'
  - set firewall name WAN-IN rule 10 state established 'enable'
  - set firewall name WAN-IN rule 10 state related 'enable'
  - set firewall name WAN-LOCAL default-action 'drop'
  - set firewall name WAN-LOCAL rule 10 action 'accept'
  - set firewall name WAN-LOCAL rule 10 state established 'enable'
  - set firewall name WAN-LOCAL rule 10 state related 'enable'
  - set firewall name WAN-LOCAL rule 20 action 'accept'
  - set firewall name WAN-LOCAL rule 20 icmp type-name 'echo-request'
  - set firewall name WAN-LOCAL rule 20 protocol 'icmp'
  - set firewall name WAN-LOCAL rule 20 state new 'enable'
  - set firewall name WAN-LOCAL rule 30 action 'drop'
  - set firewall name WAN-LOCAL rule 30 destination port '2222'
  - set firewall name WAN-LOCAL rule 30 protocol 'tcp'
  - set firewall name WAN-LOCAL rule 30 recent count '4'
  - set firewall name WAN-LOCAL rule 30 recent time '60'
  - set firewall name WAN-LOCAL rule 30 state new 'enable'
  - set firewall name WAN-LOCAL rule 31 action 'accept'
  - set firewall name WAN-LOCAL rule 31 destination port '2222'
  - set firewall name WAN-LOCAL rule 31 protocol 'tcp'
  - set firewall name WAN-LOCAL rule 31 state new 'enable'
  - set interfaces ethernet eth0 address 'dhcp'
  - set interfaces ethernet eth0 address 'dhcpv6'
  - set interfaces ethernet eth0 description 'WAN'
  - set interfaces ethernet eth0 firewall in name 'WAN-IN'
  - set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'
  - set interfaces ethernet eth1 address '192.168.1.1/16'
  - set interfaces ethernet eth1 description 'LAN'
  - set interfaces loopback lo
  - set nat source rule 100 outbound-interface 'eth0'
  - set nat source rule 100 translation address 'masquerade'
  - set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 default-router '192.168.1.1'
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 dns-server '192.168.1.1'
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 domain-name 'home.arpa'
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 lease '86400'
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.100'
  - set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.249'
  - set service dhcp-server hostfile-update
  - set service dns forwarding cache-size '1000'
  - set service dns forwarding allow-from '0.0.0.0/0'
  - set service dns forwarding listen-address '0.0.0.0'
  - set service dns forwarding name-server '1.1.1.1'
  - set service dns forwarding name-server '1.0.0.1'
  - set service dns forwarding name-server '8.8.8.8'
  - set service dns forwarding name-server '8.8.4.4'
  - set system name-server '127.0.0.1'
  - set service ssh client-keepalive-interval '180'
  - set service ssh listen-address '0.0.0.0'
  - set service ssh port '2222'
  - delete service ssh port '22'
  - set system config-management commit-revisions '100'
  - set system console device ttyS0 speed '9600'
  - set system host-name 'vyos'
  - set system domain-name 'home.arpa'
  - set system login user vyos authentication plaintext-password asdfqwer1234
  - set system login user vyos authentication public-keys vyos key 'AAAAB3NzaC..truncated..ox8yI8KlVt2U='
  - set system login user vyos authentication public-keys vyos type 'ssh-rsa'
  - set service ssh disable-password-authentication
  - set system ntp server 0.pool.ntp.org
  - set system ntp server 1.pool.ntp.org
  - set system ntp server 2.pool.ntp.org
  - set system syslog global facility all level 'notice'
  - set system syslog global facility protocols level 'debug'
  - commit
  - save

Or here it is in my gist.

Can you provide some examples?
This is me querying my VyOS 1.3.1 router for nip.io

{16:14}~ ➭ dig +short @192.168.0.1 10.0.0.1.nip.io
10.0.0.1

When you say local addresses, do you mean RFC1918 or something else?

What version of VyOS?

Ah, good question. I mean it will not let me resolve 127.0.0.1, and VyOS 1.3

Can you provide some examples of the problem?

{6:13}~ ➭ dig +short @192.168.0.1 127.0.0.1.nip.io
127.0.0.1

I still can’t reproduce the problem.

This is what I got. Maybe I’m jumping to conclusions and I just don’t know what to troubleshoot next.

❯ dig +short @192.168.1.1 127.0.0.1.nip.io

❯ dig @192.168.1.1 127.0.0.1.nip.io

; <<>> DiG 9.10.6 <<>> @192.168.1.1 127.0.0.1.nip.io
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;127.0.0.1.nip.io.		IN	A

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Aug 24 11:18:16 PDT 2022
;; MSG SIZE  rcvd: 45

I think that the best way to debug the problem is by tracing the query. It is very easy.
Enable tracing for the required domain (hereafter commands are for 1.3):

sudo rec_control --config-dir=/run/powerdns/ --socket-dir=/run/powerdns/ trace-regex '127.0.0.1.nip.io'

Wipe cache for this domain:

sudo rec_control --config-dir=/run/powerdns/ --socket-dir=/run/powerdns/ wipe-cache '127.0.0.1.nip.io'

Then do the query as before:

dig @192.168.1.1 127.0.0.1.nip.io

Check the log for details:

sudo journalctl -n 1000 -b /usr/sbin/pdns_recursor

And do not forget to disable tracing after:

sudo rec_control --config-dir=/run/powerdns/ --socket-dir=/run/powerdns/ trace-regex ''

Most likely, you will see there an answer or a clear pointer to a place where it can be found.

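Added example (not code from the thread, from VyOS or from PowerDNS): a POSIX shell script that turns the two things discussed above into repeatable checks. It probes a resolver with nip.io names across loopback, RFC1918 and a public range and classifies each reply, so the "NOERROR with ANSWER: 0" response in the post is distinguished from NXDOMAIN, SERVFAIL or a correct answer, and it wraps the rec_control trace procedure from the reply so the trace is always switched off afterwards. Assumptions, all hypothetical: RESOLVER defaults to the 192.168.1.1 from the post, PDNS_DIR is the 1.3 path quoted in the reply, the probe list and the two embedded dig transcripts are constructed for this example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from VyOS).
#   1. probe a resolver with nip.io names across loopback / RFC1918 / public
#      ranges and flag the "NOERROR but zero answers" reply shown in the post;
#   2. wrap the rec_control trace procedure from the reply so the trace is
#      always disabled again.
# Assumptions (hypothetical, adjust for your router): RESOLVER defaults to the
# 192.168.1.1 used in the post, PDNS_DIR is the 1.3 path from the reply, and the
# probe list is constructed for this example.

RESOLVER="${RESOLVER:-192.168.1.1}"
PDNS_DIR="/run/powerdns/"
PROBES="127.0.0.1.nip.io 10.0.0.1.nip.io 172.16.0.1.nip.io 192.168.1.1.nip.io 1.1.1.1.nip.io"

# nip.io encodes the answer in the name: strip the suffix (and a trailing dot).
expected_ip_from_nipio() {
    name=${1%.}
    printf '%s\n' "${name%.nip.io}"
}

# Read a full dig transcript on stdin and print one of:
#   answered:<ip>   an A record came back
#   empty:NOERROR   the resolver accepted the query but returned no record
#                   (the reply in the post)
#   nxdomain        the name does not exist
#   error:<status>  SERVFAIL, REFUSED, or no HEADER line at all
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" |
        sed -n 's/^;; ->>HEADER<<- opcode: QUERY, status: \([A-Z]*\),.*/\1/p')
    answers=$(printf '%s\n' "$out" |
        sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p')
    case "$status" in
        '')       printf 'error:no-response\n' ;;
        NXDOMAIN) printf 'nxdomain\n' ;;
        NOERROR)
            if [ "${answers:-0}" -gt 0 ]; then
                # answer lines look like: name. TTL IN A address
                ip=$(printf '%s\n' "$out" |
                    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5; exit }')
                printf 'answered:%s\n' "$ip"
            else
                printf 'empty:NOERROR\n'
            fi ;;
        *)        printf 'error:%s\n' "$status" ;;
    esac
}

# Query one name and compare the answer with what the name encodes.
probe_nipio() {
    name=$1
    want=$(expected_ip_from_nipio "$name")
    verdict=$(dig @"$RESOLVER" "$name" A | classify_dig_output)
    case "$verdict" in
        "answered:$want") printf '%-22s ok\n' "$name" ;;
        answered:*)       printf '%-22s mismatch (%s)\n' "$name" "${verdict#answered:}" ;;
        *)                printf '%-22s %s\n' "$name" "$verdict" ;;
    esac
}

# The trace procedure from the reply: enable trace, wipe cache, re-query,
# show matching recursor log lines, then disable the trace whatever happened.
trace_query() {
    name=$1
    rc="sudo rec_control --config-dir=$PDNS_DIR --socket-dir=$PDNS_DIR"
    $rc trace-regex "$name"
    $rc wipe-cache "$name"
    dig @"$RESOLVER" "$name" A | classify_dig_output || true
    sudo journalctl -n 1000 -b /usr/sbin/pdns_recursor | grep -F "$name" || true
    $rc trace-regex ''
}

# Constructed transcripts (trimmed dig output in the same shape as the post)
# so the classifier can be exercised offline.
EMPTY_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;127.0.0.1.nip.io.		IN	A
EOF
)
GOOD_REPLY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;10.0.0.1.nip.io.		IN	A
;; ANSWER SECTION:
10.0.0.1.nip.io.	60	IN	A	10.0.0.1
EOF
)

# Offline self-check first; live probes only when RUN_PROBES is set.
printf '%s\n' "$EMPTY_REPLY" | classify_dig_output   # empty:NOERROR
printf '%s\n' "$GOOD_REPLY"  | classify_dig_output   # answered:10.0.0.1
if [ -n "$RUN_PROBES" ]; then
    for n in $PROBES; do probe_nipio "$n"; done
fi
```

Run it with `RUN_PROBES=1 sh probe.sh` from a LAN host to see which ranges come back `ok` and which come back `empty:NOERROR`; if only loopback or RFC1918 names are empty while `1.1.1.1.nip.io` is fine, the resolver is filtering by answer content rather than failing upstream, and `trace_query 127.0.0.1.nip.io` on the router shows where pdns_recursor makes that decision.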