Various DNS issues on v1.5-rolling-202309130022

Hi there,

Brand new on VyOS here.
It has so far been a complete love affair, you’ve built something that I like very much!

I set up VyOS 1.5-rolling-202309130022, and ran into a couple of issues. Note that I found out about my issues after I was done with my initial config, which implied bridging a number of my interfaces. I do not know if these issues existed out of the box, but I don’t see why bridging interfaces may have confused anything. And for added clarity, my eth0 WAN interface has not been touched.

My issues are:

  1. Partially solved: my DNS was unreachable from my LAN. I added a generic firewall rule for UDP and TCP 53, using the example given for SSH, without the timer block. It now responds on my LAN, but now port 53 is authorized on all interfaces.
  2. Although I added additional DNS Forwarding listeners with the “set service dns forwarding listen-address” command, my loopback interface does not serve DNS over ::1#53, or 127.0.0.1:53. In other words, my box cannot resolve DNS, but the clients can.

I get my DNS from DHCP, so unsure what is the issue here. In the quick start or some of the configuration doc I read, nobody makes mention of needing firewall rules to explicitly allow port 53, especially given that it’s for LAN clients.

Anything I’m missing here?

Thanks for any help or pointers!

What is it you are trying to do?

Personally I would avoid using DNS forwarding, better to just allow the destination straight from the client.

For example allow LAN to WAN 1.1.1.1:53 (UDP and TCP), source nat if needed.

Regarding localhost you probably need something like this added to your ruleset:

set firewall ipv4 input filter rule 999999 action 'accept'
set firewall ipv4 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv4 input filter rule 999999 source address '127.0.0.0/8'

set firewall ipv4 output filter rule 999999 action 'accept'
set firewall ipv4 output filter rule 999999 destination address '127.0.0.0/8'
set firewall ipv4 output filter rule 999999 outbound-interface interface-name 'lo'

set firewall ipv6 input filter rule 999999 action 'accept'
set firewall ipv6 input filter rule 999999 inbound-interface interface-name 'lo'
set firewall ipv6 input filter rule 999999 source address '::1/128'

set firewall ipv6 output filter rule 999999 action 'accept'
set firewall ipv6 output filter rule 999999 destination address '::1/128'
set firewall ipv6 output filter rule 999999 outbound-interface interface-name 'lo'
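To tie the two points together, here is an added configuration example (not part of either post above) showing how the same rule syntax can scope the forwarder and port 53 to the LAN side only, so LAN clients and the router itself can resolve without accepting DNS on every interface. It assumes br0 is the LAN bridge with address 192.168.1.1 and 192.168.1.0/24 as the LAN subnet (both constructed for this example); eth0 stays untouched as in the original post, and 1.1.1.1 is the upstream suggested above.

```vyos
# Assumed LAN bridge br0 / subnet 192.168.1.0/24 (constructed for this example)
# The forwarder listens only on the LAN address and loopback, and answers only LAN clients
set service dns forwarding listen-address '192.168.1.1'
set service dns forwarding listen-address '127.0.0.1'
set service dns forwarding allow-from '192.168.1.0/24'
set service dns forwarding name-server '1.1.1.1'

# The router's own lookups go through its forwarder on loopback
set system name-server '127.0.0.1'

# Accept DNS to the router only when it arrives on the LAN bridge (not on eth0)
set firewall ipv4 input filter rule 100 action 'accept'
set firewall ipv4 input filter rule 100 inbound-interface interface-name 'br0'
set firewall ipv4 input filter rule 100 protocol 'tcp_udp'
set firewall ipv4 input filter rule 100 destination port '53'

# Loopback traffic in both directions, needed for the router's queries to 127.0.0.1
set firewall ipv4 input filter rule 110 action 'accept'
set firewall ipv4 input filter rule 110 inbound-interface interface-name 'lo'
set firewall ipv4 output filter rule 110 action 'accept'
set firewall ipv4 output filter rule 110 outbound-interface interface-name 'lo'

# With a drop default, port 53 on eth0 is never answered; every other service you
# need on the router (for example the SSH rule already present) must have its own accept rule
set firewall ipv4 input filter default-action 'drop'
```

The IPv6 side follows the same pattern with `set firewall ipv6 input filter ...`, a `::1` listen-address and the `::1/128` loopback rules shown in the reply above. After committing, a lookup from a LAN client and one from the router console should both succeed, while the same query sent to the WAN address of eth0 should time out.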

First off, that is a thorough reply, one of the best welcomes I’ve had! Thanks :slight_smile:

What I’m trying to do is pretty simple, staging my set up as I get acquainted with VyOS. DNS Forwarding sounded like the recommended approach, and I was surprised it didn’t automagically work. Then, DNS lookup failing on the VyOS host itself is troublesome. Slow ssh connections for reverse lookups, unable to use internet resources, repos and such.

I’m trying to stick to best practices until I get a good handle on things and play Router Ninja!

Keeping DNS internal can also help further down the line for captive portals, but I agree with your 1.1.1.1 approach totally.

Will try your firewall rules, thanks a million for that as well. Super appreciated.

Cheers!

Glad to be able to help :slight_smile:

You can configure which DNS-server(s) VyOS itself will be using with:

set system name-server '1.1.1.1'
set system name-server '1.0.0.1'

where you can mix with IPv6 as well.

Note however that the name-server config in VyOS is currently lacking VRF-capabilities as described in:

https://vyos.dev/T5371

That is, the name-server will be blindly used in whatever vrf you are currently in.

For example if you have configured vrf INTERNET and MGMT (and nothing on default) and you have above name-servers set (1.1.1.1 and 1.0.0.1) then when being in console (or through SSH) you must do this:

force vrf INTERNET
ping ping.sunet.se
exit

before for example ping or system update works.

Another workaround (especially when scripting) is to use sudo ip vrf exec INTERNET ping ping.sunet.se.

Here is an example of how I have a /config/custom/config_backup.sh to perform manual backups:

#!/bin/sh

# Script debugging
#set -x

# Set variables
NOW=$(date +"%y%m%d_%H%M")
SRCFILE=/config/config.boot
DSTFILE=/home/username/vyos/config_${NOW}.boot
USER=username
SERVER=192.0.2.1
VRF=INTERNET

# Perform stuff
ip vrf exec ${VRF} scp ${SRCFILE} ${USER}@${SERVER}:${DSTFILE}