DNS & reverse proxy problem - DNS lookup fails sometimes
-
Relative beginner question here - I set up an NGINX reverse proxy at home to avoid insecure SSL messages in the browser when visiting sites inside my LAN. This uses Lets Encrypt, Duck DNS and NGINX in a docker container, the instructions I followed are here and basically it works fine. Usually I can go to
mysite.mydomain.duckdns.org
sites which are hosted inside the LAN and the certificate is valid, browser happy.The duckdns.org entry for
mydomain
points to 10.0.0.5, where NGINX is running. The SSL certificate in NGINX is provided by Lets Encrypt using a DNS challenge, also valid. The setup is basically sound, usually it works fine.Except sporadically the sites don't load and Chrome gives a
DNS_PROBE_FINISHED_NXDOMAIN
when using themysite.mydomain.duckdns.org
address, all load fine given their IP address:port directly. Something odd is happening because this also happens:nslookup duckdns.org ;; connection timed out; no servers could be reached
Sometimes that works, but lookups for any other site work all the time. In pfSense I have DNS servers set up as 1.1.1.1, 8.8.8.8, 208.67.222.222 and 2620:119:35::35. Most other settings are completely vanilla except in the DNS Resolver -
server:
private-domain: "mydomain.duckdns.org"
server:include: /var/unbound/pfb_dnsbl.*conf
Can anyone help me figure out what it going on?
-
johnpoz (LAYER 8, Global Moderator), Jun 25, 2024, 11:33 AM, last edited by johnpoz Jun 25, 2024, 11:34 AM
@charry2014 said in DNS & reverse proxy problem - DNS lookup fails sometimes:
The duckdns.org entry for mydomain points to 10.0.0.5
It is normally not a good idea to put an RFC 1918 address in public DNS.
Your first error there is you can't even look up duckdns.org though..
Why would you not just create a host override for mydomain.duckdns.org so any local resources asking unbound would just get returned your local IP?
So you set up unbound to forward to those IPs.. one problem I can see with that is Google and Cloudflare are not real filtering DNS - while that 222.222 is OpenDNS, is it not - which is a filtering NS.. Not a good idea to mix NS like that where they could provide different answers or no answers vs an answer because of filtering. Because you can never really be sure which of those NS unbound is actually going to ask.
Also if you're forwarding, you should make sure you turn off DNSSEC in unbound or you're going to have a problematic experience.
-
Thank you, that was really helpful. I disabled DNSSEC in the DNS Resolver, and changed the DNS servers in Setup - General to be just Cloudflare IPv4 and IPv6 -
1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
The connections are a lot snappier now, even using duckdns.org as a DNS. So far this seems to have resolved the problems. Easy when you know how.
Going back to your suggestion of a domain override for mydomain.duckdns.org - I tried this out returning the IP of the NGINX proxy and it works (no surprise, I guess) which means that the only thing that duckdns is really needed for is issuing the certificate. The rest is purely local. Nice.
Thank you again.
-
@charry2014 yeah you don't need public DNS to resolve RFC 1918.. and to get a cert can all be just done with a DNS record where it sets a TXT record with a number, and validates that record matches, proving you own the domain..
You know you can just use HAProxy if you wanted in pfSense for doing your SSL offload.. No need to set up another something running an nginx proxy. Can just be done on pfSense, and with the ACME package it can get and renew your certs, and HAProxy can be set to use those certs.. So it is all auto, update and HAProxy using the new updated cert.
I do it for a couple of sites I run that are available publicly - but I can also access that way with the public IP that is on my WAN and HAProxy sees oh hey you're looking for something.mydomain.tld - and sends it to my service internally that doesn't support SSL stuff..
-
HAProxy is an addon, right? I will have a look at that. This pfSense instance already has the ACME package and has its own certificate so it is a proper https site, which is nice.
-
OK - so I celebrated too soon. There are weird, sporadic dropouts of the DNS resolution of duckdns.org. Why this would be special to this site, I have no idea; as far as I can think there is no special handling of this site in particular, beyond the mydomain.duckdns.org custom option listed above. All other sites seem to work just fine.
Between each nslookup is about 20 seconds...
~ nslookup duckdns.org
Server:         10.0.0.1
Address:        10.0.0.1#53

Non-authoritative answer:
Name:   duckdns.org
Address: 15.156.222.126

➜ ~ nslookup duckdns.org
Server:         2a00:6020:... ipv6 address
Address:        2a00:6020:... ipv6 address#53

Non-authoritative answer:
Name:   duckdns.org
Address: 15.156.222.126
repeated 3x in a couple of minutes, and then for no apparent reason...
➜ ~ nslookup duckdns.org
;; connection timed out; no servers could be reached
➜ ~ nslookup duckdns.org
;; connection timed out; no servers could be reached
➜ ~ nslookup duckdns.org
;; connection timed out; no servers could be reached
As a workaround I will try HAProxy as @johnpoz suggests, but I am quite unhappy to leave something like this unresolved. Any ideas?
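The nslookup output above only shows that the query to 10.0.0.1 timed out; it does not say whether unbound itself stalled or whether one of the upstream forwarders it chose (johnpoz's point about mixed forwarders answering differently or not at all) was the one that failed. The script below is an added diagnostic example, not code from this thread or from pfSense/unbound: it sends the same A query directly to the local resolver and to each Cloudflare forwarder named above, repeats it a few times, and reports per-server timeouts, worst latency and any disagreement between answers. It uses only the Python standard library with a minimal DNS wire-format encoder and parser. The SERVERS list (taken from this thread), the number of rounds and the pause between rounds are assumptions to adjust for your own setup.

```python
"""Probe the local resolver and each upstream forwarder for one name and
report timeouts, latency and disagreeing answers (standard library only)."""
import random
import socket
import struct
import time

# Constructed from the servers mentioned in this thread: pfSense/unbound
# first, then the Cloudflare forwarders.  Replace with your own.
SERVERS = ["10.0.0.1", "1.1.1.1", "1.0.0.1",
           "2606:4700:4700::1111", "2606:4700:4700::1001"]

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A, txid=None):
    """Encode a standard recursive (RD=1) query for `name`, class IN."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:                          # refuse pointer loops
                raise ValueError("compression pointer loop")
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def parse_response(msg, expected_txid):
    """Return {'rcode': int, 'addresses': [...]} from the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                       # skip echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                                # qtype + qclass
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rdlength == 4:
            addresses.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlength == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x000F, "addresses": sorted(addresses)}


def query(server, name, timeout=2.0):
    """Send one UDP query to `server`; return (parsed-or-None, seconds taken)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data, txid), time.monotonic() - start
    except (OSError, ValueError):    # socket.timeout is an OSError subclass
        return None, time.monotonic() - start
    finally:
        sock.close()


def probe(servers, name, rounds=5, pause=1.0):
    """Query every server `rounds` times; summarise timeouts and answers."""
    summary = {s: {"timeouts": 0, "answers": set(), "worst_ms": 0.0}
               for s in servers}
    for _ in range(rounds):
        for server in servers:
            result, elapsed = query(server, name)
            entry = summary[server]
            entry["worst_ms"] = max(entry["worst_ms"], elapsed * 1000)
            if result is None:
                entry["timeouts"] += 1
            else:
                entry["answers"].add((result["rcode"], tuple(result["addresses"])))
        time.sleep(pause)
    return summary


if __name__ == "__main__":
    for server, entry in probe(SERVERS, "duckdns.org").items():
        print(f"{server:>22}  timeouts={entry['timeouts']}  "
              f"worst={entry['worst_ms']:.0f}ms  answers={sorted(entry['answers'])}")
```

Reading the output: timeouts against 10.0.0.1 while every upstream answers promptly point at unbound (or the path to it) rather than at the forwarders; timeouts or a different rcode from just one upstream point at that forwarder, which is the mixed-forwarder behaviour described earlier in the thread; more than one distinct entry in a server's `answers` set over the run means that server itself is not answering consistently.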