DNS port forwarding when using lxdbr0

I have switched my containers to use lxdbr0, created a new subnet for my containers and I am reaching the containers from LAN thanks to port forwarding:

Example profile:

config:
description: ""
devices:
  eth0:
    ipv4.address: 10.0.1.2
    name: eth0
    network: lxdbr0
    type: nic
  proxy443:
    listen: tcp:0.0.0.0:<port>
    connect: tcp:127.0.0.1:443
    type: proxy
name: web
used_by: []

I’m very happy with this setup, but I bumped into an issue when trying to get the DNS container to work (using AdGuard Home as DNS). When I try to do port forwarding for port 53, I get an error saying that the address is already in use.

I can see that dnsmasq is using port 53 as user lxd:

root@rpi4-20210210:~# lsof -i :53
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 7481  lxd    6u  IPv4  27696      0t0  UDP 10.0.1.1:domain
dnsmasq 7481  lxd    7u  IPv4  27697      0t0  TCP 10.0.1.1:domain (LISTEN)

I also found this on this forum, which seems to help me, but it is a bit overwhelming and I would like to see if there is an “lxd way” to forward port 53.

I’m kinda at a loss here, not sure what is happening. I kindly ask for someone to guide me on how to forward port 53 from host to one of my containers running a dns service.

LXD provides a DHCP and DNS server listening on the lxdbr0 interface in the form of dnsmasq.
So this listens on port 53 of the lxdbr0 interface’s IP.

Your proxy device is being configured to listen on the wildcard address (0.0.0.0) on the host.
This means it will try and listen on all IPs on all interfaces of the host.

This will conflict with the LXD dnsmasq process as you have found.

You should change listen: tcp:0.0.0.0:<port> to the specific listen IP you want, which is probably the IP address of the LXD host’s external interface that connects to the wider LAN.
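The conflict rule above (same protocol and port collide when either side is a wildcard or both use the same address), as an added example that is not from the thread or from LXD itself; it parses `ss -H -lntu` output and ships with a constructed sample so it runs offline:

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from LXD): decide whether a proxy
# device "listen" spec would collide with a socket already bound on the
# host, e.g. LXD's dnsmasq on the lxdbr0 address. Rule: same protocol and
# port conflict when either side is a wildcard or both use the same address.
# Parses `ss -H -lntu` lines (Netid State Recv-Q Send-Q Local Peer).

# Constructed sample of `ss -H -lntu` on the LXD host: dnsmasq bound to the
# lxdbr0 IP, sshd on the IPv4 wildcard, and an existing proxy on the LAN IP.
SAMPLE_SS='udp UNCONN 0 0 10.0.1.1:53 0.0.0.0:*
tcp LISTEN 0 32 10.0.1.1:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 192.168.1.158:443 0.0.0.0:*'

is_wildcard() {
    case $1 in 0.0.0.0|'*'|'[::]') return 0 ;; *) return 1 ;; esac
}

# listen_conflicts PROTO:ADDR:PORT [ss-output]
# Prints each colliding socket; returns 0 if a conflict exists, 1 if free.
# Without a second argument it inspects the live host with ss(8).
listen_conflicts() {
    spec=$1
    ss_out=${2:-$(ss -H -lntu 2>/dev/null)}
    proto=${spec%%:*}; rest=${spec#*:}
    addr=${rest%:*}; port=${rest##*:}
    found=1
    while read -r netid _ _ _ laddrport _; do
        [ "$netid" = "$proto" ] || continue
        laddr=${laddrport%:*}; lport=${laddrport##*:}
        [ "$lport" = "$port" ] || continue
        if is_wildcard "$addr" || is_wildcard "$laddr" || [ "$laddr" = "$addr" ]; then
            echo "conflict: $spec vs bound $netid $laddrport"
            found=0
        fi
    done <<EOF
$ss_out
EOF
    return $found
}

# The thread's scenario: the wildcard collides with dnsmasq, the LAN IP is free.
listen_conflicts tcp:0.0.0.0:53 "$SAMPLE_SS" && echo "pick a specific listen IP"
listen_conflicts tcp:192.168.1.158:53 "$SAMPLE_SS" || echo "tcp:192.168.1.158:53 is free"
```

Run it without the second argument on the LXD host to check a spec against the real socket table before adding the proxy device.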

Thank you for your explanation @tomp!

Sorry @tomp for coming back to this later, but only now I could continue working on this, and still something is wonky.

I have added a proxy device as mentioned, so now it looks something like this:

...
devices:
  proxy53:
    connect: udp:127.0.0.1:53
    listen: udp:192.168.1.158:53
    type: proxy
  proxy53TCP:
    connect: tcp:127.0.0.1:53
    listen: tcp:192.168.1.158:53
    type: proxy
...

I have added the UDP part during my testing. So far I had no success and couldn’t see that my DNS in LXC is working.

This is my /etc/resolv.conf:

# Generated by NetworkManager
nameserver 10.0.2.0
nameserver 192.168.1.158
nameserver 212.56.129.228

I would like to mention also that in this same container I have WireGuard installed. For this I have added another proxy device, like so:

...
  proxy51820:
    connect: udp:127.0.0.1:51820
    listen: udp:0.0.0.0:51820
    type: proxy
...

The client’s requests are able to go through the DNS if it’s connected to the WireGuard Client VPN.

My last issue is to get devices on my LAN that are not connected to the VPN, to go through the DNS.

I would be really grateful if you can provide me with more guidance to solve this!

Sorry I realize some requests are actually working but weirdly enough not all, I need to investigate this further.

It seems fine now :slight_smile:

I made sure to have the right ports forwarded like so:

  • 53:53/tcp ← listens on host IP
  • 53:53/udp ← listens on host IP
  • 784:784/udp ← listens on 0.0.0.0
  • 853:853/tcp ← listens on 0.0.0.0
  • 3000:3000/tcp ← listens on 0.0.0.0
  • 80:80/tcp ← listens on 0.0.0.0
  • 443:443/tcp ← listens on 0.0.0.0

Found it a bit weird though that it took some time for the whole thing to become stable, especially with my defined DNS rewrites. But after a coffee things look good, and hopefully they stay that way :slight_smile:

One thing which I find suspicious and would like to share is that when I run netstat -an | grep :53 in my DNS container I get loads and loads of ESTABLISHED udp activity.

root@net:~# netstat -an | grep :53
tcp6       0      0 :::53                   :::*                    LISTEN
udp        0      0 127.0.0.1:46823         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38632         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34543         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:55032         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46844         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59133         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:50943         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59148         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34578         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38676         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34589         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59170         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34594         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:50979         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34604         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46903         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42807         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42809         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34633         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59218         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:51027         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34644         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42850         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42854         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46953         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34665         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46964         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59252         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:55158         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46975         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59265         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42890         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42891         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46998         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:46999         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:47008         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:55201         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38833         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:51122         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34742         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59319         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42938         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59333         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:55241         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38859         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42958         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:55247         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42965         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:51164         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38877         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:42991         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59378         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59384         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:43002         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38906         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59392         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:43032         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38937         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:51236         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59430         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38952         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:43057         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:38970         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:34875         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:47170         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59459         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:59463         127.0.0.1:53            ESTABLISHED
...

Is this something I should worry about?

Not stable nope :cry:

And I’m not sure how to debug this, would appreciate any suggestions.

I just want to note that the same service works with no issues when the client is connected to the VPN (port 51820 forwarded on my router too), and the same service also worked when it was using a bridged network and had its own IP in my LAN.

Where are these settings applied, where do those addresses come from?

Hello @tomp! I have reinstalled the container from scratch and I don’t have the issue anymore. Hence I am assuming that, as you advised, listening on the specific host IP for my container port forward did the trick.

As per your last question, I have updated the DNS IPs like so:

# Generated by NetworkManager
nameserver 192.168.1.158
nameserver 10.0.2.0

I removed the DNS IP provided by my ISP. 192.168.1.158 is the IP of my host running the DNS container and 10.0.2.0 is my WireGuard DNS IP; these are configured in my router.

Seems like it is very stable so far!

Thank you once again for your assistance!