• 1 Post
  • 14 Comments
Joined 1 year ago
Cake day: July 1st, 2023

  • fendrax@jlai.lu (OP) to Selfhosted@lemmy.world, in "Running DNS server in Docker" · 7 months ago

    I had a quick look at resolv.conf’s manpage on Debian and I think @daddy32@lemmy.world’s suggestion of adding a second nameserver would actually work:

    nameserver Name server IP address
        Internet address of a name server that the resolver should query, either an IPv4 address (in dot notation), or an IPv6 address in colon (and possibly dot) notation as per RFC 2373. Up to MAXNS (currently 3, see <resolv.h>) name servers may be listed, one per keyword. If there are multiple servers, the resolver library queries them in the order listed. If no nameserver entries are present, the default is to use the name server on the local machine. (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.)
    

    According to the doc, the resolver will try each name server in order until one is successful.
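A small model of the fallback algorithm quoted above, added here as an illustration and not taken from the post: it parses a resolv.conf (including the `options` line) and walks the nameservers in order, moving to the next on timeout and repeating for `attempts` rounds. The addresses and the resolv.conf text are constructed, and the outage is simulated by a query callback that returns `None` on timeout.

```python
"""Model of the nameserver fallback that resolv.conf(5) describes: try servers in
order, move to the next on timeout, repeat for `attempts` rounds."""

MAXNS = 3  # resolv.conf(5): only the first three nameserver entries are used

def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text; comments are ignored."""
    nameservers = []
    options = {"timeout": 5, "attempts": 2, "ndots": 1}  # glibc defaults
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args and len(nameservers) < MAXNS:
            nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                if name in options and value.isdigit():
                    options[name] = int(value)
    return nameservers, options

def resolve(nameservers, attempts, timeout, query):
    """query(server) returns an answer (NXDOMAIN counts as one) or None on timeout.
    Returns (answer, servers_tried, seconds_spent_waiting_on_timeouts)."""
    tried, waited = [], 0
    for _ in range(attempts):
        for ns in nameservers:
            tried.append(ns)
            answer = query(ns)
            if answer is not None:
                return answer, tried, waited
            waited += timeout  # a timed-out server costs a full timeout before moving on
    return None, tried, waited

# Constructed values (RFC 5737 documentation ranges); not taken from the thread.
PIHOLE, ISP = "192.0.2.53", "192.0.2.1"
EXAMPLE_CONF = f"nameserver {PIHOLE}\nnameserver {ISP}\noptions timeout:2 attempts:2\n"

def lookup(name, pihole_up):
    """Resolve `name` with EXAMPLE_CONF, optionally simulating a Pi-hole outage."""
    servers, opts = parse_resolv_conf(EXAMPLE_CONF)
    def query(ns):
        if ns == PIHOLE:
            if not pihole_up:
                return None  # timeout: the Pi-hole host/container is down
            return "10.0.0.5" if name.endswith(".lan") else "203.0.113.10"
        # The ISP resolver knows nothing about the LAN: a definite NXDOMAIN, no retry
        return "NXDOMAIN" if name.endswith(".lan") else "203.0.113.10"
    return resolve(servers, opts["attempts"], opts["timeout"], query)
```

With Pi-hole down, a public name still resolves through the second entry after one `timeout` of waiting, while a local name gets an immediate NXDOMAIN from the ISP resolver, which is the latency and the local-name failure discussed later in the thread.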


  • fendrax@jlai.lu (OP) to Selfhosted@lemmy.world, in "Running DNS server in Docker" · edited · 7 months ago

    Sorry, I was unclear: I use dnsmasq as single source of truth. In its DHCP config, I set machine names, routes and all. And it is because this dnsmasq is the DHCP server that it knows how to translate the names of the devices it configured. Pi-hole forwards all DNS requests to dnsmasq. Now if I use two instances of dnsmasq, only one can be a DHCP server and the other won’t know how to resolve local names, unless it uses the first dnsmasq as upstream. But in scenarios where this first dnsmasq instance is down, we are back to square one.


  • My goodness, that’s some impressive responsiveness ^^

    I guess I see your point. But then the problem shifts to the upstream dnsmasq instance which acts as DHCP + DNS for the local devices. This is the server ultimately able to translate local names.

    I don’t think it’s doable to have two instances of dnsmasq that are able to translate local names interchangeably. That would require two DHCPs to have authority on the network. But I’m no expert so I may be missing something obvious.


  • For some reason, I am only seeing this comment thread now, so sorry for the late response.

    Thanks for those valuable details. But I am still a bit confused. I understand why you are saying that Pi-hole should be the only DNS server handling requests sent by LAN devices (including the machine hosting the DNS). That’s because it is the only one which can resolve local names (well, it’s actually its upstream dnsmasq running as a sibling container that does that, but that’s a minor detail).

    But then you say there should be another DNS server to solve my problem. If I put two server entries in /etc/resolv.conf, one being Pi-hole and the other my ISP’s DNS, the two of them will be randomly picked by DNS clients. When the ISP’s is used, it will fail to translate local names. I guess there is a way to let the client try the other server after a failure but it will add some undesirable latency.

    Sorry if I misunderstood your point but after reading the first comments I was quite convinced by the idea of adding a second nameserver entry in /etc/resolv.conf. Your explanations convinced me otherwise and now I have the impression that I can’t really solve my initial problem in a reliable way.


  • Well, I have not really thought about why. I guess that’s partly due to old habits of running services on the host with systemd (my migration to docker is recent and still a work in progress). But I guess I’d like to continue to be able to resolve names of local devices on my network when connected through ssh on the host. Is that inherently wrong, still? I will implement the secondary DNS as a fallback. I am hoping to get rid of the issue that way.


  • fendrax@jlai.lu (OP) to Selfhosted@lemmy.world, in "Running DNS server in Docker" · edited · 7 months ago

    Yes, others have suggested something similar. I’ll do that first because it is easy. Monitoring-wise, I should already be covered, but since Prometheus is running on the same server, it was down during the outage. There is room for improvement, for sure! I have a couple of RPis on my network that I can leverage for better monitoring.


  • Your suggestion looks similar to this other comment and makes sense. I’ll try that!

    I have never managed to wrap my head around DoH and DoT but this is on my todo list ^^

    I didn’t know dnsmasq has an adblock plugin, I’ll have a look. Originally, I was using dnsmasq alone (running on bare metal). Then I migrated to docker and added pi-hole for ad blocking. I tried to get rid of dnsmasq but pi-hole’s embedded DHCP is not as configurable as dnsmasq’s and I could not address my use case.

    Thanks a lot for your time!

  • Yeah, that was my plan B. To be honest, I was not super confident that it would work when I put this setup together, because of the “host uses a container as DNS and docker uses the host as DNS” kind of circular dependency.

    But people do use docker for DNS servers so it has to work, right? That’s where I’d like to understand where I’m wrong. I’m fine with running Pi-hole and dnsmasq on the host as long as I get why this is not doable in docker.

    Thanks for your input, though. That’s helpful.


  • In both the pi-hole (exposed on the host) and dnsmasq (used as upstream by pi-hole) containers:

    # Generated by Docker Engine.
    # This file can be edited; Docker Engine will not make further changes once it
    # has been modified.

    nameserver 127.0.0.11
    options ndots:0

    # Based on host file: '/etc/resolv.conf' (internal resolver)
    # ExtServers: [host(127.0.0.1)]
    # Overrides: []
    # Option ndots from: internal


    So they are pointing to docker’s embedded DNS, itself forwarding to the host.


  • I know for a fact that the FP2 is quite thick and bulky and often gives a bad first impression to people from an aesthetics point of view. Personally, that has never been an issue for me but that’s a matter of taste.

    Anyway, I believe that anyone buying a Fairphone should do it for a reason and not like they would buy another regular product. I wrote in this other thread (in French, unfortunately) that buying a Fairphone is like buying a compromise between fairness, repairability, environmental concerns, aesthetics and technical performance. There have always been loads of reasons for people to complain about Fairphones. Either they are ugly & too massive, or outdated, or expensive; the list goes on. While those complaints can be true, one has to keep in mind that improving on one aspect (making a thinner phone, for example) has direct consequences on the others (like, a thinner phone is probably more difficult to make modular, so either more pricey or less reliable). Someone replied that rather than being a purchase of a tradeoff, it is a purchase of another type of innovation. Instead of being technical innovation, it is social and environmental innovation. I kind of like that way of approaching it as well.

    Also, I pointed out that there is no doubt that giants in the smartphone business would make fantastic ethical and repairable phones if they ever wanted to. Only they would have the ability to propose a series of models which would fulfill anyone’s needs. But hey, they don’t seem to care, do they? In the meantime, I am willing to support the only tiny actor in the field that is striving to at least try with their unique model.


    I have had a FP2 for 6.5 years and I’m pretty happy with it. It is still mostly functional but I’m having issues with the bottom mic. As I don’t make phone calls so often, it is not too big of a deal for me to use my Bluetooth headphones when I do. But I know that getting spare parts for FP2 has become very difficult now, so if the USB plug breaks down it will probably be game over this time.

    Anyway, I repaired it a few times, either with new replacement parts I bought from the Fairphone shop or ones I traded on the community forum. Bottom module, screen and even motherboard.

    I have had a premium experience with their tech support, also. When I purchased another used FP2 on the community forum for a family relative, it happened to arrive with a broken bottom module. Mic was not working. As this part was already sold out at that time and I could not find any on the aftermarket forum, I reached out to Fairphone to kindly ask if they would agree to sell me one, as they were claiming to keep a few of them in store to fulfill their legal requirements in terms of warranty and stuff (not sure any FP2 was still covered by a warranty at that time, but this was what was stated on their shop). To my biggest surprise, after reading my begging, they offered to send me a refurbished module free of charge. And when I asked if I could buy a battery at the same time to avoid having a separate parcel shipped for that, they just slipped a free battery along with the bottom module. Free of charge. I had never had such an amazing experience with any customer service before.

    I’m running LineageOS and I’m happy with it. In terms of software updates, Fairphone went beyond their initial promise and it has been only recently that they dropped support for FP2.

    When my FP2 dies, I’ll consider buying a FP5 and I’m happy to have this option. But for now, I’m just hoping it can last for another few months!