Proxmox DNS issues

I have a proxmox host with several VMs and I have this odd issue with DNS. I am unable to resolve or use any other DNS providers besides a (local) gateway listed address. This location is my in-laws' house on residential internet. Things I have tried:
Ping 1.1.1.1 :: success, this works
Ping 192.168.50.3 :: success (local DNS server)
dig google.com @1.1.1.1 :: failure, connection timed out
dig google.com @192.168.50.3 :: failure, connection timed out
dig google.com @192.168.50.1 :: success (local gateway address)

This is the same story across VMs/LXC/Host OS. This puzzles me because all the settings in resolv.conf are good to go, routing works, and I am able to access websites (curl -I) from the terminal. The other solutions I am seeing are ISP blocking of port 53, but that wouldn't explain connection refused on my local DNS server, or that there is something wrong with my proxmox host and I need to reinstall (nuclear option). While a reinstall sucks, it wouldn't be bad with backups.

Any hints on places I might need to double check?

Need more detail for the setup. Is this location remote from the site you are trying to get to? Using a VPN tunnel or what? Where are you pinging from, location-wise?

ICMP may be allowed where port 53 isn’t depending on the setup. Hard to give advice without better background.

Thanks.

Could try nslookup

Start by typing “nslookup”
Which changes the prompt to a > sign

Then try google.com
And see if it resolves the lookup
Then type “server 1.1.1.1”
Then google.com see if it can resolve with another server?

(Then “exit” at the > prompt to exit)

This will just temporarily set the DNS to another provider. Could try with quad nines or quad eights in case one or the other is not working?

I doubt it will cache the DNS result, but it can't hurt to try differing hosts to look for, like ABC.com, BBC.com, MSNBC.com or whatever.

This is a remote location from mine. I am accessing the machine through tailscale. I am running those commands while logged in to the host machine; additionally I ran the same tests while logged into a VM on the host machine.

I have done the same thing with nslookup and I get the same results.

Edit: spell check

when I do dig with an @ it refuses.
without an @ it does a separate search.

did you mean you set the resolver to 1.1.1.1, and then did a dig google?
and the rest?

ping should also resolve hostnames, even if it uses the default 192… nameserver

can you ping google?

ohh, the 192.168.0.1 is the ISP supplied router/gateway?

could try DOH or DOT through the browser, then try ipleak.net (before & after) to see if the ISP is hijacking them?

edit, the machine is not local, so I can't use the browser to check.
you could still try pihole / stubby / unbound or similar with DOH / DOT?

Yea .0.1 is the ISP gateway.
Am I using dig and nslookup wrong? It works on my local laptop on arch and I thought that was how it was supposed to work per the man pages. Is there another way to try?

nah, I was just thrown by the @ after the dig. it doesn't work for me.
Also, I'm not getting anything right now from 1.1.1.1 or 8.8.8.8 but am from 9.9.9.10

ramblings
trooperish@A4-pve:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=30.9 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=30.0 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 29.966/30.415/30.864/0.449 ms

trooperish@A4-pve:~$ ping -c 2 google.com
PING google.com (172.217.21.174) 56(84) bytes of data.
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=1 ttl=120 time=29.6 ms
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=2 ttl=120 time=29.8 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 29.635/29.717/29.800/0.082 ms

trooperish@A4-pve:~$ dig google.com 1.1.1.1 | grep "google"
; <<>> DiG 9.16.42-Debian <<>> google.com 1.1.1.1
;google.com.			IN	A
google.com.		35	IN	A	172.217.21.174

trooperish@A4-pve:~$ dig google.com @1.1.1.1 | grep "google"
; <<>> DiG 9.16.42-Debian <<>> google.com @1.1.1.1

trooperish@A4-pve:~$ nslookup google.com
Server:		172.17.2.102
Address:	172.17.2.102#53

Non-authoritative answer:
Name:	google.com
Address: 142.250.74.142
Name:	google.com
Address: ::

trooperish@A4-pve:~$ nslookup
> server
Default server: 172.17.2.102
Address: 172.17.2.102#53
> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> google.com
;; connection timed out; no servers could be reached

> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> google.com
;; connection timed out; no servers could be reached

> server 9.9.9.10
Default server: 9.9.9.10
Address: 9.9.9.10#53
> ddg.gg
Server:		9.9.9.10
Address:	9.9.9.10#53

Non-authoritative answer:
Name:	ddg.gg
Address: 40.89.244.232
> google.com
Server:		9.9.9.10
Address:	9.9.9.10#53

Non-authoritative answer:
Name:	google.com
Address: 216.58.211.14
Name:	google.com
Address: 2a00:1450:400f:80d::200e
> 

I'm a bit "special" and have a pihole VM on proxmox, using DOH for resolution, so a local resolver is preferred (for me)

I kind of just presumed a local nameserver was desired, rather than the ISP box, so that was my faux pas…

I did try and dig with an @, but was puzzled, until I realised you changed the computer's nameserver to that, and then realised what was going on.

sorry for being a bit slow.

I had hoped that the nslookup tool might help, in case the ISP is filtering common DNS hosts, rather than traffic destined to port 53 (the DNS port),

whereas DOH uses the normal HTTPS port to get DNS, so it should not be filtered the same way.

so… I hoped nslookup was an easy way to test many servers quicker, instead of changing the host DNS and restarting systemd-resolved or dnsmasq or whatever needs to change to pick up the new server.

just my random question is all…

What is desired is to use my pihole containers for DNS resolution. This seems to have been an issue for a while, as I did not realize it was using tailscale servers as external DNS but using the pihole for local DNS resolution. Right now Pihole spits out an answer for locally resolved names but nothing else. The rest time out. I am gonna try and spin up a new pihole instance and see if that changes anything.

Ping works, but dns queries fail… And even logs local dns server querying fails, despite the ping working.

Check the Proxmox firewall config. Each VM has a firewall checkbox enabled by default under the NIC config in the VM configurations.

I thought that as well but they are disabled. This one is very strange. Since it works with dns resolution using my openwrt firewall vm, I’ll leave this in place for now and then reinstall from scratch soon to try again from there. This one has me beat. “It should just work”

I finally got over to the location where the server is stored and I am shocked. All DNS requests on this network that are not the gateway address or some address provided by the ISP are 100% blocked.

What shocks me even more is that requests are blocked even on my separated network inside proxmox. I have my VMs and containers assigned to a different Linux bridge that connects to the internet through an OpenWRT VM. In essence I should control everything on this side of the network. I don't know how these packets are getting dropped, but they are.

The only way I can get other DNS servers to work is to hide my traffic through my tailscale node (exit node option); then I am able to call individual DNS servers.

This network is nothing fancy at all, ISP provided centre old router/modem. Not a fancy packet inspecting tech stack. Maybe it’s a misconfiguration of the router? Not sure.

Edit: after setting my Pihole container to use my VPS as the exit node, and some additional flags to allow LAN access, resolution via Pihole is restored. Really not sure how this kit is doing this or why. Pretty aggressive solution I had to come up with to get it working.

From my initial look into it, unbound (in my setup) was being blocked from sending DNS queries to the internet, which in turn made Pihole connections time out. With Pihole routing all traffic out through my VPS, resolutions are working again.
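The pattern found above (the gateway answers on UDP/53 while every other resolver silently times out, even though ICMP to them works) can be checked from the host in one go instead of switching nslookup servers by hand. This is an added example, not code from the thread; it builds a raw RFC 1035 A query with the standard library only, and the gateway address and resolver list are assumptions taken from the thread.

```python
import random
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Recursive A/IN query for `name` in RFC 1035 wire format with a caller-chosen transaction id."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def check_reply(txid: int, wire: bytes) -> str:
    """Classify a reply as 'answer', 'rcode N', or 'bogus' (wrong id, or QR bit not set)."""
    if len(wire) < 12:
        return "bogus"
    rid, flags = struct.unpack(">HH", wire[:4])
    if rid != txid or not flags & 0x8000:
        return "bogus"
    rcode = flags & 0x000F
    return "answer" if rcode == 0 else f"rcode {rcode}"

def probe(resolver: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP/53 query; return 'answer', 'rcode N', 'timeout' or 'unreachable'."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (resolver, 53))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"        # silently dropped: the symptom seen in the thread
        except OSError:
            return "unreachable"    # e.g. ICMP port unreachable came back
    return check_reply(txid, reply)

def classify(results: dict, gateway: str) -> str:
    """Only the gateway answers and every other resolver times out -> port 53 is filtered upstream."""
    others = [v for r, v in results.items() if r != gateway]
    if results.get(gateway) == "answer" and others and all(v == "timeout" for v in others):
        return "filtered: only the gateway resolver is reachable on UDP/53"
    if results and all(v == "answer" for v in results.values()):
        return "open: every resolver answered"
    return "mixed: inspect the individual resolvers"

if __name__ == "__main__":
    GATEWAY = "192.168.50.1"  # assumed: the gateway address from the thread
    results = {r: probe(r) for r in (GATEWAY, "1.1.1.1", "8.8.8.8", "9.9.9.9")}
    for resolver, state in results.items():
        print(f"{resolver:>14}  {state}")
    print(classify(results, GATEWAY))
```

Run it once on the LAN and once with the tailscale exit node active; if the verdict flips from "filtered" to "open", the drop is happening between the host and the internet, not inside proxmox.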

Switch to a 0-trust network config. At one point, I was thinking of doing a whole wireguard network on the LAN and using the router for directing all the traffic, which is more inefficient compared to just sending it straight to the hosts on the same network, but nothing on the network itself would be able to snoop on the traffic. That’d mean that even the VMs, instead of communicating with each other, would have to go through your router, putting a lot of traffic into the router and proxmox net-int.