[SOLVED] How to resolve hostnames of SNAT from Proxmox node itself?

I

itsthejb

New Member
Jul 26, 2024
13
1
3
Hi everyone,

Relatively new Proxmox user, but loving it so far!

The majority of my services connected to a private SNAT as per the tutorial https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP. I can also access these hosts from the Proxmox node via their IP addresses. What I'd like to be able to do as a refinement is to also be able to access them from the node via their hostnames, albeit perhaps with some suffix?

For example:

- Hostname: `foobar` at IP address 10.0.0.100 (SNAT subnet 10.0.0.0/24)
- I can, for example, `ssh root@10.0.0.100` from the Proxmox node
- I'd like to be able to also `ssh root@foobar.<suffix>` from the Proxmox node

I suppose what I need is to be able to resolve the hostname from the `dnsmasq` process for the subnet, right? Currently I suppose it has the problem that it's only listening for the subnet

In any case, hope someone can help!

Thanks in advance
 
You can define a domain in the dnsmasq configuration like so (see [1] for more details as to whiy):

Code: 
/etc/dnsmasq.d/<zone>/20-dns-overrride.conf
domain=mydomain

If it's a vanilla PVE node you can then run your own local dnsmasq instance by reenabling the dnsmasq service and then configure it to proxy your actual DNS server, except for queries concerning the domains of your simple zone. Something like this:

Code: 
interface=lo
listen-address=127.0.0.1
bind-interfaces
server=/mydomain/<gateway_simple_zone>
server=<your_actual_dns>
no-resolv

After you have verified that this is actually working (use dig or drill to run some queries against 127.0.0.1 to check if it is actually working) you can then tell PVE to use your dnsmasq instance as DNS:

Code: 
$ cat /etc/resolv.conf
[...]
nameserver 127.0.0.1

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_dnsmasq_plugin
 
Great, thanks very much! I'll give it a try, but that certainly looks like what I'm looking for
 
Ok, I've been trying this out and it looks almost perfect. However, I then realised that setting a domain in 20-dns-overrride.conf then resulting in name resolution breaking for within the vnet. ie. foo can no longer resolve bar and vice versa. Adding the domain didn't help either; foo.private can't resolve bar.private. Commented that out and restarted my dnsmasq@private.service and things work again from inside the network. However, then I'm back to not being able to resolve from the node.

Any idea what might be going wrong there? Thanks in advance

EDIT: on reflection I assume the problem will be that I now need dns suffixes for all the hosts on the subnet, right? Currently I skipped this for convenience, but I assume now that need to be explicitly foo.private, bar.private etc, correct? Or can I shortcut this is the subnet config?
 
Last edited:
Following up, and marking solved. I had to add a bit more dnsmasq config to get it working exactly, and sharing here:

/etc/dnsmasq.d/<zone>/20-dns-overrride.conf:

Code: 
local=/<zone domain>/
domain=<zone domain>
domain-needed
bogus-priv
expand-hosts

I have a pretty shallow understanding of dnsmasq config, so that came from https://thinkingeek.com/2020/06/06/local-domain-and-dhcp-with-dnsmasq/. All seems to make sense. Only difference is not using no-resolve since I definitely want the zone to query upstream for non-private hosts. As per @shanreich's instructions, I'm using plain dnsmasq on the node itself, forwarding foo.<zone domain> queries to the zone gateway and the rest on to my normal dns server.

Seems to work great! Thanks very much @shanreich
 
  • Like
Reactions: shanreich
As a further follow-up, following these changes I then discovered that the couple of containers I have connected to vmbr0 weren't resolving because they were set to host. To fix this I set them explicitly to my lan (router) IP, which is the next DNS upstream after the loopback dnsmasq which I set up for this. I suppose it would be nice if they could also use the node dnsmasq, but it looks like I'd have the problem of the two instances wanting the same port, since the node instance currently only listens on loopback?

Again, stretching my knowledge here quite a bit, but if anyone can share how this might be possible it would be educational! Thanks!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom