Proxmox blocking DNS of Virtual IP

ehrie

Mar 29, 2025
Having a problem I hope someone here can at least get me started on how I get to the bottom of and solve. Here's what I have going on:

Two MiniPCs, each with Proxmox on them. On each an LXC container with Pihole and Unbound on them, static IPs all around. I have keepalived installed in both LXCs and a VIP configured, outside the DHCP range for that network to again prevent any duplication.

This is what works:
DNS points at the native IP for each PiHole, everything works.
VIP for the /admin panel works for both PiHoles, depending where the VIP is being pointed at.
For Proxmox2, DNS through the VIP works.
My problem comes when the VIP is pointed at the PiHole on Proxmox1. DNS does not work, when I try a dig through the VIP when it's pointed there, I get a Connection Refused on the VIP itself. If I kill keepalived there, it fails back over to Proxmox2 and it all works again as it should.

How do I start troubleshooting why only on Proxmox1 only the DNS port seems to be blocked? The firewall is turned off so I know it's not that. I checked /etc/network/interfaces/ to make sure there was nothing off there. Those files match between both Proxmoxes save the unique IP address for each.
 
I've now deleted every other container from this Proxmox install to try and understand what the heck is going on here. Only thing I can tell is keepalived is doing its job. Here's my ip a with the service stopped:

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:6c:da:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.15.1.50/24 brd 10.15.1.255 scope global eth0
       valid_lft forever preferred_lft forever

And when the service is started and it takes control of the VIP:

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:6c:da:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.15.1.50/24 brd 10.15.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.15.1.8/24 scope global secondary eth0
       valid_lft forever preferred_lft forever

But if I try to dig through it...
Code:
dig @10.15.1.8 espn.com
;; communications error to 10.15.1.8#53: connection refused
;; communications error to 10.15.1.8#53: connection refused
;; communications error to 10.15.1.8#53: connection refused

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @10.15.1.8 espn.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

But as soon as I stop keepalived and it fails over to the other proxmox box...all is right with the world again.

Code:
root@pihole1:~# dig @10.15.1.8 espn.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @10.15.1.8 espn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56419
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;espn.com.                      IN      A

;; ANSWER SECTION:
espn.com.               300     IN      A       18.161.21.96
espn.com.               300     IN      A       18.161.21.34
espn.com.               300     IN      A       18.161.21.129
espn.com.               300     IN      A       18.161.21.4

;; Query time: 116 msec
;; SERVER: 10.15.1.8#53(10.15.1.8) (UDP)
;; WHEN: Sat Mar 29 16:25:10 EDT 2025
;; MSG SIZE  rcvd: 101
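
Added example, not part of the original post: a "connection refused" on 10.15.1.8#53 while the address is assigned to eth0 typically means no socket on that container is bound to the VIP or to a wildcard address on port 53, so a first check is to read the listener table with that question in mind. The function names `covers` and `report` and the sample `ss` lines are constructed for illustration; they are not output from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original post): check whether any listening
# socket covers ADDR:PORT. Input is `ss -H -lntu` output on stdin, where
# column 1 is the protocol and column 5 is "Local Address:Port".
covers() {  # usage: covers ADDR PORT PROTO   (PROTO is udp or tcp)
    awk -v addr="$1" -v port="$2" -v proto="$3" '
        $1 == proto {
            n = split($5, parts, ":")      # the port is the last ":" field
            p = parts[n]
            host = substr($5, 1, length($5) - length(p) - 1)
            sub(/%.*/, "", host)           # drop an interface suffix such as %eth0
            # A socket covers addr if bound to it or to a wildcard.
            if (p == port && (host == addr || host == "0.0.0.0" || host == "*"))
                found = 1
        }
        END { exit !found }'
}

# Constructed sample: resolver bound only to the container's static address.
SAMPLE_SPECIFIC='udp UNCONN 0 0 10.15.1.50:53 0.0.0.0:*
tcp LISTEN 0 32 10.15.1.50:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:5335 0.0.0.0:*'

# Constructed sample: resolver bound to the IPv4 wildcard.
SAMPLE_WILDCARD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*'

report() {  # usage: report LABEL SS_OUTPUT ADDR
    if printf '%s\n' "$2" | covers "$3" 53 udp; then
        echo "$1: a UDP listener covers $3:53"
    else
        echo "$1: no UDP listener covers $3:53"
    fi
}

report specific "$SAMPLE_SPECIFIC" 10.15.1.8
report wildcard "$SAMPLE_WILDCARD" 10.15.1.8
# On the live container: ss -H -lntu | covers 10.15.1.8 53 udp; echo $?
```

Running the live command on both containers while each one holds the VIP shows whether their listener tables differ.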