In your Tailscale DNS panel, disable “Use with exit node” option for your nameservers.

When turned on, that option actually allows you to talk directly to nameservers without tunneling DNS queries through the exit node. Since Quad9 in fact has a worldwide CDN, this would leak your (general) DNS query location.

I believe Tailscale send the queries in parallel and fetch the faster response, which is Quad9 in this case. Ideally for your use case, all your queries should be able to reach and show up in Pi-hole’s logs. Use tailscale dns commands for further debugging

Glad to know you got it working.

When you use a VPN as a matter of privacy, I believe you should use their DNS service too to blend in with the crowd. Because of DNS leaks, websites would likely know which DNS server you’re querying from, so using a selfhosted one instead of a VPN’s can be a major uniqueness vector. On the contrary however, I’ve seen many do exactly that, so I guess it’s not as big of an issue. So it’s your choice ultimately.

Now, if you opt for commercial VPN’s DNS servers, be aware that don’t usually block any ads (if they do it’s likely a paid option), and you’d want to configure your own local zones too. To intercept DNS queries and forward only the approved ones to the VPN, I think you have 2 options:

• Host Technitium on the VPN’d machine (your computer) and set up blocklists there. Create Conditional Forwarding zones: 1 towards the main TDNS server for your local domains, and the rest towards the 10.2.0.1 server for your public queries. Technitium may be overkill, AdGuard Home can also do this.
• Configure your main TDNS server to forward queries via the VPN tunnel. This requires the VPN tunnel having an available SOCKS5/HTTP proxy, to be used with TDNS’ Proxy and Forwarders options. Even better, you may use the Advanced Forwarding app to only use this routing for the VPN’d device, and use another routing for other devices

One solution is to resolve all my subdomains on /etc/hosts so it never has to leave the box, but I’m curious what a more experienced net admin would suggest.

Not a net admin but I would enforce a LAN-only DNS server for all relevant clients and put the records there. And/or put such an infra behind a VPN like Tailscale so bots don’t see it.

Yeah they registered a wildcard but queries contain the full domain

Have you solved your problem? It seems like there are some issues with your setup:

TDNS is set to “allow recursion only for private networks” this means that if something external tried to resolve using my TDNS they’ll be refused, correct?

Correct. It only accept recursion queries from private networks and can make outbound requests to the internet as normal

10.2.0.1 turned out to be my vpn’s dns server

On the computer, you’re also using your VPN’s DNS service accessible within the VPN tunnel (hence the weird IP address). If you wanna use Technitium you should disable such service

I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.

Unable to reach external net when NAT rules active.

If you’re forcing every device to talk to TDNS, then your TDNS server is also talking to itself and cannot make queries to Cloudflare/Quad9 on port 53. You can either:

• Create an exception rule to allow your TDNS address to talk to Cloudflare/Quad9, or
• Use DNS-over-HTTPS/DNS-over-TLS as your TDNS forwarder protocols as they aren’t affected by rules on port 53 (recommended for encryption)

It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333.

Yes it’s expected, if you’re telling your clients to forward their queries to dnsmasq, and then let dnsmasq forward those queries to Technitium. If you want clients to talk directly to TDNS instead, set the DHCP option to advertise its address and don’t use your firewall’s address as a forwarder. I prefer the second option as it’ll give you correct client IPs in query logs and save some round trips.

I don’t really know what I’m doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com

If you can query the zone and its reverse PTR record in Technitium’s DNS client, then you’ve properly set it up. Remember you’ll have to tick the PTR options when setting up said record. Also you can open an issue on Technitium’s Github or their subreddit for assistance.

My guess would be NSEC zone walking if your DNS provider supports DNSSEC. But that shouldn’t work with unregistered or wildcard domains

The next guess would be during setup, someone somewhere got ahold of your SNI (and/or outgoing DNS requests). Maybe your ISP/VPN service actually logs them and announce it to the world

I suggest next time, try setting up without any over-the-internet traffic at all. E.g. always use curl with the --resolve flag on the same VM as Apache to check if it’s working

Having a DNSSEC-enabled resolver does protect from tampering with the DNS records, but not all ISPs properly support it so you may see many more errors. It should be used in conjunction with recursion or a respectable public resolver with support for DoH/DoT

It’s not a factor for me, but if you continually find slow speed you could try picking a mirror that has better perf. Also dnf can be incredibly slow so you may need some additional max_parallel_downloads tuning

they have an official build too: https://hub.docker.com/r/adguard/dnsproxy

Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you

Edit: If you want something simpler to replace Pihole + cloudflared, AdGuard Home is pretty good too. It uses dnsproxy under the hood and has a nice UI

For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your andwers with DNSSEC as to detect and refuse any DNS tampering attempts

Yes you’ll need a way to query the domain of the DoH service in plaintext before using it. In many software you can define “bootstrap DNS addresses” to do exactly that. Or you can hardcode the DoH service’s IPs, which for most upstream providers are almost always the same as their “normal” IPs anyways

deleted by creator

Yes it involves nginx’s stream directive

As continued from my answer for ypur previous post I suggest you route pure TCP traffic all the way to your backend and terminate TLS (with a Let’s Encrypt cert) there. In fact, I prefer not to mount any certs on the VPS. This does not involve separate certs nor internal domains.

Is there a way for you to talk to upstream DNS bypassing Ubiquiti’s firewall? Maybe do it on a different port? (idk if the RFC permits this)

There are many ways to do this and you got the right gist, but my recommendation:

• Set up a WireGuard tunnel connecting your VPS and homeserver
• Set up a layer-4 TCP reverse proxy (Nginx’s stream module/Traefik TCP routers/Caddy-L4/HAProxy are all doable) on the VPS
• Use that reverse proxy to route all TCP traffic back to the homeserver’s HTTPS service(s), via the wg tunnel

Here’s a guide that helped me with such a setup: https://theorangeone.net/posts/wireguard-haproxy-gateway/

Wireguard only need one peer to open a silent UDP port, so use the VPS’ IP and no need to portforward your homeserver. There are other more convenient solutions like Tailscale or Pangolin, but being Wireguard-based they all follow the same principle. Lastly this keeps your certs locally for TLS all the way through

For the DNS provider I recommend https://desec.io/. It’s a nonprofit running worldwide DNS servers, supports DNSSEC, and has a plugin for Lego. If your registrar supports DNSSEC as well, I’d recommend enabling it to protect from DNS forgery.

For the DDoS protection I don’t have a recommendation as they’re all “just another SaaS”, but maybe you could limit many more selfhosted things behind auth as to not expose more surface to potential scrapers.

If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

Not an expert but they can try compromising another device on your LAN as a proxy to your rig. Maybe pawn your router and have it open up random ports too. So per-device firewall is defense in depth.

What “good” would my public IP do for a hacker if I have no ports forwarded?

Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

Malware doesn’t need forwarded ports to the internet to function. It can just download a script to a compromised device and wreck havoc on LAN. So if you properly segment your devices and utilize endpoint firewalls it can limit the blast radius and does some detection stuff

Edit: Don’t think of NAT as proper firewall, it’s just an easy way to share addresses via your router/modem. Your ISP’s devices often block inbound connections from the internet by default but that’s a firewall configuration, not a NAT

Beat me to it. This is likely the best way as 443 is ubiquitously unblocked on most networks

Thanks for posting here. I’ll update to continuwuity v0.5.0 immediately when I come back to Matrix