Port/IP Listener setup

I have used Pi-Hole for a while and decided to try to move my DNS lookups to DoH; Cloudflared seemed the simplest way.

Having set it up I noticed that none of the queries were being cached. To cut a long story short, I had used the local IP address in the resolver setup rather than 127.0.0.1.

netstat shows that Cloudflared is set up to only listen on 127.0.0.1. Is this deliberate? I am no expert in this, but it seems that if it listened on 0.0.0.0 then I would have been able to connect using a local IP address.

root@DietPi-PiHole:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      1982/Cloudflared
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      49613/pihole-FTL
tcp        0      0 127.0.0.1:38319         0.0.0.0:*               LISTEN      1982/Cloudflared
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      49613/pihole-FTL
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      558/dropbear
tcp6       0      0 ::1:4711                :::*                    LISTEN      49613/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      812/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      49613/pihole-FTL
tcp6       0      0 :::22                   :::*                    LISTEN      558/dropbear
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           1982/Cloudflared
udp        0      0 0.0.0.0:53              0.0.0.0:*                           49613/pihole-FTL
udp        0      0 0.0.0.0:59549           0.0.0.0:*                           1139/avahi-daemon:
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1139/avahi-daemon:
udp6       0      0 :::44505                :::*                                1139/avahi-daemon:
udp6       0      0 :::53                   :::*                                49613/pihole-FTL
udp6       0      0 :::5353                 :::*                                1139/avahi-daemon:

Can someone also explain the message "Starting metrics server" addr="127.0.0.1:40199" in the log, and also why Cloudflared is listening on port 38319, please?

Can anyone explain this?

Cloudflared listening on 127.0.0.1:5053 is absolutely correct.
Pi-Hole should be configured to forward requests to the above address and port - 127.0.0.1#5053
I suggest discussing the possible caching issue at https://discourse.pi-hole.net/

No it isn’t a Pi-Hole issue. The issue is that, as it is listening on 127.0.0.1, I cannot hit that port from a different machine on the same subnet.

In setting Cloudflared up, an assumption has been made that the user will only want it to listen locally. I believe it needs to listen to 0.0.0.0:5053 instead.

# nmap -p 5053 192.168.x.xx

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-26 10:52 GMT
Nmap scan report for DietPi2 (192.168.x.xx)
Host is up (-0.17s latency).
PORT     STATE  SERVICE
5053/tcp closed rlm

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

# nmap 192.168.7.xx

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-26 10:52 GMT
Nmap scan report for DietPi2 (192.168.x.xx)
Host is up (0.000056s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds

Why, I can hear you ask? Well, for some machines on my LAN I will pass their DNS through Pi-Hole; for others I want to go direct but via DoH. So I need to set up the machine to point to the local IP:5053. However, it currently isn’t listening.

That’s correct. Only Pi-Hole running on the same host is supposed to talk to Cloudflared.
All the machines on the same subnet are supposed to talk with Pi-Hole.

No, they are not. It is up to me to decide what DNS to use.

Ignore the Pi-Hole issue - it is actually irrelevant (hence I changed the subject).

It is - how can I set Cloudflared to listen on a port so a machine on the same subnet can send a DNS request to LOCAL.LAN.IP:5053?

Specifying the address parameter should do the trick:

--address 0.0.0.0

Yes, I tried that but it doesn’t (sadly).

IP of 0.0.0.0

# netstat -lnp | grep cloud
tcp        0      0 127.0.0.1:38601         0.0.0.0:*               LISTEN      27096/Cloudflared
tcp6       0      0 :::5053                 :::*                    LISTEN      27096/Cloudflared
udp6       0      0 :::5053                 :::*                                27096/Cloudflared

IP not specified

# netstat -lnp | grep cloud
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      27081/Cloudflared
tcp        0      0 127.0.0.1:45959         0.0.0.0:*               LISTEN      27081/Cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           27081/Cloudflared

IP 192.168.X.X

# netstat -lnp | grep cloud
tcp        0      0 192.168.X.X:5053       0.0.0.0:*               LISTEN      27032/Cloudflared
tcp        0      0 127.0.0.1:38085         0.0.0.0:*               LISTEN      27032/Cloudflared
udp        0      0 192.168.X.X:5053       0.0.0.0:*                           27032/Cloudflared

Compare that to, for instance, lighttpd on port 80

# netstat -lnp | grep light
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1111/lighttpd
tcp6       0      0 :::80                   :::*                    LISTEN      1111/lighttpd

[edit] as an aside, why the second random port?

Ehm, not sure, but your output looks as if it worked. Have you tried to connect from another machine?


Ah, OK :blush:. Yes it does. Thanks.

But why is the output of the netstat different? I’d assumed (oh bugger) it wouldn’t work as it was not what I expected.

How can I change the metrics server and what exactly is that?

What exactly is different and not the way you expected?

Just the text output. My simplistic idea was that it would look like the other services that are installed (like lighttpd). Just interested.

[edit] e.g. there is only tcp6 and no tcp entry.

The output is the same; it simply collapses the IPv6 address. The more interesting thing is why it seems it is not listening on IPv6 in some cases :confused:
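As an added example (not code from this thread or from cloudflared), a small Python audit that parses `netstat -lnp` lines like the ones posted above and tags each listener with who can reach it; the sample lines are constructed from this thread's outputs, with 192.168.1.10 standing in for the redacted LAN address, and the dual-stack rule assumes Linux's default `bindv6only=0`.

```python
import re
from typing import Dict, List

# Constructed sample of `netstat -lnp` lines, based on the outputs posted in
# this thread; 192.168.1.10 stands in for the redacted LAN address.
SAMPLE = """\
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      1982/Cloudflared
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/lighttpd
tcp6       0      0 :::5053                 :::*                    LISTEN      27096/Cloudflared
tcp        0      0 192.168.1.10:5053       0.0.0.0:*               LISTEN      27032/Cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           1982/Cloudflared
"""

# proto, recv-q, send-q, local address, foreign address, optional LISTEN, program
LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)")


def classify(local: str) -> str:
    """Map a netstat 'Local Address' to who can reach the socket."""
    addr = local.rsplit(":", 1)[0]          # ':::5053' -> '::', '::1:4711' -> '::1'
    if addr in ("127.0.0.1", "::1"):
        return "loopback-only"              # same host only (cloudflared's default)
    if addr == "0.0.0.0":
        return "all-ipv4"
    if addr == "::":
        # Unspecified IPv6 bind: with Linux's default bindv6only=0 the socket is
        # dual-stack and also accepts IPv4 clients, so netstat shows only a tcp6 row.
        return "all-ipv4+ipv6"
    return "specific-address"               # reachable only via that interface address


def audit(netstat_output: str) -> List[Dict[str, str]]:
    """Parse netstat -lnp lines and tag each listener with its exposure class."""
    rows = []
    for line in netstat_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # header lines, blank lines
        proto, local, program = m.groups()
        rows.append({"proto": proto, "local": local, "program": program,
                     "exposure": classify(local)})
    return rows


def lan_reachable(rows: List[Dict[str, str]]) -> List[str]:
    """Listeners other hosts on the LAN could reach, as 'proto local program'."""
    return [f"{r['proto']} {r['local']} {r['program']}"
            for r in rows if r["exposure"] != "loopback-only"]


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['proto']:5} {r['local']:22} {r['exposure']:16} {r['program']}")
```

Pipe real output through `audit(sys.stdin.read())` to see at a glance which of cloudflared's sockets (the 5053 resolver versus the loopback-only metrics port) a LAN client can actually reach.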

Does that mean it is listening on IPv4? Is there a way to test that?

How do you test the connection from the other machines? Try specifying the IPv4 address.

I was just doing a dig or nmap

dig @192.168.X.X -p 5053 community.cloudflare.com
nmap -p 5053 192.168.X.X

So if I specify an IPv4 address, that is what is used? I wondered if the router might be doing some form of translation. Possibly impossible to tell.

I also tried this for the metrics server but Cloudflared failed to start.

I note that:
https://github.com/Cloudflare/Cloudflared/blob/3e8d886c25feec2e71729b3742b61cce5636c767/cmd/Cloudflared/tunnel/cmd.go#L65-L74

The metrics Value has a colon and the address Value does not (and I might be barking up the wrong tree!).

Considering you are in the same network, the router shouldn’t be involved at all. But it is not clear to me: when netstat only shows tcp6, do IPv4 connections work?

It looks like it.

nmap -p 5053 192.168.X.X -4

The -4 should force an IPv4 lookup.

Looks like this is sorted for me anyway. Thanks for your help :smile:.

Just did a new installation and this command line option seems to have gone. Have I missed something in the docs?

I really want to change the address cloudflared listens on.