Port/IP Listener setup


#1

I have used Pi-Hole for a while and decided to try to move my DNS lookups to DoH; Cloudflared seemed the simplest way.

Having set it up I noticed that none of the queries were being cached. To cut a long story short, I had used the local IP address in the resolver setup rather than 127.0.0.1.

netstat shows that cloudflared is setup to only listen to 127.0.0.1. Is this deliberate? I am no expert in this, but it seems that if it listened on 0.0.0.0 then I would have been able to connect using a local IP address.

# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      1982/cloudflared
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      49613/pihole-FTL
tcp        0      0 127.0.0.1:38319         0.0.0.0:*               LISTEN      1982/cloudflared
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      49613/pihole-FTL
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      558/dropbear
tcp6       0      0 ::1:4711                :::*                    LISTEN      49613/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      812/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      49613/pihole-FTL
tcp6       0      0 :::22                   :::*                    LISTEN      558/dropbear
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           1982/cloudflared
udp        0      0 0.0.0.0:53              0.0.0.0:*                           49613/pihole-FTL
udp        0      0 0.0.0.0:59549           0.0.0.0:*                           1139/avahi-daemon:
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1139/avahi-daemon:
udp6       0      0 :::44505                :::*                                1139/avahi-daemon:
udp6       0      0 :::53                   :::*                                49613/pihole-FTL
udp6       0      0 :::5353                 :::*                                1139/avahi-daemon:

Can someone also explain the message "Starting metrics server" addr="127.0.0.1:40199" in the log, and why cloudflared is listening on port 38319, please?


#2

Can anyone explain this?


#3

cloudflared listening on 127.0.0.1:5053 is absolutely correct.
Pi-Hole should be configured to forward requests to the above address and port: 127.0.0.1#5053
I suggest discussing the possible caching issue at https://discourse.pi-hole.net/


#4

No, it isn’t a Pi-Hole issue. The issue is that, as it is listening on 127.0.0.1, I cannot hit that port from a different machine on the same subnet.

In setting cloudflared up, an assumption has been made that the user will only want it to listen locally. I believe it needs to listen to 0.0.0.0:5053 instead.

# nmap -p 5053 192.168.x.xx

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-26 10:52 GMT
Nmap scan report for DietPi2 (192.168.x.xx)
Host is up (-0.17s latency).
PORT     STATE  SERVICE
5053/tcp closed rlm

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

# nmap 192.168.7.xx

Starting Nmap 7.40 ( https://nmap.org ) at 2019-01-26 10:52 GMT
Nmap scan report for DietPi2 (192.168.x.xx)
Host is up (0.000056s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds

Why, I can hear you ask? Well, for some machines on my LAN I will pass their DNS through Pi-Hole; for others I want to go direct, but via DoH. So I need to set up the machine to point to the local IP:5053. However, it currently isn’t listening.


#5

That’s correct. Only Pi-Hole running on the same host is supposed to talk to cloudflared.
All the machines on the same subnet are supposed to talk with Pi-Hole.


#6

No, they are not. It is up to me to decide what DNS to use.

Ignore the Pi-Hole issue - it is actually irrelevant (hence I changed the subject).

It is: how can I set cloudflared to listen on a port so a machine on the same subnet can send a DNS request to LOCAL.LAN.IP:5053?


#7

Specifying the address parameter should do the trick:

--address 0.0.0.0

#8

Yes, I tried that, but it doesn’t (sadly).

IP of 0.0.0.0

# netstat -lnp | grep cloud
tcp        0      0 127.0.0.1:38601         0.0.0.0:*               LISTEN      27096/cloudflared
tcp6       0      0 :::5053                 :::*                    LISTEN      27096/cloudflared
udp6       0      0 :::5053                 :::*                                27096/cloudflared

IP not specified

# netstat -lnp | grep cloud
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      27081/cloudflared
tcp        0      0 127.0.0.1:45959         0.0.0.0:*               LISTEN      27081/cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           27081/cloudflared

IP 192.168.X.X

# netstat -lnp | grep cloud
tcp        0      0 192.168.X.X:5053       0.0.0.0:*               LISTEN      27032/cloudflared
tcp        0      0 127.0.0.1:38085         0.0.0.0:*               LISTEN      27032/cloudflared
udp        0      0 192.168.X.X:5053       0.0.0.0:*                           27032/cloudflared

Compare that to, for instance, lighttpd on port 80:

# netstat -lnp | grep light
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1111/lighttpd
tcp6       0      0 :::80                   :::*                    LISTEN      1111/lighttpd

[edit] as an aside, why the second random port?


#9

Ehm, not sure, but your output looks as if it worked. Have you tried to connect from another machine?


#10

Ah, OK :blush:. Yes it does. Thanks.

But why is the output of the netstat different? I’d assumed (oh bugger) it wouldn’t work as it was not what I expected.

How can I change the metrics server and what exactly is that?


#11

What exactly is different and not the way you expected?


#12

Just the text output. My simplistic idea was that it would look like the other services that are installed (like lighttpd). Just interested.

[edit] e.g. there is only tcp6 and no tcp entry.


#13

The output is the same; it simply collapses the IPv6 address. The more interesting thing is why it seems it is not listening on IPv6 in some cases :confused:
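The exposure question running through the thread (which listeners are loopback-only, which are reachable from the LAN, and whether a bare tcp6 `:::5053` entry also serves IPv4) can be checked mechanically. The following is an added example, not code from the thread or from cloudflared; it parses the `netstat -lnp` column layout shown above and assumes the Linux default that an unspecified IPv6 bind (`::`) is dual-stack unless the socket sets IPV6_V6ONLY (or net.ipv6.bindv6only is enabled). The sample netstat text is constructed, modelled on the outputs posted earlier.

```python
"""Classify listening sockets from `netstat -lnp` output by network exposure.

Added example for the thread above; not cloudflared's own code. Column layout
is assumed to match the `netstat -lnp` output posted in the thread.
"""
from dataclasses import dataclass

# Constructed sample, modelled on the netstat output posted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      1982/cloudflared
tcp        0      0 127.0.0.1:38319         0.0.0.0:*               LISTEN      1982/cloudflared
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/lighttpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      49613/pihole-FTL
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      558/dropbear
tcp6       0      0 ::1:4711                :::*                    LISTEN      49613/pihole-FTL
tcp6       0      0 :::80                   :::*                    LISTEN      812/lighttpd
tcp6       0      0 :::5053                 :::*                    LISTEN      27096/cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           1982/cloudflared
udp        0      0 0.0.0.0:53              0.0.0.0:*                           49613/pihole-FTL
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1139/avahi-daemon:
udp6       0      0 :::5053                 :::*                                27096/cloudflared
"""


@dataclass(frozen=True)
class Listener:
    proto: str     # tcp, tcp6, udp or udp6
    host: str      # bind address with the port stripped
    port: int
    program: str   # the "PID/Program name" column, trailing ':' removed


def parse_netstat(text: str) -> list[Listener]:
    """Turn `netstat -lnp` output into Listener records; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # UDP rows have no State column, so 6 fields; TCP rows have 7.
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        # rpartition splits on the last ':' so '::1:4711' -> ('::1', '4711')
        host, _, port = fields[3].rpartition(":")
        listeners.append(Listener(fields[0], host, int(port), fields[-1].rstrip(":")))
    return listeners


def exposure(lst: Listener) -> str:
    """Classify who can reach a listener based on its bind address alone."""
    if lst.host.startswith("127.") or lst.host == "::1":
        return "loopback-only"
    if lst.host == "0.0.0.0":
        return "all-ipv4"
    if lst.host == "::":
        # Assumption: Linux default dual-stack, so this also answers IPv4
        # (IPv4 peers show up as ::ffff:a.b.c.d); IPV6_V6ONLY would change that.
        return "all-ipv4+ipv6 (dual-stack unless IPV6_V6ONLY)"
    return "specific-address"


def lan_reachable_ports(listeners: list[Listener]) -> dict[str, set[int]]:
    """Ports per program that a host elsewhere on the subnet could reach."""
    reachable: dict[str, set[int]] = {}
    for lst in listeners:
        if exposure(lst) != "loopback-only":
            reachable.setdefault(lst.program, set()).add(lst.port)
    return reachable


def report(text: str) -> list[str]:
    """Human-readable lines, one per listener, for a quick audit."""
    return [f"{l.proto:5} {l.host}:{l.port:<6} {l.program:22} {exposure(l)}"
            for l in parse_netstat(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
    print("LAN-reachable:", lan_reachable_ports(parse_netstat(SAMPLE_NETSTAT)))
```

Run against real output (`netstat -lnp | python3 listeners.py` with a small stdin tweak, or paste the text into SAMPLE_NETSTAT) and anything that is not "loopback-only" is what a neighbour on the subnet can try; in the thread's final state that is cloudflared's 5053 on all addresses, which is exactly the intended change, while the random high port next to it stays on 127.0.0.1.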


#14

Does that mean it is listening on IPv4? Is there a way to test that?


#15

How do you test the connection from the other machines? Try specifying the IPv4 address.


#16

I was just doing a dig or nmap:

dig @192.168.X.X -p 5053 community.cloudflare.com
nmap -p 5053 192.168.X.X

So if I specify an IPv4 address, that is what is used? I wondered if the router might be doing some form of translation. Possibly impossible to tell.


#17

I also tried this for the metrics server but cloudflared failed to start.

I note that:

The metrics Value has a colon and the address Value does not (and I might be barking up the wrong tree!).


#18

Considering you are in the same network, the router shouldn’t be involved at all. But it is not clear to me: when netstat only shows tcp6, do IPv4 connections work?


#19

It looks like it.

 nmap -p 5053 192.168.X.X -4

The -4 should force an IPv4 lookup.

Looks like this is sorted for me anyway. Thanks for your help :smile:.