[BUG] We need another DNS approach for [Synology] systems. #1983

Open
zzecool opened this issue May 14, 2024 · 16 comments
Labels
bug Something isn't working client dns synology

Comments

@zzecool

zzecool commented May 14, 2024

In Synology, the current DNS implementation fails like this if you have a DNS running locally:

The local DNS is listening on all available addresses; for that, we need a DNS that will listen on a different port, but not with the current implementation, as it is not supported.

sudo netstat -tuln | grep -w ':53'

tcp6       0      0 :::53                   :::*                    LISTEN     
udp6       0      0 :::53                   :::*   

2024-05-13T23:20:38+03:00 WARN client/internal/dns/service_listener.go:185: binding dns on 100.115.6.17:53 is not available, error: listen udp 100.115.6.17:53: bind: address already in use
2024-05-13T23:20:38+03:00 WARN client/internal/dns/service_listener.go:185: binding dns on 127.0.0.1:53 is not available, error: listen udp 127.0.0.1:53: bind: address already in use
2024-05-13T23:20:38+03:00 WARN client/internal/dns/service_listener.go:185: binding dns on 127.0.0.153:53 is not available, error: listen udp 127.0.0.153:53: bind: address already in use
2024-05-13T23:20:38+03:00 WARN client/internal/dns/service_listener.go:215: failed to load DNS forwarder eBPF program, error: field NbXdpProg: program nb_xdp_prog: map .rodata: map create: read- and write-only maps not supported (requires >= v5.2)
2024-05-13T23:20:38+03:00 WARN client/internal/dns/server.go:316: the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. Learn more at: https://docs.netbird.io/how-to/manage-dns-in-your-network#local-resolver
2024-05-13T23:20:38+03:00 ERRO client/internal/dns/server.go:322: unable to configure DNS for this peer using file manager without a nameserver group with all domains configured

You guys are active, so we are very close to making NetBird fully supported on Synology.
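The bind failures in the log above can be reproduced without touching port 53. The following is an added example, not part of the original thread and not NetBird's code: a wildcard UDP listener on an ephemeral port stands in for the local DNS server, and `ProbeUDP` / `FirstFree` (hypothetical helper names) test the loopback addresses seen in the WARN lines.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

// BindResult is the outcome of one bind attempt (hypothetical helper type).
type BindResult struct {
	Addr  string
	InUse bool // kernel answered EADDRINUSE, as in the WARN lines above
	Err   error
}

// ProbeUDP tries to bind every ip on port and closes the socket again at once.
func ProbeUDP(ips []string, port int) []BindResult {
	results := make([]BindResult, 0, len(ips))
	for _, ip := range ips {
		addr := net.JoinHostPort(ip, fmt.Sprint(port))
		pc, err := net.ListenPacket("udp", addr)
		if err == nil {
			pc.Close()
		}
		results = append(results, BindResult{addr, errors.Is(err, syscall.EADDRINUSE), err})
	}
	return results
}

// FirstFree returns the first address that could be bound, or "" if none could.
func FirstFree(results []BindResult) string {
	for _, r := range results {
		if r.Err == nil {
			return r.Addr
		}
	}
	return ""
}

func main() {
	// Constructed scenario: a wildcard listener stands in for the local DNS server.
	wild, err := net.ListenPacket("udp4", "0.0.0.0:0")
	if err != nil {
		panic(err)
	}
	defer wild.Close()
	port := wild.LocalAddr().(*net.UDPAddr).Port
	for _, r := range ProbeUDP([]string{"127.0.0.1", "127.0.0.153"}, port) {
		fmt.Printf("%s in_use=%v err=%v\n", r.Addr, r.InUse, r.Err)
	}
}
```

While the wildcard socket is open, every specific address on that port reports `in_use=true`, which is why none of the per-address fallbacks in the log could succeed.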

@zzecool
Author

zzecool commented May 14, 2024

@bcmmbaga Hop in now that you are on fire :P

@zzecool zzecool changed the title [BUG] We need another DNS approach for Synology systems. [BUG] We need another DNS approach for [Synology] systems. May 16, 2024
@mlsmaycon mlsmaycon added bug Something isn't working client dns synology and removed triage-needed labels May 22, 2024
@mlsmaycon
Collaborator

Hello @zzecool thanks for reporting this issue.

Can you test using user space mode?

If you are on DSM 7.0+ you can do that by using the following commands:

sudo mkdir -p /etc/sysconfig
echo 'NB_WG_KERNEL_DISABLED=true' | sudo tee -a /etc/sysconfig/netbird
sudo systemctl restart netbird

@zzecool
Author

zzecool commented May 22, 2024

> sudo mkdir -p /etc/sysconfig
> echo 'NB_WG_KERNEL_DISABLED=true' | sudo tee -a /etc/sysconfig/netbird
> sudo systemctl restart netbird

@mlsmaycon Yes here you are :

2024-05-22T18:52:59+03:00 INFO client/internal/connect.go:115: starting NetBird client version 0.27.7 on linux/amd64
2024-05-22T18:52:59+03:00 WARN client/system/info_linux.go:115: geucwReleaseInfo: exit status 1
2024-05-22T18:53:00+03:00 WARN client/internal/wgproxy/factory_linux.go:17: failed to initialize ebpf proxy, fallback to user space proxy: field NbXdpProg: program nb_xdp_prog: map .rodata: map create: read- and write-only maps not supported (requires >= v5.2)
2024-05-22T18:53:00+03:00 INFO iface/tun_usp_linux.go:33: using userspace bind mode
2024-05-22T18:53:00+03:00 INFO client/internal/routemanager/manager.go:93: Routing setup complete
2024-05-22T18:53:00+03:00 INFO iface/tun_usp_linux.go:45: create tun interface
2024-05-22T18:53:00+03:00 ERRO client/firewall/iptables/router_linux.go:51: failed to cleanup routing rules: failed to list rules in FORWARD chain: running [/sbin/iptables -t filter -S FORWARD --wait]: exit status 1: iptables: No chain/target/match by that name.

2024-05-22T18:53:00+03:00 ERRO client/firewall/create_linux.go:48: failed to create iptables manager: failed to list rules in FORWARD chain: running [/sbin/iptables -t filter -S FORWARD --wait]: exit status 1: iptables: No chain/target/match by that name.

2024-05-22T18:53:00+03:00 INFO client/internal/dns/host_linux.go:68: System DNS manager discovered: file
2024-05-22T18:53:00+03:00 INFO client/internal/engine.go:359: Network monitor is disabled, not starting
2024-05-22T18:53:00+03:00 INFO client/internal/connect.go:261: Netbird engine started, the IP is: 100.150.200.200/16
2024-05-22T18:53:00+03:00 INFO signal/client/grpc.go:158: connected to the Signal Service stream
2024-05-22T18:53:00+03:00 INFO management/client/grpc.go:147: connected to the Management Service stream
2024-05-22T18:53:00+03:00 WARN client/internal/engine.go:551: running SSH server is not permitted
2024-05-22T18:53:00+03:00 INFO client/internal/dns/file_linux.go:107: created a NetBird managed /etc/resolv.conf file with the DNS settings. Added 1 search domains. Search list: [netbird.selfhosted]
2024-05-22T18:53:00+03:00 INFO client/internal/dns/file_repair_linux.go:48: start to watch resolv.conf: /etc/resolv.conf
2024-05-22T18:53:00+03:00 INFO client/internal/acl/manager.go:52: ACL rules processed in: 549.946µs, total rules count: 22
2024-05-22T18:53:02+03:00 WARN client/internal/dns/upstream.go:185: probing upstream nameserver 1.1.1.1:53: read udp 10.0.0.50:36965->1.1.1.1:53: i/o timeout
2024-05-22T18:53:02+03:00 WARN client/internal/dns/upstream.go:185: probing upstream nameserver 1.0.0.1:53: read udp 10.0.0.50:46327->1.0.0.1:53: i/o timeout
2024-05-22T18:53:02+03:00 WARN client/internal/dns/upstream.go:265: Upstream resolving is Disabled for 30s
2024-05-22T18:53:02+03:00 INFO [nameservers: [{1.1.1.1 udp 53} {1.0.0.1 udp 53}]] client/internal/dns/server.go:504: Temporarily deactivating nameservers group due to timeout
2024-05-22T18:53:02+03:00 ERRO [nameservers: [{1.1.1.1 udp 53} {1.0.0.1 udp 53}]] client/internal/dns/server.go:525: Failed to apply nameserver deactivation on the host: unable to configure DNS for this peer using file manager without a nameserver group with all domains configured

@mlsmaycon
Collaborator

@zzecool can you try adding a default nameserver in the NetBird's dashboard? As the detected DNS mode was file, it won't resolve DNS queries without one.

@zzecool
Author

zzecool commented May 22, 2024

@mlsmaycon

I have a DNS for this node in the web management interface.

The DNS is up and running fine.

It is on the same machine that netbird is running on port 53.

@mlsmaycon
Collaborator

In that case, you can add one of the node's local IPs as a nameserver and distribute it to a group that only contains the Synology node.

@zzecool
Author

zzecool commented May 22, 2024

> In that case, you can add one of the node's local IPs as a nameserver and distribute it to a group that only contains the Synology node.

@mlsmaycon

This is exactly what I have.

On the web interface, the DNS for this node group is 10.0.0.50

and this is inside the node:

Its IP address, just to be clear

$ ifconfig | grep -A 1 ovs
ovs_bond0 Link encap:Ethernet  HWaddr 00:15:30:9F:71:02  
          inet addr:10.0.0.50  Bcast:10.0.0.255  Mask:255.255.255.0

The resolve test:

$ nslookup google.com     
Server:         10.0.0.50
Address:        10.0.0.50#53

Non-authoritative answer:
Name:   Google.com
Address: 172.217.17.110
Name:   google.com
Address: 2a00:1450:4017:810::200e

@zzecool
Author

zzecool commented May 22, 2024

@mlsmaycon

image

Maybe this is the problem, that after this rule I have Cloudflare for ALL?

Does the first matched rule have higher priority and get used, or not?

Thanks

@mlsmaycon
Collaborator

Could be. The peers in the personal group might be using the Cloudflare addresses.

Just to confirm, your Synology is part of the personal group? If not, it should be, or you should add one of its groups to the distribution groups.

@zzecool
Author

zzecool commented May 22, 2024

> Could be. The peers in the personal group might be using the Cloudflare addresses.
>
> Just to confirm, your Synology is part of the personal group? If not, it should be, or you should add one of its groups to the distribution groups.

Yes, it's part of the personal group.

@mlsmaycon
Collaborator

OK, to validate the setup, try limiting the Cloudflare configuration to another group.

@zzecool
Author

zzecool commented May 22, 2024

> OK, to validate the setup, try limiting the Cloudflare configuration to another group.

Yeap, that did the trick. So the first matched rule is getting ignored and replaced; you have to consider if this is what you want, as most people are used to the iptables way of rule priority.

2024-05-22T19:48:25+03:00 INFO client/internal/dns/file_linux.go:107: created a NetBird managed /etc/resolv.conf file with the DNS settings. Added 1 search domains. Search list: [netbird.selfhosted]
2024-05-22T19:48:25+03:00 INFO client/internal/dns/file_repair_linux.go:48: start to watch resolv.conf: /etc/resolv.conf
2024-05-22T19:48:25+03:00 INFO client/internal/acl/manager.go:52: ACL rules processed in: 508.582µs, total rules count: 22

Removing the /etc/sysconfig/netbird breaks everything again.

So now that your install.sh script detects Synology just fine, please add the creation of the /etc/sysconfig/netbird file :D

  • kind to explain what the userspace is doing exactly with the NB_WG_KERNEL_DISABLED=true config ?

We are making progress :D

@mlsmaycon
Collaborator

@zzecool can you confirm that this local resolver, 10.0.0.50#53, comes with every Synology by default?

@zzecool
Author

zzecool commented May 22, 2024

> @zzecool can you confirm that this local resolver, 10.0.0.50#53, comes with every Synology by default?

Nope, this is a DNS that I'm personally running on this machine.

@mlsmaycon
Collaborator

Okay, in that case, it is better not to default to userspace mode just yet, as it may affect other users.

We will look into the masquerade issue and then make a decision.

Thanks for validating this.

@zzecool
Author

zzecool commented May 23, 2024

> Okay, in that case, it is better not to default to userspace mode just yet, as it may affect other users.
>
> We will look into the masquerade issue and then make a decision.
>
> Thanks for validating this.

Can you think of any other way to make this work in kernel space while having another DNS running on the same machine?
