Server behind CGNAT: DNS problem: server failure at resolver looking up A

Hey! I am learning networking and am trying to implement SSL through reverse proxy with nginx and letsencrypt on my media application as an exercise. It happens that I am behind CGNAT, and can only access my media application externally through a single open port in my router that some ddns domain of my ISP points to across CGNAT.

My setup is the following:

  1. My own domain subdomain.domain.com points to ddns.ISPservice.com:10000;

  2. ddns.ISPservice.com:10000 points to my router's IP at the same port: 10.10.10.10:10000 (which is therefore the only access I have to the public internet);

  3. 10.10.10.10:10000 is forwarded to the application host 192.162.0.40:443, where nginx is listening (I set this to 443 thinking about https, but it is arbitrary of course).

  4. nginx proxy-passes the connection to 127.0.0.1:10000 where my media application is running.

This works in the sense that if I type subdomain.domain.com in a browser I am able to access my media application. Now, I had no idea if I would be able to SSL certify this setup, but I was told it would work on other forums, so I tried running (with everything installed)

sudo certbot -v --nginx -d betoflix.mariobarela.top

But I get 'DNS problem: server failure at resolver looking up A for subdomain.domain.com;'

What is happening? Can I make this work?

I know that I should provide the real domain name, but since it contains my name I am wary of laying it down here (even though it is already public). In any case, I greatly appreciate any insight.

It's hard to help without an actual name, but if you're comfortable typing your domain name into web tools then it may be that Unboundtest and DNSViz can help you understand why your DNS isn't working the way you expect and confirm that it's actually resolving to a public IP.

Instead of all the crazy CGNAT madness, can you just use IPv6?

7 Likes

How does that work? Because DNS usually doesn't use ports in their "pointing".

Note that the http-01 challenge (used by the --nginx plugin) exclusively uses port 80 (and 443 if redirected to HTTPS) and cannot use any other port number to connect to your server.

So if only port 10000 is usable to access your server, you cannot use the http-01 (or tls-alpn-01) challenge.

Possible solutions might be:

  • dns-01 challenge, if you can add/remove TXT RRs to your own domain;
  • Use IPv6: this is usually not behind the whole CG-NAT stuff.
5 Likes

@Guile , welcome to the community!

I do not know which component gives this name resolution error. I checked your domain and all seems to be OK both with letsdebug and dnsviz.

3 Likes

I don't know how to interpret the result of these scans. Is there a way I can provide you my domain name in private? I apologize if I'm being silly.

I honestly have no idea how it works. I simply tested configuring the redirection to the address ddns.ISPdomain.com:10000 and it worked.

If the challenge only works on the router port 80, then that is probably the issue.

Unfortunately I don't think my ISP can provide me an IPv6.

I don't think I'd call it silly, but most people here (including myself) prefer helping in public where possible. There are some around who might be willing to do consulting work for you if that's the kind of thing you're looking for. But for the most part, anything put on the Internet is public (including all publicly-trusted certificates), so if you're not comfortable with strangers knowing that domain name then you might want to pick a different domain name (at least for testing?)

This can mean a lot of different things from a technical perspective, even if they end up with the same result of "a user using a web browser sees my page" there are a lot of possibilities. Can you explain exactly what this "redirection" is?

Well, what needs to happen, is for the request for the domain name, from the outside, to be on that port. Your ISP or router or whatever can direct it someplace internally, including to another port, as long as from the outside's perspective the reply is still from 80.

I would hope that any ISP which was resorting to setting up CGNAT on IPv4 would be trying to get their customers onto native IPv6 in order to avoid load on their CGNAT resources, but not all ISPs are actually as proficient as I would hope.

6 Likes

You are right, unfortunately that is not an option now (I have gotten this domain for professional reasons, which is why it contains my name, and now it is not viable for me to get another).

I use OVH, and this is the only section in their manager I have edited:

I have added the second line, of an 'invisible redirection', from subdomain.mydomain.com to http://ddns.ISPdomain.com:1000.

I have just confirmed that they don't. They are willing to forward any other ports I may need from their DDNS to my router, though, like the one I already have.

Invisible redirection works with an iFrame HTML tag. This allows your redirected domain to integrate the content of the other page corresponding to the target domain into its own HTML page.

You need a certificate for the ddns domain, and you'd have to use the DNS challenge for that.

4 Likes

I guess that must be port forwarding or a reverse proxy. (Somewhere else you wrote not 1000, but 10000.) In the access log file of your nginx proxy server behind CGNAT, do you see connections from the IP address 86.200.184.189? Or are all connections originating from the same IP address?

2 Likes

I'll be very frank now. I'm not doing this to come across as arrogant, condescending, or mean, but only to try to get you to understand your error in thinking. Your Emby server is exposed to the Internet, the dynamic DNS service provided by TTINet is well known. The TXT record indicating the port number you use is public. No one has any problem following the domain you use, via the DNS record that creates a forward through an iframe and ends at your Emby server. The only thing your "silliness" leads to is that your Emby server does not have an SSL certificate.

Although I'm clearly ignorant about this, I'm sure anyone who knows enough to be able to help me (or less, actually) is able to get all the information you have just thrown off there. It's quite obvious it is publicly available (as others have already emphasized). But I also believe that it is understandable if I am not that comfortable throwing my real name and direct information about my setup (again, even if all that information is already available by other means) in plain text somewhere.

I get your point, though. What other information would be needed for you to help me achieve what I am trying to do?

So the basic thing that you need in order to get a certificate is either:

  1. A web server which is publicly available on port 80, and/or
  2. A publicly-available DNS server which you can add and remove a TXT record.

It doesn't sound to me like you currently have one of those. So in order for you to achieve what you're trying to do, you need to either find an actual web host somewhere that will give you public access, or (if you're fine with the web server not being public and only used by people on your own network) a DNS host with an API that you can configure your ACME client to use.

3 Likes

Anyway, I find the "no A" error looks weird: in an invisible redirect context that page is handled by OVH, not by any of OP's servers, so there should be an A record for that domain however broken one's server is.

1 Like

I see! Thank you very much.

A quick question on point 1: if I host an HTTP server on a free Oracle VPS, to whose public IP I point my domain through an A record, for the SSL challenge, and forward incoming connections to the ddns, would that work?

1 Like

That's the entire job area of a reverse proxy: try caddy; you'll need some special option to trust the backend's self-signed certificate.

example but

# Caddy obtains and renews the public certificate for this name itself
unms.example.com {
    # forward to the backend on its non-standard port
    reverse_proxy 172.16.0.3:10000 {
        transport http {
                # talk HTTPS to the backend, but accept its self-signed certificate
                tls
                tls_insecure_skip_verify
        }
    }
}
4 Likes
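The VPS-as-reverse-proxy idea asked about above, written out as an added Go example (not code from the thread or from Caddy): the public host terminates TLS with the certificate that certbot can obtain there over port 80, and forwards to the media server behind CGNAT over HTTPS, accepting its self-signed certificate on that hop only. The backend URL and certificate paths are placeholders.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// NewEdgeProxy returns a reverse proxy for the "edge" host (a VPS with a
// public IP) that forwards every request to the media server reachable only
// through the CGNAT port forward, e.g. https://ddns.ISPdomain.com:10000.
// When trustSelfSigned is true the backend's self-signed certificate is
// accepted, which is what Caddy's tls_insecure_skip_verify does; the public
// certificate lives only on the edge host, never on the backend.
func NewEdgeProxy(backend string, trustSelfSigned bool) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(backend)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = &http.Transport{
		// applies to the edge->backend hop only; clients still verify the edge normally
		TLSClientConfig: &tls.Config{InsecureSkipVerify: trustSelfSigned},
	}
	// Give the backend its own host name rather than the public one.
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		r.Host = target.Host
	}
	return proxy, nil
}

func main() {
	// Placeholder backend and certificate paths (assumed, not from the thread);
	// the pair would be the one certbot obtained on this host via http-01.
	proxy, err := NewEdgeProxy("https://ddns.ISPdomain.com:10000", true)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServeTLS(":443", "/path/to/fullchain.pem", "/path/to/privkey.pem", proxy))
}
```

With trustSelfSigned false the proxy answers 502 when the backend presents an untrusted certificate, so the setting is the one knob that makes the self-signed backend reachable.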

As I was saying there are a lot of kinds of "forward", but yes a reverse proxy is the kind of thing you're looking for. I'll second the recommendation for caddy, it will just automatically get certificates as needed for you.

7 Likes

For the frontend side: it won't write a certificate for the backend.

3 Likes