Selfhosted

40218 readers

1336 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

ruud@lemmy.world

Loki@lemmy.world

CannaVet@lemmy.world

HybridSarcasm@lemmy.world

devve@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

rDNS, how? (feddit.dk)

submitted 1 year ago by drkt@feddit.dk to c/selfhosted@lemmy.world

46 comments fedilink hide all child comments

I'm on at least 2 blocklists at this point for the crime of not having reverse DNS set up. I don't know how rDNS works. No amount of reading Wikipedia is helping me understand what I have to do.

I have a domain at a registrar which gives me bog standard DNS.
I have Apache running on my network.
I have PiHole running on my network.

My understanding is that rDNS is not set up at my registrar, but somewhere in my network. What do I do?

Thank you for your time.

you are viewing a single comment's thread
view the rest of the comments

[–] drkt@feddit.dk 1 points 1 year ago (7 children)

I've learned that the bad checksums are to to be ignored because it's the NIC that's responsible for it, so tcpdump sees the wrong checksums and it doesn't matter. I have also learned that the Apache container actually does see the incoming connections. Here's an example of my working connection and his connection.

root ~ -> tcpdump -n port 443

## My machine to https://drkt.eu
15:44:50.985650 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [S], seq 2232908482, win 64800, options [mss 1440,nop,wscale 8,nop,nop,sackOK], length 0
15:44:50.985656 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [S.], seq 1276898910, ack 2232908483, win 64800, options [mss 1440,nop,nop,sackOK,nop,wscale 7], length 0
15:44:50.985780 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 1, win 8235, length 0
15:44:50.987032 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 1:518, ack 1, win 8235, length 517
15:44:50.987040 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 518, win 503, length 0
15:44:50.987333 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 1:4097, ack 518, win 503, length 4096
15:44:50.987566 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 4097, win 8235, length 0
15:44:50.988400 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 4097:5381, ack 518, win 503, length 1284
15:44:50.988531 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 5381, win 8229, length 0
15:44:50.992091 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 518:582, ack 5381, win 8229, length 64
15:44:50.992095 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 582:1087, ack 5381, win 8229, length 505
15:44:50.992173 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 1087, win 501, length 0
15:44:50.992274 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5381:5668, ack 1087, win 501, length 287
15:44:50.992342 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5668:5955, ack 1087, win 501, length 287
15:44:50.992488 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 5955, win 8235, length 0
15:44:50.993404 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 5955:10902, ack 1087, win 501, length 4947
15:44:50.993647 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 10902, win 8235, length 0
15:44:55.998521 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [P.], seq 10902:10926, ack 1087, win 501, length 24
15:44:55.998547 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [F.], seq 10926, ack 1087, win 501, length 0
15:44:55.998727 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [P.], seq 1087:1111, ack 10926, win 8234, length 24
15:44:55.998733 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [.], ack 10927, win 8234, length 0
15:44:55.998734 IP6 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868 > 2a05:f6c7:8039::1337.443: Flags [F.], seq 1111, ack 10927, win 8234, length 0
15:44:55.998736 IP6 2a05:f6c7:8039::1337.443 > 2a05:f6c7:8039:0:c859:8de4:257f:b4ff.53868: Flags [.], ack 1112, win 501, length 0

## Office dude to https://drkt.eu
15:45:06.759198 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:06.759210 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:07.009444 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:07.009455 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:07.761986 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:07.761994 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:08.011014 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:08.011023 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:08.774730 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:09.030829 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:09.772318 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:09.772327 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:10.020444 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:10.020452 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:11.782726 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:12.038818 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:13.778722 IP 5.186.33.87.59842 > 192.168.78.164.443: Flags [S], seq 3042763137, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:13.778730 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:14.026072 IP 5.186.33.87.59843 > 192.168.78.164.443: Flags [S], seq 1050721154, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:45:14.026082 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:18.026717 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:18.282740 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:26.214732 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:26.474741 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:42.342747 IP 192.168.78.164.443 > 5.186.33.87.59842: Flags [S.], seq 4039717320, ack 3042763138, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:45:42.598745 IP 192.168.78.164.443 > 5.186.33.87.59843: Flags [S.], seq 1810250599, ack 1050721155, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

[–] chiisana@lemmy.chiisana.net 1 points 1 year ago (6 children)

We're making progress!

Looks like connection are being made, so it isn't routing after all!

Looking at the first recording, based on the different packet length, I'd guess it is doing SSL handshake properly; whereas the second one seems to be all 0 length and so something is not working out. At least on a cursory glance, your settings seems to be pretty permissive, so unless your friend's using a super old system, it shouldn't be an issue. Do you know what OS your friend is using, and if it has up-to-date root certificates? Are they on a system with openssl cli available? Judging by the unifi network, probably? Try openssl s_client -connect drkt.eu:443 -prexit (and ctrl + c to quit after it stops) and see if you can see any oddities with the SSL handshake process.

[–] drkt@feddit.dk 1 points 1 year ago (5 children)

He's running Windows 10, unfortunately- but wouldn't SSL errors show up in Apache logs? His IP appears 0 times in all apache error and access logs dating back 8 months (the beginning of recorded logs).

Here's another example of a working request to https://drkt.eu, and his non-working request respectively.

21:06:10.038213 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [S], seq 383581601, win 65535, options [mss 1460,nop,nop,sackOK,nop,wscale 11], length 0
21:06:10.038225 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [S.], seq 1228608203, ack 383581602, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:06:10.062959 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [.], ack 1228608204, win 32, length 0
21:06:10.068861 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [P.], seq 383581602:383582119, ack 1228608204, win 32, length 517
21:06:10.068878 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [.], ack 383582119, win 501, length 0
21:06:10.069190 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228608204:1228611124, ack 383582119, win 501, length 2920
21:06:10.069272 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228611124:1228612300, ack 383582119, win 501, length 1176
21:06:10.069905 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228612300:1228613496, ack 383582119, win 501, length 1196
21:06:10.093915 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [.], ack 1228611124, win 35, length 0
21:06:10.094156 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [.], ack 1228612300, win 37, length 0
21:06:10.095161 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [.], ack 1228613496, win 38, length 0
21:06:10.096357 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [P.], seq 383582119:383582245, ack 1228613496, win 38, length 126
21:06:10.096588 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228613496:1228613547, ack 383582245, win 501, length 51
21:06:10.121482 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [P.], seq 383582245:383582345, ack 1228613547, win 38, length 100
21:06:10.121749 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228613547:1228614978, ack 383582345, win 501, length 1431
21:06:10.146792 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [P.], seq 383582345:383582376, ack 1228614978, win 40, length 31
21:06:10.146907 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [P.], seq 1228614978:1228615009, ack 383582376, win 501, length 31
21:06:10.146931 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [F.], seq 1228615009, ack 383582376, win 501, length 0
21:06:10.147568 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [F.], seq 383582376, ack 1228614978, win 40, length 0
21:06:10.147573 IP 192.168.78.164.443 > 185.21.217.51.34034: Flags [.], ack 383582377, win 501, length 0
21:06:10.171696 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [R], seq 383582376, win 0, length 0
21:06:10.171722 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [R], seq 383582376, win 0, length 0
21:06:10.172482 IP 185.21.217.51.34034 > 192.168.78.164.443: Flags [R], seq 383582377, win 0, length 0

21:49:09.999249 IP 5.186.33.87.51592 > 192.168.78.164.443: Flags [S], seq 2577736519, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:09.999412 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:10.254112 IP 5.186.33.87.51594 > 192.168.78.164.443: Flags [S], seq 2174498243, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:10.254425 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:11.000511 IP 5.186.33.87.51592 > 192.168.78.164.443: Flags [S], seq 2577736519, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:11.000624 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:11.262009 IP 5.186.33.87.51594 > 192.168.78.164.443: Flags [S], seq 2174498243, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:11.262135 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:12.010686 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:12.266608 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:13.014793 IP 5.186.33.87.51592 > 192.168.78.164.443: Flags [S], seq 2577736519, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:13.014920 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:13.265504 IP 5.186.33.87.51594 > 192.168.78.164.443: Flags [S], seq 2174498243, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:13.265645 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:15.046677 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:15.274640 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:17.022305 IP 5.186.33.87.51592 > 192.168.78.164.443: Flags [S], seq 2577736519, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:17.022424 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:17.277539 IP 5.186.33.87.51594 > 192.168.78.164.443: Flags [S], seq 2174498243, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:49:17.277663 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:21.226692 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:21.482700 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:29.414663 IP 192.168.78.164.443 > 5.186.33.87.51592: Flags [S.], seq 3425825559, ack 2577736520, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:49:29.670628 IP 192.168.78.164.443 > 5.186.33.87.51594: Flags [S.], seq 1029590757, ack 2174498244, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

[–] chiisana@lemmy.chiisana.net 2 points 1 year ago

See this page here that explains the Flags: https://opensource.com/article/18/10/introduction-tcpdump

Typically, in a TCP connection, you'd SYN, SYN+ACK, ACK, then transfer actual data over. In the successful sequence, you see this happening as expected.

In the unsuccessful sequence, it seems to be stuck in SYN, SYN+ACK, but there is no ACK that follows (Flags [.]).

Where is the second one captured? On the user's system, or on your system? Something in between is determining the packet isn't intended for the destination and dropping it. It may be a firewall, it may be something else.

load more comments (4 replies)