I am running into an issue with a setup where one of my remote VMs can't query a bind9 DNS server that I set up.
So here is the setup: I have three virtual machines communicating with each other via a WireGuard setup. My bind9 DNS server lives on the VM3 host on a Docker network (192.168.255.0/24) with an IP of 192.168.255.53.
VM1: 10.100.20.10, WireGuard client: 10.0.0.20

VM2: 10.100.10.10, WireGuard server: 10.0.0.1

```ini
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ens3 -j MASQUERADE; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
```

VM3: 10.100.30.10, WireGuard client: 10.0.0.30, Docker network: 192.168.255.0/24

```ini
PreUp = iptables -N DOCKER-USER || true
PreUp = iptables -I DOCKER-USER -i wg0 -d 192.168.255.0/24 -j ACCEPT
PreUp = iptables -I FORWARD -s 10.0.0.0/24 -d 192.168.255.0/24 -j ACCEPT
PreUp = iptables -I FORWARD -s 10.100.20.0/24 -d 192.168.255.0/24 -j ACCEPT
PreUp = iptables -I FORWARD -s 192.168.255.0/24 -d 10.0.0.0/24 -j ACCEPT
PreUp = iptables -I FORWARD -s 192.168.255.0/24 -d 10.100.20.0/24 -j ACCEPT
```

Bind9: 192.168.255.53, Docker container: ubuntu/bind
```
options {
    directory "/var/cache/bind";
    dnssec-validation no;
    auth-nxdomain no;
    listen-on port 53 { any; };
    listen-on-v6 { none; };
    allow-query { any; };
    recursion yes;
    forwarders {
        8.8.8.8;   # Google Public DNS
        1.1.1.1;   # Cloudflare DNS
    };
};
```

So I can query bind9 from VM3, but I can't query bind9 from VM1. I am seeing the query traffic on wg0 on VM3, so I know the tunnel is working correctly. I can ping and traceroute from VM1 to the bind9 address, but I can't resolve anything, for example:
```
nslookup google.com 192.168.255.53
;; communications error to 192.168.255.53#53: timed out
;; communications error to 192.168.255.53#53: timed out
;; communications error to 192.168.255.53#53: timed out
;; no servers could be reached
```

After spending days on this, I am almost at my wits' end. I do see that a tcpdump in the bind9 container is empty when I try to query from VM1. Note that I do get traffic from VM3. I figure it must be an iptables routing issue. But the rules I set up on VM3 (as part of the WireGuard setup) are not enough for me to query bind9 from VM1. Am I missing a route somewhere? I can't see what I am missing.
I will say this: I went ahead and made a drastic attempt by disabling Docker's iptables integration. That finally allowed VM1 to query the bind9 DNS. In any case, this hints that it is something with iptables routing. Now, I don't want to disable iptables for Docker. I plan on using a KinD cluster, and disabling iptables for Docker doesn't sound like a good idea. I just can't figure out what is going on. Any help is welcome.
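As an added illustration (not part of the question above and not the asker's code), the following Python walks a filter-table ruleset in iptables-save syntax the way the kernel traverses it, so the chain order Docker imposes on FORWARD (jump to DOCKER-USER first, then DOCKER-ISOLATION-STAGE-1, then the per-bridge DOCKER chain, and finally the chain's DROP policy) can be checked against a given packet without a root shell on VM3. The ruleset and the packet are constructed: the rules are a typical Docker baseline for one bridge network, the bridge name br-dns is invented, and nothing here was dumped from the asker's hosts. It also shows why Docker documents inserting (-I) rather than appending (-A) into DOCKER-USER: Docker terminates that chain with a RETURN, so an appended rule is never evaluated.

```python
"""Walk an iptables filter-table ruleset the way the kernel traverses it.
Supports -i/-o/-s/-d and conntrack --ctstate (with "!" negation) and the
targets ACCEPT, DROP, RETURN and jump-to-user-chain; other matches are ignored."""
import ipaddress
import shlex

# Constructed ruleset (assumption): Docker's baseline for one bridge network.
# The bridge name "br-dns" is invented; this is not a dump from VM3.
DOCKER_BASELINE = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-dns -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-dns -j DOCKER
-A FORWARD -i br-dns ! -o br-dns -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""

# Constructed packet: VM1's DNS query arriving on VM3's wg0, bound for the container.
DNS_QUERY = {"in": "wg0", "out": "br-dns", "src": "10.0.0.20",
             "dst": "192.168.255.53", "ctstate": "NEW"}

MATCH_OPTS = ("-i", "-o", "-s", "-d", "--ctstate")


def parse_rules(text, extra=()):
    """Parse iptables-save text plus extra '-A CHAIN ...' / '-I CHAIN ...' commands
    (-I without a position number inserts at the head, as iptables does)."""
    policies, chains = {}, {}
    for line in list(text.splitlines()) + list(extra):
        line = line.strip()
        if line.startswith(":"):                       # chain declaration + policy
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith(("-A", "-I")):
            tok = shlex.split(line)
            rule, i, neg = {"matches": [], "target": None}, 2, False
            while i < len(tok):
                if tok[i] == "!":
                    neg, i = True, i + 1
                    continue
                arg = tok[i + 1] if i + 1 < len(tok) else None
                if tok[i] in MATCH_OPTS:
                    rule["matches"].append((tok[i], neg, arg))
                elif tok[i] == "-j":
                    rule["target"] = arg
                # "-m conntrack" only loads a match module: nothing to test here
                neg, i = False, i + 2
            chain = chains.setdefault(tok[1], [])
            if tok[0] == "-I":
                chain.insert(0, rule)
            else:
                chain.append(rule)
    return policies, chains


def matches(rule, pkt):
    for opt, neg, arg in rule["matches"]:
        if opt in ("-i", "-o"):
            hit = pkt.get("in" if opt == "-i" else "out") == arg
        elif opt in ("-s", "-d"):
            addr = pkt["src" if opt == "-s" else "dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(arg, strict=False)
        else:                                          # --ctstate
            hit = pkt.get("ctstate", "NEW") in arg.split(",")
        if hit == neg:                                 # "!" flips the sense
            return False
    return True


def evaluate(policies, chains, pkt, chain="FORWARD", path=None):
    """Return (verdict, path); path records every matching rule as 'CHAIN:n'."""
    path = [] if path is None else path
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        path.append(f"{chain}:{n}")
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):               # terminating for the whole hook
            return target, path
        if target == "RETURN":                         # hand back to the caller
            break
        if target in chains:                           # jump into a user chain
            verdict, path = evaluate(policies, chains, pkt, target, path)
            if verdict:
                return verdict, path
    # End of chain: a user chain returns None, a built-in chain applies its policy.
    return policies.get(chain), path


def verdict(pkt, extra_rules=()):
    """Fate of pkt under the Docker baseline plus extra iptables commands."""
    return evaluate(*parse_rules(DOCKER_BASELINE, extra_rules), pkt)


if __name__ == "__main__":
    # Docker alone: port 53 is not published, so FORWARD's DROP policy wins.
    print(verdict(DNS_QUERY))
    # The question's PreUp rule, inserted at the head of DOCKER-USER: accepted.
    print(verdict(DNS_QUERY, ["-I DOCKER-USER -i wg0 -d 192.168.255.0/24 -j ACCEPT"]))
    # The same rule appended (-A) lands behind Docker's RETURN and never runs.
    print(verdict(DNS_QUERY, ["-A DOCKER-USER -i wg0 -d 192.168.255.0/24 -j ACCEPT"]))
```

To use it on a real host, paste the output of `iptables-save -t filter` from VM3 in place of DOCKER_BASELINE and describe the packet VM1 sends (ingress interface, egress bridge, addresses). If the model returns ACCEPT for that packet while tcpdump inside the container stays empty, the filter table is not where the packet is lost, and the nat and raw tables, the routing table and rp_filter are the next things to check. The model deliberately covers only the matches listed in its docstring; anything else in a real dump is treated as matching, so read its answer as "which filter rule decides", not as a full packet-path simulation.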