Strange NAT Resolution Issue - DNS Loop
So, I've encountered a strange issue that hopefully someone can point me in the right direction to figure it out/prevent it.
VestaCP VPS (container)
Apache (no nginx/fpm)
Let'sEncrypt per domain/subdomain
Public Static IP NAT'd to Private Class-C
I'm getting it setup for hosting my personal website (codejp3.com) and development sites for clients (subdomains) and for testing out software (also subdomains).
Using my own DNS and nameservers on the VPS.
Mxtoolbox.com reports no issues with either DNS or DKIM/SPF/DMARC. The only issues reported are for email -
Reverse DNS does not match SMTP Banner - which is due to my ISP not adding a PTR record
and a single false positive Blacklist which will drop off over time.
Email is working correctly, securely, and not getting rejected as spam by the big email providers.
I setup Nextcloud as a new VestaCP User and Subdomain with its own DNS records just like all other subdomains that have been functioning just fine.
Took a while, but I got Nextcloud up and running smoothly. Worked out each error one at a time until the logs stopped growing.
So I got to the point that I was ready to setup the MAIL app for Nextcloud allowing Nextcloud users the ability to add their own email accounts to their "cloud" accounts as a feature of Nextcloud (nothing to do with VestaCP really). I tried to add a gmail account to a Nextcloud user, and in the middle, it kicks out an error saying it can't login to the account, but then my whole VPS stopped responding to DNS. The server kept on functioning, but anything to do with name resolution stopped.
I didn't see any errors in the VestaCP logs.
The Nextcloud subdomain logs only showed messages about not authenticating on 993, which seems like a bad password response to me. Certainly not a major thing that should cripple DNS over the whole VPS.
I used mxtoolbox.com to assess and it said for my DNS:
"Loop detected! We were referred back to MY-STATIC-IP"
So I spent time inspecting what part of the NAT/IP handling process was dropping the ball and everything checked out. Even still "dig @MY-STATIC-IP mydomain.tld" showed NO ACTIVITY. Bind was up and not reporting any issues. DNS records per domain/subdomain were being pulled in my /etc/bind/named.conf but NOTHING. Just dead.
I could still access all domains/subdomains with a local private IP and the server was functioning normally, but all name resolution was crippled.
On a whim, I removed my public static IP from the NAT field in VestaCP > IP > NAT.
That changed all DNS records to use my private class-c server IP.
I then changed it back and put my public static IP back in the NAT field, changing all my DNS records for everything back to use the public IP ......and IT WORKED!!!!! DNS was back fully functional without any issues again.
I tried the same thing of adding a (gmail) IMAP email account for the Nextcloud user on that subdomain, and SAME ISSUE AGAIN.
DNS died, server-wide.
Bind is up and running.
No errors in logs.
Removing and re-adding my public IP from the NAT field in VestaCP fixed it.
Same thing each time.
Now I'm wondering why/how an IMAP Email function of a single subdomain could crash DNS server-wide? It seems to have to do with NAT and Bind, but I'm not sure where/why it's breaking. Any suggestions of what I can be looking for?
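The NAT toggle described in the post rewrites every A record in the VestaCP-generated zones between the container's private address and the public address, and a zone that ends up publishing a private (RFC 1918) address for a nameserver or a host is unreachable from the internet even though BIND itself is healthy. The following is an added example, not code from the original post or from VestaCP: an offline consistency check over a zone file that flags NS glue and A records pointing at non-routable space. The zone text, the public address 203.0.113.10 and the private address 192.168.1.20 are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample zone (an assumption, not from the post), modelled on what a
# panel writes for a hosting domain: ns2 and the "cloud" subdomain still carry
# the private container address while everything else uses the public NAT IP.
SAMPLE_ZONE = """\
$TTL 14400
@       IN SOA  ns1.example.test. admin.example.test. (2024022501 7200 3600 1209600 180)
@       IN NS   ns1.example.test.
@       IN NS   ns2.example.test.
ns1     IN A    203.0.113.10
ns2     IN A    192.168.1.20
@       IN A    203.0.113.10
www     IN A    203.0.113.10
cloud   IN A    192.168.1.20
mail    IN A    203.0.113.10
@       IN MX   10 mail.example.test.
"""

# Address space that must never appear in a zone served to the public internet.
# Listed explicitly (rather than via ipaddress.is_private) so documentation
# ranges such as 203.0.113.0/24 used in the sample are not flagged.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# owner [ttl] IN (A|NS) rdata  -- the only record types this check needs.
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|NS)\s+(\S+)$", re.IGNORECASE)


def is_non_routable(ip: str) -> bool:
    """True if the address lies in one of the NON_ROUTABLE networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def qualify(name: str, origin: str) -> str:
    """Expand a zone-file name ('@', relative, or absolute) to an FQDN without trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (A records keyed by FQDN, NS targets of the apex) from zone-file text."""
    a_records: Dict[str, List[str]] = {}
    ns_targets: List[str] = []
    last_owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line[0].isspace():                   # indented line inherits the previous owner
            line = f"{last_owner} {line.strip()}"
        else:
            last_owner = line.split()[0]
        m = RR_LINE.match(line.strip())
        if not m:
            continue                            # SOA, MX, TXT, $TTL etc. are not needed here
        owner, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3)
        if rtype == "A":
            a_records.setdefault(qualify(owner, origin), []).append(rdata)
        elif rtype == "NS" and qualify(owner, origin) == origin:
            ns_targets.append(qualify(rdata, origin))
    return a_records, ns_targets


def check_zone(text: str, origin: str) -> List[Tuple[str, str, str]]:
    """Findings as (fqdn, finding, address). Nameserver problems are reported first,
    because bad glue takes the whole zone offline, not just one host."""
    a_records, ns_targets = parse_zone(text, origin)
    findings: List[Tuple[str, str, str]] = []
    for ns in ns_targets:
        glue = a_records.get(ns, [])
        if not glue:
            findings.append((ns, "ns-without-glue", ""))
        for ip in glue:
            if is_non_routable(ip):
                findings.append((ns, "ns-glue-non-routable", ip))
    for name, ips in sorted(a_records.items()):
        if name in ns_targets:
            continue
        for ip in ips:
            if is_non_routable(ip):
                findings.append((name, "a-non-routable", ip))
    return findings


if __name__ == "__main__":
    for fqdn, finding, ip in check_zone(SAMPLE_ZONE, "example.test"):
        print(f"{finding:22} {fqdn:24} {ip}")
```

To use it on a live system, read each zone file that the post's /etc/bind/named.conf includes and pass its text and origin to `check_zone`; a clean zone returns an empty list. The check covers the private-address rewrite the poster observed when clearing the NAT field; it does not explain the referral loop itself, which has to be diagnosed on the running server (for example with `dig +norecurse @MY-STATIC-IP mydomain.tld NS` and by confirming BIND is listening on the address the NAT forwards to).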