NPM not resolving - Adguard, Unbound, Nginx setup

Started by metalmilitiaster, September 01, 2024, 04:59:40 PM

Been running my homelab successfully for a while in the following manner:

Adguard (port: 53) > Unbound (port: 5335) > DNS over TLS to Cloudflare. This has been working as intended for months.

Opnsense is running baremetal with Adguard and Unbound running as plugins.

I've since wanted to incorporate Nginx Proxy Manager to make use of Let's Encrypt certificates for local services as well as resolving to hostnames based on my domain hosted with Cloudflare. mydomain.com has been registered and the necessary A record (mydomain.com pointing to the NPM local address 192.168.2.226) and CNAME (* pointing to mydomain.com) have been created. An online nslookup confirms mydomain.com is pointing to 192.168.2.226, but if I run nslookup on one of my hosts I receive the following:

***@DH29P76QY6 ~ % nslookup mydomain.com
Server: 192.168.2.130
Address: 192.168.2.130#53

** server can't find odvdesigns.com: SERVFAIL


Keep in mind that 192.168.2.130 is my opnsense box and mydomain.com is just an example.

Nginx Proxy is running in an LXC container based on tteck's script. Proxy hosts have been added in Nginx with the relevant ports and a Let's Encrypt wildcard certificate for *.mydomain.com

When attempting to access jellyfin.mydomain.com in my browser I get ERR_CONNECTION_REFUSED and there are two responses in the Adguard query log as follows:

Response details (first query)
Status: Processed
DNS server: 127.0.0.1:5335
Elapsed: 0.92 ms
Response code: NOERROR

and

Response details (second query)
Status: Processed
DNS server: 127.0.0.1:5335
Served from cache
Elapsed: 0.20 ms
Response code: NOERROR
Response: A: 192.168.2.15 (ttl=3600)


192.168.2.15 is the correct address for the Jellyfin web UI, but why can I not reach it in the browser?

If I bypass my DHCP-assigned DNS on a local machine and use 1.1.1.1 instead, then I can reach all proxy hosts added to Nginx perfectly fine and the following nslookup is returned:

****@DH29P76QY6 ~ % nslookup jellyfin.mydomain.com
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
jellyfin.mydomain.com canonical name = mydomain.com.
Name: mydomain.com
Address: 192.168.2.226


192.168.2.226 being the address of Nginx Proxy.

I am only wanting to access services by subdomain name locally, so I have not done any port forwarding. I've tried overrides in Unbound and multiple other settings advised in threads I've been reading through, but I am confusing myself even more and was hoping someone can help me troubleshoot this in a structured manner.

Any help would be much appreciated, please.

You probably need to add (your actual) "mydomain.com" to Private Domains under Services -> Unbound DNS -> Advanced
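Why this fixes the SERVFAIL, as an added example that is not part of this thread: OPNsense's Unbound template lists the RFC 1918 ranges as private-address when its DNS rebind check is enabled (the default). A name resolved through the upstream (Cloudflare) that answers with 192.168.2.226 therefore has that address stripped as a possible DNS rebinding attack, and the client sees SERVFAIL. The "Private Domains" field corresponds to Unbound's `private-domain:` directive, which allows a domain and all of its subdomains to carry private addresses. The Python below is a model of that check written for this page, not Unbound's own code; the private ranges listed are assumed to be the stock ones, and `rebind_filter` and `in_private_domain` are names chosen here.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Ranges assumed to be listed as private-address by the stock OPNsense
# Unbound template when the DNS rebind check is on (check your unbound.conf).
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fd00::/8", "fe80::/10",
)]


def in_private_domain(qname: str, private_domains: Iterable[str]) -> bool:
    """True if qname equals, or is a subdomain of, a configured private-domain."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def rebind_filter(qname: str, answer_ips: Iterable[str],
                  private_domains: Iterable[str]) -> Tuple[str, List[str]]:
    """Model (not Unbound's code) of the private-address check on an upstream answer.

    Private addresses are stripped unless the name is covered by private-domain.
    An answer with nothing left is reported as SERVFAIL, which is what the
    nslookup in the thread showed before the domain was whitelisted.
    """
    ips = list(answer_ips)
    if in_private_domain(qname, private_domains):
        return "NOERROR", ips
    kept = [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in PRIVATE_ADDRESS)]
    if ips and not kept:
        return "SERVFAIL", []
    return "NOERROR", kept


if __name__ == "__main__":
    # Constructed sample: the thread's A record, before and after adding the private domain.
    print(rebind_filter("mydomain.com", ["192.168.2.226"], []))
    print(rebind_filter("mydomain.com", ["192.168.2.226"], ["mydomain.com"]))
    print(rebind_filter("jellyfin.mydomain.com", ["192.168.2.226"], ["mydomain.com"]))
```

The protection exists because a public name that resolves to an internal address lets a script loaded from that name talk to internal hosts; whitelisting only your own domain keeps the check in place for everything else.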

Thanks, I have done this and now some of the services are resolving, but not all.

adguard.mydomain.com returns the following when trying to access it via Chrome - see attachment. However, when opening it in an incognito window I do not receive this message.

unifi.mydomain.com does not resolve at all:

This site can't be reached
unifi.mydomain.com refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED


jellyfin.mydomain.com also does not resolve unless I specify the port number, i.e. jellyfin.mydomain.com:8096, although no certificate is then applied.

synology.mydomain.com redirects to https://synology.odvdesigns.com:5001/ but does not use the wildcard certificate and is still making use of the Synology default cert.

All of these are working as intended and with SSL certs:

nginx.mydomain.com
proxmox.mydomain.com
adguard.mydomain.com


"Resolve" (usually) refers to looking up a hostname in DNS and getting back an IP address. "Connection Refused" is (usually) not a failure to resolve - rather, the host/port you're trying to connect to has nothing listening there, or something (like a firewall) is blocking the connection. You have a lot going on there, including components I'm not familiar with, but I think you have at least some non-DNS problems to deal with...
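A structured way to tell the two failure modes apart, as an added example that is not part of this thread: resolve the name first, then attempt a TCP connection to the resulting address and port, and report which stage failed. The `check_service` function and the stub resolver and connector below are names and sample data made up for this example (the stubs stand in for a homelab so the script runs offline); with the defaults, `check_service` uses the real system resolver and a real TCP connect.

```python
import socket
from typing import Callable, Dict, Tuple


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> None:
    """Open and immediately close a TCP connection; raises on refusal or timeout."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def check_service(name: str, port: int,
                  lookup: Callable[[str], str] = socket.gethostbyname,
                  connect: Callable[[str, int], None] = tcp_connect) -> Tuple[str, str]:
    """Classify a failed access by the stage at which it failed.

    DNS_FAILURE         the name did not resolve: a resolver/DNS problem
    CONNECTION_REFUSED  resolved, but nothing listens on ip:port (or a reject rule)
    TIMEOUT             resolved, but no answer at all: typically a drop rule or wrong IP
    OK                  the TCP handshake completed
    """
    try:
        ip = lookup(name)
    except socket.gaierror as exc:
        return "DNS_FAILURE", f"{name}: {exc}"
    try:
        connect(ip, port)
    except ConnectionRefusedError:
        return "CONNECTION_REFUSED", f"{name} resolved to {ip}, port {port} refused"
    except (socket.timeout, TimeoutError):
        return "TIMEOUT", f"{name} resolved to {ip}, port {port} did not answer"
    return "OK", f"{name} -> {ip}:{port}"


# Constructed stand-ins (not real hosts) so the demonstration runs without a network.
STUB_DNS: Dict[str, str] = {"jellyfin.mydomain.com": "192.168.2.226"}
STUB_LISTENING = {("192.168.2.226", 443)}


def stub_lookup(name: str) -> str:
    if name not in STUB_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return STUB_DNS[name]


def stub_connect(ip: str, port: int) -> None:
    if (ip, port) not in STUB_LISTENING:
        raise ConnectionRefusedError(f"{ip}:{port}")


if __name__ == "__main__":
    for host, port in (("jellyfin.mydomain.com", 443),
                       ("jellyfin.mydomain.com", 8096),
                       ("unifi.mydomain.com", 443)):
        print(host, port, check_service(host, port, stub_lookup, stub_connect))
```

Run it against a real host with `check_service("jellyfin.mydomain.com", 443)` from the client that fails, then again with `lookup=lambda n: "192.168.2.226"` to pin the address: if the pinned run succeeds, the problem is DNS; if it still refuses, the proxy host or a firewall rule is the place to look.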

If I bypass my local DNS by using 1.1.1.1, synology.odvdesigns.com works and the Let's Encrypt certificate is used. All the other domain names work as well, but as soon as Unbound and Adguard are used again the queries do not reach Nginx Proxy.

I thought it was due to NPM being in a container and ports being blocked, but this is not the case.

Any suggestions for what else I can try or commands to run? The fact that it is not working is not the biggest problem here. The main reason I want to get this resolved is so that I can understand the process better.

This is all backwards. Unbound has no business resolving anything internal. All requests are processed by AGH.

Go to AGH and add your internal domain machines to the DNS rewrite section.

I've done as suggested and added a DNS rewrite in AGH of *.mydomain.com to NPM and am able to reach all NPM proxy hosts now. Thanks for this!

But I am still confused. I thought all DNS requests not in the Unbound cache (seeing that it's set up as a recursive DNS server) would go AGH > Unbound > Cloudflare?

So it is working locally now as needed, but what about when I want to reach the hosts by subdomain name externally at a later stage? Surely then I would need the request to reach Cloudflare so that it can point to one's public IP?

Also, the way it is currently working I'm assuming the A and CNAME records in Cloudflare are not required, but why are these always mentioned in tutorials for Nginx Proxy internal use?

Another observation is that now if I ping any machines by hostname then the Nginx IP is returned for all. Is this expected behaviour when Nginx Proxy is working correctly?
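A model of what the wildcard rewrite does, as an added example that is not part of this thread: a query matching an AGH DNS rewrite is answered by AGH itself and is never forwarded to Unbound or Cloudflare, which is why the Cloudflare records are no longer consulted by internal clients (they are what a client bypassing AGH, such as the 1.1.1.1 test above, sees). The bare-hostname observation is most likely the client's search list: if the DHCP-supplied search domain is mydomain.com, `ping proxmox` queries proxmox.mydomain.com, which the `*.mydomain.com` rewrite covers. The code below is written for this page; the search domain, the rewrite table and the upstream answers are constructed stand-ins, and the assumption that `*.d` matches only names with a label in front of `d` (not `d` itself) is a simplification, so check your AGH version's apex handling.

```python
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the setup in the thread (not real configuration).
REWRITES: Dict[str, str] = {"*.mydomain.com": "192.168.2.226"}   # the AGH rewrite to NPM
SEARCH_DOMAINS: List[str] = ["mydomain.com"]                      # assumed DHCP search suffix
UPSTREAM: Dict[str, str] = {"example.net": "203.0.113.10"}        # what Unbound would answer


def rewrite_lookup(qname: str, rewrites: Dict[str, str]) -> Optional[str]:
    """Return the rewrite target for qname, or None.

    Exact entries win over wildcards. Assumption: '*.d' matches any name with at
    least one label in front of d, not d itself.
    """
    q = qname.rstrip(".").lower()
    for pattern, target in rewrites.items():
        if not pattern.startswith("*.") and q == pattern.lower():
            return target
    for pattern, target in rewrites.items():
        if pattern.startswith("*.") and q.endswith(pattern[1:].lower()):
            return target
    return None


def expand_search(name: str, search_domains: List[str]) -> List[str]:
    """Model of a stub resolver's search list: a bare hostname is tried with each suffix."""
    if "." in name:
        return [name]
    return [f"{name}.{d}" for d in search_domains]


def resolve(name: str, rewrites: Dict[str, str] = REWRITES,
            search_domains: List[str] = SEARCH_DOMAINS,
            upstream: Dict[str, str] = UPSTREAM) -> Optional[Tuple[str, str, str]]:
    """AGH-style resolution: a matching rewrite is answered locally and never
    reaches Unbound/Cloudflare; anything else is forwarded upstream."""
    for candidate in expand_search(name, search_domains):
        target = rewrite_lookup(candidate, rewrites)
        if target:
            return candidate, target, "rewrite"
        if candidate in upstream:
            return candidate, upstream[candidate], "upstream"
    return None


if __name__ == "__main__":
    for q in ("jellyfin.mydomain.com", "proxmox", "example.net", "mydomain.com"):
        print(q, "->", resolve(q))
```

If a bare hostname should reach the machine itself rather than the proxy, an exact rewrite (or an Unbound host override, for names that are not rewritten) for that host takes precedence over the wildcard in this model, as the second test case shows.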