[ I found a few DNS-related posts, but they were years old already…and unresolved. ]
Home Assistant lost its ability to reach external servers and even my other main too, which it used to find using its FQDN. Updates don’t work, the add-ons section never loads. I also noticed on my firewalls that it has been consistently trying to contact Cloudflare’s DoT servers.
All traffic, but especially DNS, is tightly controlled; unless it gets DNS from a local server it won’t be able to connect at all. I tried to set DNS up on the web UI (host:#/hassio/system) but it ignores it. I snooped around in the console and discovered more settings for DNS; I tried to set the server but it still wouldn’t connect. On top of that, making this change broke its internal NAT because now, on top of trying to bypass the local DNS, it does it from an address on the non-routable class B range, adding another reason for the firewalls to block the traffic.
I think I might have to start over at this point, but before I do I’d like to find out how to make it obey the settings from the get-go; it shouldn’t try to bypass admin settings like Amazon/Google’s and most recently Apple’s devices do, especially with encrypted protocols where there’s no visibility—not all network admins are ISPs or bad actors trying to collect user information. This techn…trend is hardly beneficial for users but awesome for obfuscating from them what companies do. …maybe on open public networks, IDK.
I trust Home Assistant; I had — until connectivity was lost — voluntarily opted in to send analytics; but you have to admit that encrypting DNS by default without warning, while not doing it for the frontend itself or having some clear, generic, non-plugin-based docs on how to do it, doesn’t look great. Hopefully the devs reverse this.
Software + network details
core-2022.3.5
supervisor-2022.03.5
Home Assistant OS 7.5
All shown on “their latest” versions, because there’s no connectivity, naturally. Only TCP HTTP(S) is allowed. DoT, known DoH hosts and QUIC are all forbidden. DNS is handled by domain controllers (which are also forbidden to contact outside) on standard UDP 53. There are more layers but this is the immediate DNS to Home Assistant.
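As an added example, not code from the thread or from Home Assistant: a small Python audit over constructed firewall log lines that flags the DNS-bypass patterns this post describes (DoT on TCP/853, QUIC on UDP/443, plain DNS to anything but the local domain controllers, and HTTPS to the public resolvers named later in the thread), and calls out any such connection the firewall let through. The log format, the resolver addresses and the 172.16.0.5 address standing in for the NAT range are assumptions.

```python
import re
from collections import Counter

# Constructed placeholders (not from the post): the two domain-controller resolvers.
APPROVED_RESOLVERS = {"192.168.10.10", "192.168.10.11"}
# Public resolvers named in the thread (1.1.1.1, 1.0.0.1, 8.8.8.8). DoH over 443 to
# these looks like ordinary HTTPS to a port-only policy, so we flag by destination.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

LINE_RE = re.compile(  # assumed log layout: ts action proto src:port -> dst:port
    r"^(?P<ts>\S+)\s+(?P<action>pass|block)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")

def classify(line):
    """Return (src, verdict, dst, action) for a DNS-policy violation, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, dst, dport = m["proto"], m["dst"], int(m["dport"])
    verdict = None
    if proto == "tcp" and dport == 853:
        verdict = "dot"                 # DNS over TLS, forbidden by the policy
    elif proto == "udp" and dport == 443:
        verdict = "quic"                # QUIC, forbidden by the policy
    elif dport == 53 and dst not in APPROVED_RESOLVERS:
        verdict = "foreign-dns"         # plain DNS bypassing the local DCs
    elif proto == "tcp" and dport == 443 and dst in PUBLIC_RESOLVERS:
        verdict = "possible-doh"        # HTTPS to a known public resolver
    if verdict is None:
        return None
    return (m["src"], verdict, dst, m["action"])

def audit(lines):
    """Flag violating lines, count verdicts per source host, list those passed."""
    findings = [f for f in map(classify, lines) if f]
    per_host = Counter((src, verdict) for src, verdict, _, _ in findings)
    passed = [f for f in findings if f[3] == "pass"]  # e.g. a leftover NAT pass rule
    return findings, per_host, passed

SAMPLE_LOG = """\
2022-03-20T10:00:01 block tcp 192.168.10.20:41822 -> 1.1.1.1:853
2022-03-20T10:00:01 block tcp 192.168.10.20:41823 -> 1.0.0.1:853
2022-03-20T10:00:02 pass  udp 192.168.10.20:51000 -> 192.168.10.10:53
2022-03-20T10:00:03 block udp 172.16.0.5:60001 -> 8.8.8.8:53
2022-03-20T10:00:04 pass  tcp 192.168.10.20:41830 -> 1.1.1.1:443
2022-03-20T10:00:05 block udp 192.168.10.20:41840 -> 198.51.100.5:443
2022-03-20T10:00:06 pass  tcp 192.168.10.20:41850 -> 203.0.113.10:443
"""
```

Running `audit(SAMPLE_LOG.splitlines())` on the constructed log yields five findings, of which only the HTTPS connection to 1.1.1.1 was passed by the firewall.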
I think I might have to reinstall anyway. Thanks for your help!
I did! I even tried NATing it to an internal DoT server; I knew it would fail since obviously I don’t have the Cloudflare certificates it would expect, but I’m happy to report that it stopped now. That’s what I logged in to do.
Because of its own NAT problem I decided to start over instead. I use HA for its nicer user UI compared to my controller’s; for automation it’s too complex. Without any automation I had not much to lose.
I downloaded the latest Home Assistant, already on v8, not just a point upgrade from my 7.x. The OVA didn’t work in Fusion, Workstation or vCenter (!) so I unzipped it, grabbed the VMDK and dropped it into the now-emptied skeleton of the old HA VM. I turned it on and saw the little thumbnail in vCenter fill with some green color, a good indication Linux is loading. I forgot about it. Later I tried its address and it was ready to be set up. Since it kept its MAC address it got the network settings from DHCP, DHCPv6, RA and [I assume] DNS-SD; for the integrations/devices I just need to MQTT it to the main controller. I enabled voluntary analytics once again but I wasn’t sure about the crash reports–I need to get on the specifics of that.
The only 853 now is between two DNS processing nodes on the way out, but that doesn’t appear with a big red X next to it. I think this all may have just been a bug.
Nevertheless, thank you for answering. I don’t know how to mark this solved though. I don’t think I can solve it myself–particularly since I did not do anything worth calling a fix. Oh well…
Before reinstalling I forgot to remove the NAT rule, which had in turn created a pass firewall rule. Home Assistant is still trying to contact DoT servers. It’s still able to install random add-ons, but at the same time Amazon and Cloudflare are in the mix, which could be anything…or DoH. I just lost trust in Home Assistant.
@vitaprimo you are right. Home Assistant or the add-ons are trying to connect to 8.8.8.8 or 1.1.1.1 or 1.0.0.1 from what I have seen so far. It does not matter what DNS you assign to Home Assistant, either through a DHCP lease or static; the public DNS servers are still being favored.