netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server
GNU General Public License v3.0

Failed to start Firejail DoH Proxy Server on Raspberry PI (boot) #66

Open Dejan1969 opened 2 years ago

Dejan1969 commented 2 years ago

I'm trying to set up fdns on a Raspberry Pi 4 (Ubuntu Server 64-bit) as a network server. So far it works great, but somehow it won't start on boot.

● fdns.service - Firejail DoH Proxy Server
     Loaded: loaded (/etc/systemd/system/fdns.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2021-07-16 20:06:45 UTC; 33s ago
       Docs: man:fdns(1)
    Process: 1666 ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110 (code=exited, status=1/FAILURE)
   Main PID: 1666 (code=exited, status=1/FAILURE)

Jul 16 20:06:45 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 5.
Jul 16 20:06:45 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:45 pi systemd[1]: fdns.service: Start request repeated too quickly.
Jul 16 20:06:45 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:45 pi systemd[1]: Failed to start Firejail DoH Proxy Server.

but it works just fine with "sudo systemctl start fdns"

user@pi:~$ sudo systemctl start fdns
user@pi:~$ sudo systemctl status fdns
● fdns.service - Firejail DoH Proxy Server
     Loaded: loaded (/etc/systemd/system/fdns.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-07-16 20:09:39 UTC; 2s ago
       Docs: man:fdns(1)
   Main PID: 1720 (fdns)
      Tasks: 2 (limit: 2101)
     CGroup: /system.slice/fdns.service
             └─1720 /usr/bin/fdns --proxy-addr=192.168.0.110

Jul 16 20:09:39 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:09:39 pi fdns[1721]: Testing server ahadns-pl
Jul 16 20:09:39 pi fdns[1721]:    Tags: adblocker, Poland, Europe
Jul 16 20:09:40 pi fdns[1721]:    SSL/TLS connection: 162.47 ms
Jul 16 20:09:41 pi fdns[1721]:    DoH query average: 27.49 ms
Jul 16 20:09:41 pi fdns[1721]:    DoH/Do53 bandwidth ratio: 5.21
Jul 16 20:09:41 pi fdns[1721]:    Keepalive: 140 to 170 seconds

I have compiled and installed fdns as recommended (btw, install fails to copy fdns.service to /etc/systemd/system/)

    $ ./configure --prefix=/usr
    $ make
    $ sudo make install-strip

and I am using https://github.com/netblue30/fdns/blob/master/etc/fdns.service with the following modifications:

#ExecStart=/usr/bin/fdns
ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110
# FJ: --protocol=unix,inet,inet6 (Breaks --proxy-addr, see #15)
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

Any ideas?

Also Firefox DoH (if activated) will bypass fdns even if started with "firejail --dns=192.168.0.110 firefox-esr".

If apps with built-in DoH can bypass fdns... Hmmm?

rusty-snake commented 2 years ago

What's the full log? journalctl --boot --unit=fdns.service

Dejan1969 commented 2 years ago

user@pi:~$ sudo journalctl --boot --unit=fdns.service

-- Logs begin at Wed 2020-04-01 17:23:43 UTC, end at Sat 2021-07-17 06:48:03 UTC. --
Jul 16 20:06:42 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:06:42 pi fdns[1570]: Error: invalid proxy address
Jul 16 20:06:42 pi systemd[1]: fdns.service: Main process exited, code=exited, status=1/FAILURE
Jul 16 20:06:42 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:42 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 1.
Jul 16 20:06:42 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:42 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:06:43 pi fdns[1632]: Error: invalid proxy address
Jul 16 20:06:43 pi systemd[1]: fdns.service: Main process exited, code=exited, status=1/FAILURE
Jul 16 20:06:43 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:43 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 2.
Jul 16 20:06:43 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:43 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:06:43 pi fdns[1654]: Error: invalid proxy address
Jul 16 20:06:43 pi systemd[1]: fdns.service: Main process exited, code=exited, status=1/FAILURE
Jul 16 20:06:43 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:43 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 3.
Jul 16 20:06:43 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:43 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:06:44 pi fdns[1661]: Error: invalid proxy address
Jul 16 20:06:44 pi systemd[1]: fdns.service: Main process exited, code=exited, status=1/FAILURE
Jul 16 20:06:44 pi systemd[1]: fdns.service: Failed with result 'exit-code'.
Jul 16 20:06:44 pi systemd[1]: fdns.service: Scheduled restart job, restart counter is at 4.
Jul 16 20:06:44 pi systemd[1]: Stopped Firejail DoH Proxy Server.
Jul 16 20:06:44 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:06:44 pi fdns[1666]: Error: invalid proxy address

Dejan1969 commented 2 years ago

user@pi:~$ sudo journalctl --unit=fdns.service


-- Logs begin at Wed 2020-04-01 17:23:43 UTC, end at Sat 2021-07-17 06:51:55 UTC. --
Jul 16 19:49:27 pi systemd[1]: Started fdns.
Jul 16 19:49:27 pi systemd[1]: fdns.service: Succeeded.
Jul 16 20:04:48 pi systemd[1]: Started Firejail DoH Proxy Server.
Jul 16 20:04:48 pi fdns[1988]: Testing server quad9
Jul 16 20:04:48 pi fdns[1988]:    Tags: anycast, security, Americas, AsiaPacific, Europe
Jul 16 20:04:48 pi fdns[1988]:    SSL/TLS connection: 194.79 ms
Jul 16 20:04:49 pi fdns[1988]:    DoH query average: 31.59 ms
Jul 16 20:04:49 pi fdns[1988]:    DoH/Do53 bandwidth ratio: 1.90
Jul 16 20:04:49 pi fdns[1988]:    Keepalive: 20 to 25 seconds
Jul 16 20:04:50 pi fdns[1990]: Testing server digital-society
Jul 16 20:04:50 pi fdns[1990]:    Tags: Switzerland, Europe
Jul 16 20:04:50 pi fdns[1990]:    SSL/TLS connection: 142.85 ms
Jul 16 20:04:51 pi fdns[1990]:    DoH query average: 23.57 ms
Jul 16 20:04:51 pi fdns[1990]:    DoH/Do53 bandwidth ratio: 4.77
Jul 16 20:04:51 pi fdns[1990]:    Keepalive: 140 to 170 seconds
Jul 16 20:04:52 pi fdns[1987]: Testing fallback server: adguard (94.140.14.14) - 11.80 ms
Jul 16 20:04:52 pi fdns[1987]: fdns starting
Jul 16 20:04:52 pi fdns[1987]: connecting to digital-society server
Jul 16 20:04:52 pi fdns[1987]: listening on 192.168.0.110
Jul 16 20:04:54 pi fdns[1991]: 470 filter entries added from /etc/fdns/trackers
Jul 16 20:04:54 pi fdns[1991]: 8940 filter entries added from /etc/fdns/fp-trackers
Jul 16 20:04:54 pi fdns[1991]: 10159 filter entries added from /etc/fdns/coinblocker
Jul 16 20:04:54 pi fdns[1991]: 60945 filter entries added from /etc/fdns/adblocker
Jul 16 20:04:54 pi fdns[1994]: 2 filter entries added from /etc/fdns/hosts
Jul 16 20:04:55 pi fdns[1994]: (0) Alert: SSL3 alert write:warning:close notify
Jul 16 20:04:55 pi fdns[1993]: (1) Alert: SSL3 alert write:warning:close notify

Dejan1969 commented 2 years ago

I have found a workaround solution. It looks like fdns starts before the network is ready on the Raspberry Pi. Changing the service type from simple to idle in fdns.service solves the problem (for now).

[Unit]
Description=Firejail DoH Proxy Server
Documentation=man:fdns(1)
Wants=network-online.target nss-lookup.target
Before=nscd.service nss-lookup.target ntpdate.service

[Service]
Type=idle
# start fdns as a local server listening on 127.1.1.1 loopback address
#ExecStart=/usr/bin/fdns
# start fdns as a network server listening on all interfaces and on 127.0.0.1 loopback address
#ExecStart=/usr/bin/fdns --proxy-addr-any
# start fdns as a network server listening on a specific network interface address
# --proxy-addr is broken when enabling RestrictAddressFamilies, see #15
ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110
# For more options like --allow-all-queries see man 1 fdns.
Restart=on-failure
...

rusty-snake commented 2 years ago

Good to hear you found a workaround, however idle shouldn't be used for ordering (it's racy). Does it work if you add an explicit After=network-online.target ([Unit])? Are there any other targets or services in an aarch64 Ubuntu server system that we should Wants/After for?

Dejan1969 commented 2 years ago

"However idle shouldn't be used for ordering" Yeah, I'm aware, but systemd is a real mess.

"After=network-online.target" didn't help, but at least I've figured it out now... FDNS starts after network-online.target, but fails because the Raspberry Pi doesn't get an IP from my router in time. The only other working solution was to use a static IP and add systemd-networkd-wait-online.service to fdns.service (at least the only solution I'm aware of; I'm open to other suggestions).

Ubuntu Server uses netplan, and setting up a static IP is done via /etc/netplan/50-cloud-init.yaml (it can be found under different names):

network:
    version: 2
    renderer: networkd
    ethernets:
      eth0:
        dhcp4: no
        addresses: [192.168.0.110/24]
        gateway4: 192.168.0.1
        nameservers:
          addresses: [192.168.0.110]

Modifications in /etc/systemd/system/fdns.service:

[Unit]
Description=Firejail DoH Proxy Server
Documentation=man:fdns(1)
After=systemd-networkd-wait-online.service
Wants=network-online.target nss-lookup.target systemd-networkd-wait-online.service
Before=nscd.service nss-lookup.target ntpdate.service

[Service]
Type=simple

There are so many outdated and incorrect "howtos" out there...

An interesting article related to this is here: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/ Please check the "What does this mean for me, a Developer?" section. Many thanks for the help.

rusty-snake commented 2 years ago

"because Raspberry PI don't getting IP from my router in time."

I know this problem. Some time ago I wanted to run a very simple updater script (just one wget) for an /etc/hosts blocklist after startup. It is awful that there is no way in systemd to start a unit once you are connected to "the internet".

rusty-snake commented 2 years ago

FYI https://raspberrypi.stackexchange.com/questions/78991/running-a-script-after-an-internet-connection-is-established#answer-117726 https://stackoverflow.com/questions/43001223/how-to-ensure-that-there-is-a-delay-before-a-service-is-started-in-systemd
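The two workarounds in this thread (Type=idle, and a static address plus systemd-networkd-wait-online.service) both try to make systemd wait until 192.168.0.110 exists before fdns binds to it. An alternative that works with DHCP and does not depend on which network manager is in use is an ExecStartPre= gate that polls the kernel for the address itself. The script below is an added example written for this thread; it is not part of fdns, and the file name, install path and the sample `ip -4 -o addr show` output are assumptions.

```sh
#!/bin/sh
# wait-for-addr.sh (assumed name): block until a given IPv4 address is configured
# on some interface, then exit 0. Intended as ExecStartPre= in fdns.service so that
# "fdns --proxy-addr=192.168.0.110" is not launched before the address exists,
# the situation that produced "Error: invalid proxy address" in the boot log above.
# Added example; not part of the fdns project.

# addr_in_listing LISTING ADDR
# Returns 0 if ADDR appears as a configured address in LISTING, the text produced by
# `ip -4 -o addr show`. Matching the fixed string " inet ADDR/" (with the slash) avoids
# a prefix match: 192.168.0.11 must not be accepted when only 192.168.0.110 is present.
addr_in_listing() {
    printf '%s\n' "$1" | grep -F -q " inet $2/"
}

# wait_for_addr ADDR [TIMEOUT_SECONDS]
# Polls `ip` once per second until ADDR is present or the timeout elapses.
# Deliberately uses only `ip` and never resolves a name: in the netplan config above
# the Pi's own nameserver is fdns, so a DNS lookup here would wait on the very
# service this gate is holding back.
wait_for_addr() {
    addr="$1"
    timeout="${2:-60}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if addr_in_listing "$(ip -4 -o addr show 2>/dev/null)" "$addr"; then
            return 0
        fi
        elapsed=$((elapsed + 1))
        sleep 1
    done
    echo "wait-for-addr: $addr not configured after ${timeout}s" >&2
    return 1
}

# Constructed sample of `ip -4 -o addr show` output (not captured from the reporter's
# system), used to exercise the matcher offline.
SAMPLE_LISTING='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.0.110/24 brd 192.168.0.255 scope global dynamic eth0\       valid_lft 86389sec preferred_lft 86389sec'

# Invoked as a script: wait-for-addr.sh ADDR [TIMEOUT_SECONDS]
# Suggested wiring in fdns.service (install path assumed; TimeoutStartSec must be
# longer than the poll timeout or systemd kills the gate before it gives up):
#   [Service]
#   Type=simple
#   ExecStartPre=/usr/local/sbin/wait-for-addr.sh 192.168.0.110 120
#   ExecStart=/usr/bin/fdns --proxy-addr=192.168.0.110
#   TimeoutStartSec=150
#   Restart=on-failure
case "${1:-}" in
    "") ;;                                # no arguments: only define the functions
    *)  wait_for_addr "$1" "${2:-60}" ;;
esac
```

Because the gate fails with exit status 1 after the timeout, Restart=on-failure still applies, so a lease that arrives very late only delays fdns rather than leaving the unit permanently failed as in the original log. The check is also independent of the static-IP change: with DHCP left on, the script simply waits for whatever address the router hands out, and only the value passed to --proxy-addr needs to match.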