Do we have to open ports on the firewall?
[ERROR]: error creating service client (error getting version from api endpoint 'https://zrok.xxx.xxx.com/': Get "https://zrok.sxxx.xxx.com/api/v1/version": dial tcp: lookup zrok.xxx.xxx.com on 127.0.0.53:53: no such host: Get "https://zrok.xxx.xxx.com/api/v1/version": dial tcp: lookup zrok.xxx.xxx.com on 127.0.0.53:53: no such host)
Any help appreciated.
https://docs.zrok.io/docs/guides/self-hosting/docker/
Not mentioned anywhere.
Hi @hhftechnologies, welcome to the community and to zrok (and OpenZiti and Browzer),
Generally speaking when I see "no such host" it means domain name resolution has failed somewhere/somehow.
It appears that you're self-hosting zrok, but you didn't show me the full zrok hostname, so I can't check that your name appears in global DNS.
I would expect you just need to add a DNS entry. It's mentioned here: Self-hosting guide for Docker | Zrok
Thank you for the prompt reply, but where do we have to point the DNS records? To the server IP?
I can't open ports on the firewall.
Sorry, that was your opening question... I glossed over it because it didn't seem relevant yet, since it looks like a DNS issue.
You should only require outbound access to the internet. If that means you need to open an outbound port, well, I can't answer that, but generally speaking if you put your components on 443 or 80, then that port is nearly always allowed outbound.
You do NOT need any inbound firewall ports open for clients, but you will of course need inbound ports open to the zrok controller, the zrok front end, the openziti controller and the openziti routers that encompass your overall zrok installation.
Does that make sense?
The server (zrok controller, the zrok front end, the openziti controller and the openziti routers) is on one VM and other services (API, blogs, etc.) are on the other VM, but both are interconnected.
The entire setup is encapsulated via pfSense as the firewall.
The current tunnels we use are CF.
From what you reported, it sounds like the diagram I showed. I think once you solve your DNS issue you'll be good to go.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;https://zrok.test.hhf.technology. IN A
;; AUTHORITY SECTION:
hhf.technology. 1800 IN SOA lou.ns.cloudflare.com. dns.cloudflare.com. 2353420549 10000 2400 604800 1800
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Oct 03 11:30:34 IST 2024
;; MSG SIZE rcvd: 122
This is my dig result for my DNS.
test.hhf.technology gives the default page.
Do you have an entry for the IP? That dig request looks strange to me: no IP is returned, only the SOA record.
Contrast this to my dig for my self-hosted zrok:
$ dig api.clint.demo.openziti.org
; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> api.clint.demo.openziti.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;api.clint.demo.openziti.org. IN A
;; ANSWER SECTION:
api.clint.demo.openziti.org. 30 IN A 3.142.245.63
Get DNS to return an IP for *.zrok.test.hhf.technology and you'll be fine. Another example of my own: see how anything.api.clint.demo.openziti.org returns the same IP?
$ dig share1.api.clint.demo.openziti.org +short
3.142.245.63
$ dig share2.api.clint.demo.openziti.org +short
3.142.245.63
$ dig share3.api.clint.demo.openziti.org +short
3.142.245.63
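As an added worked example, not code from this thread or from the zrok/OpenZiti projects: a small Python checker that reads dig output in the layout of the pastes above and classifies it. It flags a query name that still carries a URL scheme (the question section earlier in the thread shows `https://zrok.test.hhf.technology.` being looked up rather than the bare hostname), separates NOERROR with an empty ANSWER and only an SOA in AUTHORITY from NXDOMAIN, and checks that several names under the wildcard all return one IP, as the share1/share2/share3 lookups do. The dig texts are constructed here in the same layout as the thread's pastes rather than captured from real lookups; the hostnames and 3.142.245.63 are taken from the thread, and `make_dig_output`, `diagnose` and `wildcard_ips` are names chosen for this example.

```python
"""Classify dig output for a zrok API hostname and check a wildcard A record."""
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
ANSWER_RE = re.compile(r"ANSWER:\s*(\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+A\s*$")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Pull the fields that matter out of dig's text output.

    Returns a dict: qname, status, answer_count, a_records (list), soa_in_authority (bool).
    """
    res = {"qname": "", "status": "", "answer_count": 0, "a_records": [], "soa_in_authority": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            res["status"] = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            m = ANSWER_RE.search(line)
            res["answer_count"] = int(m.group(1)) if m else 0
        elif line.startswith(";; QUESTION SECTION"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif line.startswith(";;"):
            section = None  # OPT PSEUDOSECTION, Query time, SERVER, ...: not record sections
        elif line.startswith(";"):
            if section == "question":
                m = QUESTION_RE.match(line)
                if m:
                    res["qname"] = m.group(1)
        else:
            m = RR_RE.match(line)
            if m and section == "answer" and m.group(2) == "A":
                res["a_records"].append(m.group(3).strip())
            elif m and section == "authority" and m.group(2) == "SOA":
                res["soa_in_authority"] = True
    return res


def diagnose(text):
    """Map one dig result to the situation it indicates for the zrok hostname."""
    r = parse_dig(text)
    if "://" in r["qname"] or "/" in r["qname"]:
        return "bad-query-name"  # a URL was passed to dig; query the bare hostname instead
    if r["a_records"]:
        return "resolves"
    if r["status"] == "NXDOMAIN":
        return "nxdomain"  # no record and no wildcard covering the name
    if r["status"] == "NOERROR" and r["answer_count"] == 0:
        return "nodata"  # NOERROR, empty ANSWER, SOA in AUTHORITY: name exists but has no A record
    return "lookup-failed"


def wildcard_ips(outputs):
    """Distinct A records across several lookups under one wildcard; a healthy wildcard yields one."""
    ips = set()
    for text in outputs:
        ips.update(parse_dig(text)["a_records"])
    return ips


def make_dig_output(qname, status, answer_ips=(), soa_authority=False):
    """Constructed dig-style text in the layout of the thread's pastes (not a real lookup)."""
    fqdn = qname if qname.endswith(".") else qname + "."
    zone = ".".join(fqdn.rstrip(".").split(".")[-2:]) + "."
    lines = [
        f"; <<>> DiG 9.18.28 <<>> {qname}",
        ";; global options: +cmd",
        ";; Got answer:",
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1",
        f";; flags: qr rd ra; QUERY: 1, ANSWER: {len(answer_ips)}, AUTHORITY: {int(soa_authority)}, ADDITIONAL: 1",
        ";; OPT PSEUDOSECTION:",
        "; EDNS: version: 0, flags:; udp: 1232",
        ";; QUESTION SECTION:",
        f";{fqdn}\t\tIN\tA",
    ]
    if answer_ips:
        lines.append(";; ANSWER SECTION:")
        lines += [f"{fqdn}\t30\tIN\tA\t{ip}" for ip in answer_ips]
    if soa_authority:
        lines.append(";; AUTHORITY SECTION:")
        lines.append(f"{zone}\t1800\tIN\tSOA\tns1.{zone} hostmaster.{zone} 1 10000 2400 604800 1800")
    lines += [";; Query time: 32 msec", ";; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)"]
    return "\n".join(lines)


# Samples built from the thread's hostnames; 3.142.245.63 is the IP shown in the thread.
BAD_NAME = make_dig_output("https://zrok.test.hhf.technology", "NOERROR", soa_authority=True)
NODATA = make_dig_output("zrok.test.hhf.technology", "NOERROR", soa_authority=True)
NXDOMAIN = make_dig_output("zrok.test.hhf.technology", "NXDOMAIN", soa_authority=True)
WILDCARD = [make_dig_output(f"share{i}.api.clint.demo.openziti.org", "NOERROR", ("3.142.245.63",))
            for i in (1, 2, 3)]

if __name__ == "__main__":
    for label, sample in (("bad name", BAD_NAME), ("nodata", NODATA), ("nxdomain", NXDOMAIN)):
        print(f"{label}: {diagnose(sample)}")
    print("wildcard IPs:", wildcard_ips(WILDCARD))
```

To use it against a live setup, pipe real output in (for example `dig zrok.test.hhf.technology` and a couple of made-up labels under the wildcard) and feed the text to `diagnose` and `wildcard_ips`; anything other than `resolves` and a single IP means the zrok client will keep failing with "no such host" regardless of the firewall.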