Posted: Mon Dec 05, 2022 7:01 Post subject: Port forwarding not working on Bind9 DNS
Hi everyone:
I used to have a public static IP for my Bind9 DNS server and a second one for my web server. Unfortunately I changed ISP and now I have to share just one public static IP between my DD-WRT router, the DNS server and the web server (the public static IP is directly on the WAN IP of the DD-WRT router).
So, I set up port forwarding to the web server without any issues on port 443 (TCP), and on port 53 (UDP) for the DNS server, but the DNS server is not working, as it is only listening on port 53 on the LAN's IP address even though the port is open (telnet tested). The DNS does not answer queries to the public static IP, only LAN queries, as the process is bound to the LAN's IP (netstat tested). I have already tried everything to make the Bind9 server listen on my public IP without finding any solution. So, I would like to ask if there is anything to be done with commands for the NAT to translate the queries in a way that Bind9 thinks they come from the LAN instead of the public static IP.
BTW, what is IP forwarding 1:1 NAT? It is not explained anywhere. It is under the NAT/QoS menu.
Are you running “named” on the router, or on a host connected to the router?
Port forwarding won’t work if running on the router; you’ll need to adjust the firewall to allow incoming connections to the WAN IP, which is somewhat dangerous if you don’t have a good handle on internet security.
Also, remember that you need 53/TCP forwarded / allowed as well for EDNS packets.
You would have to also use the -z flag and specify interfaces to dnsmasq, since it binds to all interfaces by default, and you would encounter port collisions.
If you’re running “named” on a separate host, be sure that your resolver ACLs allow for any host to query the server, but again, you may have to play around with dnsmasq settings on the router to make sure that it’s not intercepting the traffic. Also, is the firewall running on the DNS server host allowing the traffic?
1:1 NAT is what was called a DMZ host, where all ports are simply translated and sent to a single IP in the DMZ.
If you are running Bind 9 DNS via Entware on your DD-WRT router, then it's easy too...
Just bear in mind that Entware does not update its packages to the latest versions... and therefore this could be a security risk.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
Thank you guys for your answers. I'm running Bind9 on a Debian Linux server, not inside the router. Unfortunately I found hundreds of posts where Bind9 does not listen on 0.0.0.0:53, just on the actual LAN IP interface 10.24.1.X, so even with the TCP and UDP ports forwarded to that IP the DNS doesn't listen to the queries.
How can I check if dnsmasq is blocking the port 53 queries?
As I did not find any solution forwarding ports, I'm trying to assign a public static IP to the Linux server, but there is another problem, because I'm not able to assign the IP directly without IP redirection (I'm trying to add one port of my switch to the WAN VLAN without any success yet).
The way port forwarding is supposed to work is that the incoming connection to the WAN IP is SNAT’d to the IP of the server processing the request.
The DNS server will only be listening on its LAN interface, as that is on the inside interface of the firewall. The router’s firewall then translates the IP and the port and payload remain the same. This should work or else all load balancers throughout the history of the internet wouldn’t be able to handle DNS traffic (they can and do).
Your DNS server will not be reachable directly from the internet, as the router will be proxying the connection by means of static-NAT, bi-directionally.
I’m not sure what you are attempting where it won’t answer on the public IP, but it still sounds like maybe your resolver ACLs don’t allow for any host to query the server, since the source IP doesn’t change in an SNAT scenario.
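The thread converges on the resolver ACLs, and that is the right place to look. When the router forwards WAN:53 to the Debian host it rewrites the destination address of each packet to the server's LAN IP (a DNAT in the router's PREROUTING chain, which happens before the packet can reach the router's own dnsmasq), so named only ever sees queries addressed to 10.24.1.X with the internet client's real source IP. A `listen-on` limited to the LAN address is therefore fine; what decides whether the query is answered is `allow-query`, and what decides whether the box becomes an open resolver is `allow-recursion`. The following named.conf options fragment is an added example, not configuration from anyone in the thread; the address 10.24.1.53, the ACL name "lan" and the zone example.org are placeholders.

```conf
// Added example, not from the original thread.
// Assumes named's LAN address is 10.24.1.53 (placeholder), that the router
// DNATs WAN 53/tcp and 53/udp to 10.24.1.53:53, and that this server is
// authoritative for example.org (placeholder zone).

// --- Weak: answers anyone AND recurses for anyone = open resolver ---
// Once 53 is forwarded from the internet this is abusable for DNS
// amplification; do not deploy it.
// options {
//     listen-on { any; };
//     allow-query { any; };
//     recursion yes;
// };

// --- Hardened: public authoritative service, recursion only for the LAN ---
acl "lan" { 10.24.1.0/24; localhost; };

options {
    directory "/var/cache/bind";
    listen-on { 10.24.1.53; };       // LAN IP is enough behind DNAT
    listen-on-v6 { none; };
    allow-query { any; };            // internet may query the zones below
    allow-query-cache { "lan"; };    // cached answers only for the LAN
    allow-recursion { "lan"; };      // never recurse for internet clients
    allow-transfer { none; };        // no AXFR unless a secondary needs it
    version "not disclosed";
    dnssec-validation auto;
};

zone "example.org" {
    type master;                     // "primary" on BIND 9.16+ means the same
    file "/etc/bind/db.example.org";
    allow-query { any; };
};
```

Validate with `named-checkconf` before reloading. From a host outside the network, `dig @<WAN IP> example.org SOA +norecurse` should return an authoritative answer over both UDP and TCP, while `dig @<WAN IP> example.com A` (a zone this server does not hold) should come back REFUSED; if the first query times out, check the router's NAT and forward rules and the Debian host's own firewall (nftables or ufw) for 53/tcp and 53/udp before changing anything in named.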