Port forwarding not working on Bind9 DNS

DD-WRT Forum Index -> Broadcom SoC based Hardware
mflorezm
DD-WRT Novice


Joined: 19 Feb 2018
Posts: 11

Posted: Mon Dec 05, 2022 7:01    Post subject: Port forwarding not working on Bind9 DNS
Hi everyone:

I used to have a public static IP for my Bind9 DNS server and a second one for my web server. Unfortunately I changed ISP and now I have to share just one public static IP between my DD-WRT router, the DNS server and the web server (the public static IP is directly on the WAN IP of the DD-WRT router).

So I did port forwarding to the web server without any issues on port 443 (TCP), and 53 (UDP) to the DNS server, but the DNS server is not working, as it is only listening on port 53 on the LAN's IP address, even though the port is open (telnet tested). The DNS does not answer queries sent to the public static IP, only LAN queries, as the process is bound to the LAN's IP (netstat tested). So I already tried everything to get the Bind9 server to listen on my public IP without finding any solution. So I would like to ask if there is anything to be done with commands for the NAT to translate the queries in a way that Bind9 thinks they come from the LAN instead of the public static IP.

BTW, what is IP forwarding 1:1 NAT? It is not explained anywhere. It is under the NAT/QoS menu.

Thanks,

Mauricio F.
Hapi12021
DD-WRT User


Joined: 22 Jul 2021
Posts: 84

Posted: Mon Dec 05, 2022 14:34
Are you running "named" on the router, or on a host connected to the router?

Port forwarding won't work if it is running on the router; you'll need to adjust the firewall to allow incoming connections to the WAN IP, which is somewhat dangerous if you don't have a good handle on internet security.

Also, remember that you need 53/TCP forwarded/allowed as well, for EDNS packets.

You would also have to use the -z flag and specify interfaces to dnsmasq, since it binds to all interfaces by default, and you would encounter port collisions.

If you're running "named" on a separate host, be sure that your resolver ACLs allow any host to query the server, but again, you may have to play around with the dnsmasq settings on the router to make sure that it's not intercepting the traffic. Also, is the firewall running on the DNS server host allowing the traffic?

1:1 NAT is what was called a DMZ host, where all ports are simply translated and sent to a single IP in the DMZ.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Mon Dec 05, 2022 16:12
1-to-1 NAT: https://wiki.dd-wrt.com/wiki/index.php/One-to-one_NAT

If you are running your DNS server on an external device, then it's easy to point to it... either using dnsmasq or not...

The idea is the same as running an external Pi DNS server: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414 ..

If you are running Bind9 DNS via Entware on your DD-WRT router, then it's easy too...
Just bear in mind Entware does not update its packages to the latest versions... and therefore this could be a security risk..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
mflorezm
DD-WRT Novice


Joined: 19 Feb 2018
Posts: 11

Posted: Wed Dec 07, 2022 3:08
Thank you guys for your answers. I'm running Bind9 on a Debian Linux server, not inside the router. Unfortunately I found hundreds of posts where Bind9 does not listen on 0.0.0.0:53, just on the actual LAN IP interface 10.24.1.X, so even with the TCP and UDP ports forwarded to that IP the DNS doesn't listen to the queries.

How can I check if dnsmasq is blocking the port 53 queries?

As I did not find any solution forwarding ports, I'm trying to assign a public static IP to the Linux server, but there is another problem, because I'm not able to assign the IP directly without IP redirection (I'm trying to add one port of my switch to the WAN VLAN, without any success yet).

Thanks,

MFM
Hapi12021
DD-WRT User


Joined: 22 Jul 2021
Posts: 84

Posted: Wed Dec 07, 2022 4:49
The way port forwarding is supposed to work is that the incoming connection to the WAN IP is SNAT'd to the IP of the server processing the request.

The DNS server will only be listening on its LAN interface, as that is on the inside interface of the firewall. The router's firewall then translates the IP, and the port and payload remain the same. This should work, or else all load balancers throughout the history of the internet wouldn't be able to handle DNS traffic (they can and do).

Your DNS server will not be reachable directly from the internet, as the router will be proxying the connection by means of static NAT, bi-directionally.

I'm not sure what you are attempting where it won't answer on the public IP, but it still sounds like maybe your resolver ACLs don't allow any host to query the server, since the source IP doesn't change in an SNAT scenario.
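An added check (my own example, not code from this thread) for the situation Hapi12021 describes in both replies: the router rewrites only the destination address of an incoming packet (DNAT), so a named bound to 10.24.1.X still receives the query, but the source address stays the public address of whoever asked, and that is what named's allow-query ACL sees. The script below builds a DNS query, sends it to the WAN IP over UDP and again over TCP (the 53/TCP forward the first reply asks for), and classifies the result: a timeout means the forward, the router firewall or the host firewall dropped it; RCODE 5 (REFUSED) means named answered but its ACL rejected the source; TC=1 on the UDP reply means the TCP path must work too. The server address and name on the command line are assumed inputs; the reply bytes in the test are constructed, not captured. Run it from outside the LAN, since reaching the WAN IP from inside depends on the router's NAT loopback setting.

```python
"""Probe a port-forwarded DNS server from outside, over UDP and TCP.

Added example; not from the DD-WRT thread. Usage: probe.py <server-ip> <name>
"""
import random
import socket
import struct
import sys

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=QTYPE_A, txid=None):
    """Return a wire-format DNS query: random ID, RD=1, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a probe cares about."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer from named itself
        "tc": bool(flags & 0x0200),   # truncated: client must retry over TCP
        "rcode": flags & 0x000F,      # 5 = REFUSED, typically an allow-query ACL
        "ancount": an,
    }


def check_reply(query, reply):
    """Validate a reply against its query: ID must match, QR set, RCODE 0, not TC."""
    h = parse_header(reply)
    (sent_id,) = struct.unpack("!H", query[:2])
    h["id_match"] = h["id"] == sent_id
    h["rcode_name"] = RCODE_NAMES.get(h["rcode"], str(h["rcode"]))
    h["ok"] = h["id_match"] and h["qr"] and h["rcode"] == 0 and not h["tc"]
    return h


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_udp(server, name, timeout=3.0):
    """Send one query to server:53/UDP and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _peer = s.recvfrom(4096)
    return check_reply(q, data)


def probe_tcp(server, name, timeout=3.0):
    """Send one query to server:53/TCP (2-byte length prefix) and classify the reply."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return check_reply(q, data)


if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]
    for label, probe in (("UDP", probe_udp), ("TCP", probe_tcp)):
        try:
            r = probe(server, name)
            print("%s: ok=%s aa=%s tc=%s rcode=%s answers=%d"
                  % (label, r["ok"], r["aa"], r["tc"], r["rcode_name"], r["ancount"]))
        except socket.timeout:
            print("%s: timeout (forward or firewall drops the packet)" % label)
        except OSError as e:
            print("%s: %s" % (label, e))
```

A REFUSED on both transports with the same query answering fine from a LAN client is the ACL case; a timeout on TCP only means the 53/TCP forward is missing; AA=0 with answers means something other than the intended named (for example dnsmasq on the router) answered the query.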
All times are GMT