Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT Translation Breaks DNS

    Scheduled Pinned Locked Moved
    NAT
    2
    6
    391
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dma_pf
      last edited by dma_pf

      I am trying to send my DNS requests out via an interface that has NAT translation set up on it and it fails.

      In DNS resolver the Outgoing Network Interfaces is set to only use the interface with the translated NAT. DNS Access List are in place to allow my LAN (192.168.163.1/24), 127.0.0/8, interface address (10.2.0.3) and translated address (10.2.0.2) to access the DNS Resolver (not in forwarding mode).

      The interface is a wireguard tunnel interface to a VPN provider. The interface address is 10.2.0.3 that has it's outbound NAT translated to 10.2.0.2. Internet traffic across this tunnel works perfectly. But all DNS requests fail....regardless if I'm using Resolver in resolving or forwarding mode.

      However, if I set the interface to use the 10.2.0.2 IP address all (resolving or forwarding) DNS queries work perfectly....they are not being blocked by the VPN provider and it has been confirmed by their tech support that they do not block anything on port 53.

      I did a pcap on the interface and I can see that the outbound NAT rule is not being applied. Here's a picture of the pcap:

      NATTranslation.png

      In the red circle you can see that the DNS query was sent out but with the actual interface address (10.2.0.3) and not the translated NAT of 10.2.0.2. I can't figure out why the outbound NAT rule is not being applied to the DNS request sent by Resolver. Here are some pictures of the outbound NAT setup:

      Outbound NAT Translation Rule At Top Of Outbound Nat Rules.
      f9816299-c27d-45f5-a155-5eb674fbbc5d-image.png

      Detail Of Outbound NAT Rule (Alias in Translation is 1 IP - 10.2.0.2)
      1d37d03d-dc8d-4dd8-a0eb-673579ddff90-image.png

      Thanks in advance for any help in figuring out what I have incorrectly setup.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @dma_pf
        last edited by johnpoz

        @dma_pf said in NAT Translation Breaks DNS:

        DNS Access List are in place to allow my LAN (192.168.163.1/24), 127.0.0/8, interface address (10.2.0.3) and translated address (10.2.0.2) to access the DNS Resolver

        Huh - you lost me... If your saying normal traffic works out of your vpn connection, then all traffic going out that interface would already be natted, there is no special need to create a special nat for dns? And there would be no need to nat anything anyway if you set unbound to use that interface address when talking out the tunnel..

        You would nat say traffic from your lan 192.168.x.x whatever going down the vpn tunnel network of 10.something.. If your talking from the vpn interface for unbound there is no reason to nat anything..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        D 1 Reply Last reply Reply Quote 0
        • D
          dma_pf @johnpoz
          last edited by

          @johnpoz said in NAT Translation Breaks DNS:

          Huh - you lost me... If your saying normal traffic works out of your vpn connection, then all traffic going out that interface would already be natted, there is no special need to create a special nat for dns? And there would be no need to nat anything anyway if you set unbound to use that interface address when talking out the tunnel..
          You would nat say traffic from your lan 192.168.x.x whatever going down the vpn tunnel network of 10.something.. If your talking from the vpn interface for unbound there is no reason to nat anything..

          Hi John, thanks for your help. With regard to the Access List I created the list for the various addresses as a trouble shooting measure. I did that based on a prior issue (https://forum.netgate.com/topic/165818/dns-not-working-with-phone-as-peer?_=1673805533998) we worked on which was only resolved by creating an access list for DNS requests to be routed out of wireguard. In that issue without the Access List I was not able to route DNS requests via a remote peer on a wireguard tunnel. Since I could not get DNS to work in my current issue I created the Access List as a troubleshooting item to see if it would work.

          As to why I have to NAT translate the Interface IP it is because I'm trying to set up 3 VPN connections to my provider for redundancy purposes. ProtonVPN requires all connections to all of their servers to be on IP 10.2.0.2. Therefore I could not set up 3 different vpn connections as the interfaces would all require the same IP address.

          However, I've gotten the 3 connections to their servers to work by creating 3 different interfaces, 10.2.0.3, 10.2.0.4 and 10.2.0.5 with each of them having an outbound NAT rule translating traffic on the interfaces to 10.2.0.2 that the provider wants. A lot more detail of how this was set up is here: https://forum.netgate.com/topic/176579/different-interfaces-gateways-using-same-ip-address.

          This setup has been working perfectly for all traffic except DNS. For some reason when Resolver sends the DNS requests out any of those interfaces (resolving or forwarding) the NAT translation is ignored and the packets are sent with the original interface IP address.

          I attempted to create the NAT rule in my post above to try to be more specific to any traffic from on my router to port 53 to be translated. If I set the NAT rule as shown in the picture below I get the exact same results.....everything but DNS packets are routed correctly. It's like Resolver is not seeing/using the NAT rule or is completely ignoring it.

          b03f7880-a941-4ff9-8a09-2da80bcc2b4f-image.png

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @dma_pf
            last edited by

            @dma_pf if you want to nat dns, then you wouldn't use the vpn interface as the unbound interface. Use the loopback, then when it goes out, it would use your nat rule.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            D 1 Reply Last reply Reply Quote 0
            • D
              dma_pf @johnpoz
              last edited by

              @johnpoz So I set the Outgoing Network Interfaces in Resolver to Localhost. Saved the settings, cleared all states and did a pcap on the VPN interface while doing a dig in the command prompt on pfsense.

              This time dig resolved the domain. However, there was no traffic at all on the VPN interface. And when I checked https://www.dnsleaktest.com it shows that my DNS is being asked for from the IP address assigned by my ISP which is on my WAN. Doing a pcap on WAN shows the DNS requests.

              How to route the Localhost DNS request out the VPN interface?

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @dma_pf
                last edited by

                @dma_pf said in NAT Translation Breaks DNS:

                How to route the Localhost DNS request out the VPN interface?

                localhost would use the routing on your box.. Why would it use your isp dns? Thought you said you were resolving? And not forwarding.. There is no scenario where unbound would ask your isp dns unless you allowed those to be set via dhcp, and you were set to forward. Pfsense itself might ask them, if loopback didn't answer? Ie unbound was down/not working..

                If you want to use your vpn dns, then set your default route to go out vpn. Or forward to your vpn dns..

                I really don't get what you think having multiple connections to your vpn gets you? Do you actually have multiple wan connections?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post