Netgate Discussion Forum

Port 53 question

2.1 Snapshot Feedback and Problems - RETIRED
  • D
    databeestje
    last edited by Apr 18, 2012, 5:57 PM

    nat reflection for dns does not work, sorry.

    • Y
      yon
      last edited by Apr 18, 2012, 6:07 PM

      @databeestje:

      nat reflection for dns does not work, sorry.

      Well, why is that?  :o

      Then how do I use the public IP address to connect to port 53?

      If you are interested in free peering for clearnet and dn42,contact me !

      • D
        databeestje
        last edited by Apr 18, 2012, 8:00 PM

        it will work fine when traffic comes in over the internet, it does not work when trying to connect to the external address from the inside.

        • Y
          yon
          last edited by Apr 18, 2012, 8:04 PM

          @databeestje:

          it will work fine when traffic comes in over the internet, it does not work when trying to connect to the external address from the inside.

          I can visit the external address on port 80 from the LAN; I just don't understand why port 53 cannot do this.

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Apr 18, 2012, 8:08 PM

            NAT reflection does not work for any UDP traffic. There is already an open ticket about it.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • Y
              yon
              last edited by Apr 18, 2012, 8:12 PM

              @jimp:

              NAT reflection does not work for any UDP traffic. There is already an open ticket about it.

              OK. Then it should allow DNS to use TCP. I have submitted a ticket about DNS TCP.

              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Apr 18, 2012, 8:18 PM

                I doubt that will gain much support, it is a lot of work for very little benefit. At any moment your ISP could realize what's going on and block DNS over TCP also and it would be a bunch of work wasted. But if someone else is doing the work, have at it…

                Fixing NAT reflection for UDP is the real fix for this issue.

                • Y
                  yon
                  last edited by Apr 18, 2012, 8:27 PM

                  @jimp:

                  I doubt that will gain much support, it is a lot of work for very little benefit. At any moment your ISP could realize what's going on and block DNS over TCP also and it would be a bunch of work wasted. But if someone else is doing the work, have at it…

                  Fixing NAT reflection for UDP is the real fix for this issue.

                  Yes. Fixing NAT reflection for UDP.

                  Because of the defects of the UDP protocol itself, it easily leads to data tampering and counterfeiting, so using TCP will help prevent tampering with and falsification of the data.

                  And it has some code for the security issue: http://forum.pfsense.org/index.php/topic,48520.0.html

                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by Apr 18, 2012, 8:32 PM

                    Yeah but those don't belong here in the 2.1 board since they will not happen for 2.1.

                    Not sure any of those will happen, they all seem to be specific to certain other services or practices and require both a client and server component… If you're tunneling to your own DNS server, may as well use a VPN.

                    DNSSEC can help with the verification part, but still not relevant to this topic. This is only about reflection for UDP.

                    • Y
                      yon
                      last edited by Apr 18, 2012, 8:50 PM

                      This is not about VPN, and a VPN can't solve it.

                      Now I have built a DNS server in my LAN network; when my DNS server or another server transfers any data to the internet, the data will be forged and tampered with by the government ISP.

                      This is a security issue. If the pfSense gateway solves it, that is a good thing.

                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Apr 18, 2012, 8:55 PM

                        …and still not relevant to this thread. If you want to argue all that, use your other thread(s) that cover that specifically.
