Make DNS forwarder accessible via WAN
-
Works as expected with a forwarding rule. Below tested from a VPN.
nslookup pfsense.localdomain mywanipaddress
Serveur :   cable-mywanipaddress.electronicbox.net
Address:  mywanipaddress

Nom :    pfsense.localdomain
Address:  192.168.55.1
Rule disabled
nslookup pfsense.localdomain mywanipaddress
DNS request timed out.
    timeout was 2 seconds.
Serveur :   UnKnown
Address:  mywanipaddress

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Le délai de la requête sur UnKnown est dépassé.

 -
Thanks so much for your reply. Unfortunately, it still isn't working for me. My forwarding rule was identical to yours except for three things:
- The Redirect target IP of course points to the LAN address of my pfSense, which is 192.168.1.1
- I set the protocol to TCP, rather than TCP/UDP like you did.
- I defined a Filter rule association rather than just set it to Pass
I tried setting the protocol and Filter rule association the same as you did, but it still isn't working for me. I am currently still a couple of hours from home at my mother's, and while all my other filter rules are working fine (I can access all the devices behind my home firewall) the DNS forwarding just isn't working.
When I do an nslookup test I get the same timeout results as you do when you turn your forwarding rule off.
-
Set to TCP/UDP, or UDP at least, considering DNS primarily uses UDP on port 53. TCP alone isn't going to help you.
If that doesn't work, post a screenshot of your rule. If it is correct but doesn't work, your ISP is blocking inbound port 53 UDP.
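The point above (a stub resolver such as nslookup sends UDP first, so a forward that only passes TCP never sees the query) can be checked directly from a script instead of reading nslookup timeouts. The following is an added example written for this thread, not code from the thread or from pfSense: it encodes a DNS A query in RFC 1035 wire format, sends it to your own forwarder's public address over UDP and over TCP (with the 2-byte length prefix TCP requires), and reports which transport answered. The server address, the port (53, or an alternative inbound port such as the 888 used later in this thread) and the query name pfsense.localdomain are arguments; nothing about your rule is assumed.

```python
# Added example (not from the thread): send one DNS query over UDP and over TCP
# to a forwarder you operate and report which transport answered.
import random
import socket
import struct
import sys


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for `name` (qtype 1 = A, class IN)."""
    txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(data: bytes, txid: int):
    """Return (rcode, answer_count) if `data` is a response to transaction txid, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:   # QR bit must be set on a response
        return None
    return flags & 0x000F, an


def probe(server: str, port: int = 53, name: str = "pfsense.localdomain",
          timeout: float = 2.0) -> dict:
    """Try the same query over UDP then TCP; None means no usable answer."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    results = {}

    # UDP: a single datagram, which is what nslookup and other stub resolvers send first.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, port))
            results["udp"] = parse_response(s.recv(4096), txid)
        except OSError:                     # timeout or ICMP unreachable
            results["udp"] = None

    # TCP: length-prefixed stream; clients only fall back to it on truncation.
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(query))
            hdr = s.recv(2)
            length = struct.unpack("!H", hdr)[0] if len(hdr) == 2 else 0
            body = b""
            while length and len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            results["tcp"] = parse_response(body, txid)
    except OSError:
        results["tcp"] = None
    return results


if __name__ == "__main__":
    # usage: python probe_dns.py <server> [port]   (run from outside your LAN)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    print(probe(target, target_port))
```

A result of `{'udp': None, 'tcp': (0, 1)}` is exactly the TCP-only symptom described above: the forwarder is reachable, but not on the transport resolvers actually use. `{'udp': None, 'tcp': None}` on port 53 combined with answers on another inbound port points at a block upstream of the firewall rather than at the rule.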
-
-
Thanks again. I am using TCP/UDP now, but as I said, it just won't work for me. That is a good point about my ISP blocking port 53. I am on TekSavvy in Canada, which is very lenient about what you can do with your connection, but perhaps they consider doing DNS going a bit too far. I suppose I could shift the incoming port away from 53, but I don't know if you can put a DNS server on another port and then access it.
Anyway, here is my forward rule setup and the pass rule.
-
Pretty sure Teksavvy is blocking inbound DNS because there were too many wide-open DNS servers causing problems on the residential connections.
Try simplifying into just pass with no linked rule. Also try adding port 53 into the redirect target port box again for good measure. What is your nslookup www.google.com yourwanipaddress saying?
-
-
nslookup www.google.com mywanipaddress
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  mywanipaddress

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
-
If you ask me it is blocked.
- Install this http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome on laptop/client
- Change pfSense rule to port 888 for the inbound port only; leave the redirect port on 53
- Edit the Acrylic config file C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicConfiguration.ini
    ; The IP address of your primary DNS server.
    ; Upon installation it points to the primary OpenDNS server.
    ;
    PrimaryServerAddress=yourpfsensewaniphere
    ;
    ; The UDP port your primary DNS server is supposed to be listening to. The
    ; default value of 53 is the standard port for DNS resolution. You should
    ; change this value only if you are using a non standard DNS server.
    ;
    PrimaryServerPort=888
- Start the Acrylic service: Start Menu -> Acrylic DNS Proxy -> Config - Start…
- Set the DHCP client in Windows to 127.0.0.1 for your adapters.
- Test nslookup of something internal on your pfSense LAN.
- Add log-queries to advanced options in pfSense -> Services -> DNS Forwarder -> Advanced and save, to verify queries are coming from your WAN IP in the Status -> System Logs -> Resolver log
-
Thanks so much for your suggestions. I don't know why I didn't think of Acrylic myself since I looked at it a few weeks ago as a possible alternative to paying for a DNS unblocker service.
I got it to work (although it wasn't at first because I not only had to point the primary DNS to my home WAN address, but also clear the secondary DNS since Acrylic defaults that to one of the OpenDNS servers). Once I had cleared that, I was able to route my DNS queries from my laptop, through Acrylic on port 888 to my home firewall, from the firewall to the pfSense DNS forwarder on port 53, and back out to the DNS unblocker service. Clearly TekSavvy is blocking port 53 since it worked fine when I connected via port 888.
Unfortunately this may have all been for naught since the unblocker service still recognizes that I am on a laptop with an IP address different than my home WAN and blocks the queries. The LAN I'm currently on is on a different subnet than my home LAN uses so maybe that is why, since it may confuse the NAT translations.
I wish my home ISP had a faster upstream speed since then I could simply VPN into my home LAN and stream that way, but upstream speed is only 768Kbps, which is nowhere near fast enough for HD Netflix streaming. Even regular HD (1280x720) requires 3Mbps, and super HD needs up to 8Mbps. I am either going to have to figure out how to spoof my originating IP address when contacting the unblocker DNS server, or revisit using Acrylic to resolve all DNS requests for Netflix hostnames to the US based servers instead of my home country. Basically that is all the unblocker server does anyway, but the trick is figuring out the long list of Netflix hostnames used for playback and then have Acrylic return them instead.
Anyway, thanks again for your help.
-
Whoops, totally forgot to add the commented-out secondary line, doh. My bad.
I thought there was a bit more to it than that for sure. I thought it hijacks then tunnels you. Though maybe I am wrong. It may seem just like a DNS but there is more going on. How much do you pay for the unblocking service? Personally I rent a VPS from chicagovps for $40 a year and run OpenVPN on there. Connect from wherever and multiple clients.
There may be some way to screw with it yet. What do the queries look like in the resolver log? Did you clear your DNS cache? Ipconfig -flushdns.
Did some more reading, and what they do is they check IP and tunnel the geoauth, then insert your IP back in for receiving the stream. If your IP doesn't match a registered one it won't do the trickery.
-
I will look into this some more over the next few days. Right now I am not paying anything for the unblock service since they are currently in beta, but I got an email a few days ago saying they expect to go gold in a couple of weeks and at that point the service will cost $4.95/mo. They did state that they were planning a discount package for anyone who signs up in the first week after they go live.
What happens is that as long as I connect to Netflix from my home LAN the unblocker works fine, no matter which device I connect with (I see and can play US programs in Canada on any PC or laptop, a Samsung Smart TV, a WDTV Live HD connected to a dumb TV, and two smartphones). I have pfSense set up with domain overrides for "netflix.com" and "netflix.net" so that any device requesting hostname resolution will normally use the regular DNS servers, but will use the unblocker service for any requests involving Netflix. This is much safer than just pointing pfSense to always use the unblocker DNS since this way your DNS can't get hijacked when you connect to your bank, for instance. The problem is that if I want to watch US Netflix on my laptop or smartphone when I am away from home the unblocker service forces me to change the registered IP address, and then of course it doesn't work for any device on my home LAN till I get home and set it back. This is frustrating for anyone at home who wants to watch US Netflix while I am away.
I was going to do some experimenting with my OpenVPN connection to my LAN, but I just discovered it is broken right now. It used to work, but now it seems the gateway is not being set up correctly for the VPN connection so nothing routes properly. I don't know what happened since it used to work fine, but I haven't used it in maybe 6 months.