Netgate Discussion Forum
IPv6 port forward for DNS Forwarder when used in parallel with Resolver?

7 Posts 2 Posters 939 Views
    q54e3w
    last edited by q54e3w May 14, 2020, 12:31 AM May 13, 2020, 8:36 PM

    I have two subnets, one served by the DNS Resolver, another served by the DNS Forwarder. The DNS Forwarder listens on a non-standard DNS port to avoid conflict with the resolver. Now I'm looking to implement IPv6 and wondering how best to enable IPv6 DNS Forwarder lookups, which would require port redirecting [xx::xx]:53 to [xx::xx]:5335?

      Gertjan
      last edited by May 14, 2020, 6:25 AM

      I tend to say yes, you should do some "PAT" on that network's interface.
      PAT as Port Address Translation, where you redirect incoming port 53 (TCP & UDP!) connections to port 5335, where the forwarder is listening.
      The devices on your network that use IPv6 will still do DNS on port 53, it's pretty hard to change that.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        q54e3w
        last edited by May 14, 2020, 6:59 AM

        Thanks @Gertjan - that confirms what I've found, still lots to learn about IPv6 though. IPv4 is working fine but without being able to port forward the IPv6 lookups from port 53 to 5335, I'm going to have to find another solution. I could revert to an external service, but then my reverse forwarder to the DNS Resolver and internal name resolution won't work. Strict interface binding doesn't support IPv6 either. Good times! :-)

        netstat -na | grep .5335
        tcp6       0      0 *.5335                 *.*                    LISTEN
        tcp4       0      0 *.5335                 *.*                    LISTEN
        udp6       0      0 *.5335                 *.*
        udp4       0      0 *.5335                 *.*
        
          Gertjan
          last edited by Gertjan May 14, 2020, 7:37 AM May 14, 2020, 7:17 AM

          The thing is : devices most often use one IPv4. Easy to filter that out.
          With IPv6 this isn't true any more.

          Type

          ipconfig  /all
          

          and you can see that there are at least two IPv6 addresses, an IPv6 address and a link-local IPv6 address, the one that starts with fe80:....
          I use a DHCPv6 server to attribute real routable IPv6 addresses to my devices, but I'm not sure this "link-local one" is always the same, so hard to capture with a firewall (PAT) rule.

          edit : wait .... I can't create a NAT/PAT rule that translates IPv6 incoming "port 53" so that they are written as "port 5353" .....
          NAT stuff seems to be "IPv4" only.
          Hummmmm.


            q54e3w
            last edited by May 15, 2020, 1:08 AM

            Yeah, your edit hits the nail on the head re my challenge of running Resolver and Forwarder in parallel on different interfaces. I think NAT64 might be the solution that would help, but this isn't implemented in pfSense currently.
            Generally port forwarding in IPv6 seems to be frowned upon, but I can't see any way to make this work without being able to redirect a port, or create and bind very specifically to an IPv6 interface address.

              q54e3w
              last edited by q54e3w May 16, 2020, 6:57 AM May 16, 2020, 6:56 AM

              I've found a hacky solution that works around the need to have a port forward; it seems to work but doesn't particularly inspire confidence. However, I don't know enough about IPv6 right now to really judge, but curious for any feedback.

              • Set the interfaces selector to my IPv4 subnet I want to listen on
              • Enable strict interface binding
              • Advanced options: add the subnet's IPv6 address, i.e.
              listen-address=2605:xxxx:xxxx:461e:ae1f:6bff:fe73:8972
              

              I think that gets me where I'd like to be without the kludgy hack

              netstat -na | grep .53
              tcp6       0      0 2605:xxxx:xxxx:4.53    *.*                    LISTEN
              tcp4       0      0 192.168.30.1.53        *.*                    LISTEN
              udp6       0      0 2605:xxxx:xxxx:4.53    *.*
              udp4       0      0 192.168.30.1.53        *.*
              

              Would appreciate any feedback if there's a better or more reliable way to do this still.

                q54e3w @q54e3w
                last edited by May 16, 2020, 9:45 AM

                making some progress with my learning :)
                I can create a ULA for the interface and use that in the listen field too.
                This feels better, the GLA is used purely for external traffic, and the ULA internally for IPv6 lookups.

                still open for feedback if I'm being crazy/stoopid here. It wouldn't be the first time! :-D

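The last two posts bind the DNS Forwarder to one specific IPv6 address (first a GLA, then a ULA) instead of relying on a port redirect, and check the result with netstat. As an added example that is not from the thread or from pfSense itself, here is a small POSIX shell check that parses `netstat -na` output in the FreeBSD format quoted above and verifies that the port-53 listeners are bound only to the intended addresses and never to the wildcard `*`. The netstat lines and the ULA `fd00:dead:beef::1` below are constructed sample data; on a live box set `NETSTAT_OUTPUT` to the real output instead.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a DNS listener is bound
# only to the intended addresses and not to the wildcard "*".
# Parses the FreeBSD/pfSense "netstat -na" format quoted in the thread, where
# the local address is column 4 and the port follows the last ".".

# Constructed sample output (hypothetical ULA fd00:dead:beef::1).
# On a live box use:  NETSTAT_OUTPUT="$(netstat -na)"
SAMPLE_NETSTAT='tcp6       0      0 fd00:dead:beef::1.53   *.*                    LISTEN
tcp4       0      0 192.168.30.1.53        *.*                    LISTEN
udp6       0      0 fd00:dead:beef::1.53   *.*
udp4       0      0 192.168.30.1.53        *.*
tcp6       0      0 *.5335                 *.*                    LISTEN
udp4       0      0 *.5335                 *.*'

# Print one local address per socket bound to the given port.
listen_addrs_on_port() {
  port="$1"
  printf '%s\n' "${NETSTAT_OUTPUT:-$SAMPLE_NETSTAT}" | awk -v want="$port" '
    NF >= 4 {
      addr = $4; p = $4
      sub(/.*\./, "", p)          # keep only what follows the last "."
      sub(/\.[^.]*$/, "", addr)   # drop the trailing ".<port>"
      if (p == want) print addr
    }'
}

# Succeed only if no socket on the port is bound to the wildcard address.
no_wildcard_on_port() {
  ! listen_addrs_on_port "$1" | grep -qx '\*'
}

# Succeed only if every socket on the port is bound to one of the
# expected addresses passed as the remaining arguments.
only_expected_addrs() {
  port="$1"; shift
  listen_addrs_on_port "$port" | while read -r addr; do
    ok=0
    for e in "$@"; do
      [ "$addr" = "$e" ] && ok=1
    done
    [ "$ok" -eq 1 ] || exit 1   # leaves the loop subshell, so the pipeline fails
  done
}

# Human-readable report for one port and its expected addresses.
check_dns_binding() {
  port="$1"; shift
  if no_wildcard_on_port "$port" && only_expected_addrs "$port" "$@"; then
    echo "port $port: bound only to expected addresses ($*)"
    return 0
  fi
  echo "port $port: unexpected or wildcard binding:"
  listen_addrs_on_port "$port" | sed 's/^/  /'
  return 1
}

# With the sample data, port 53 passes and port 5335 (wildcard listener) fails.
check_dns_binding 53 fd00:dead:beef::1 192.168.30.1
if ! check_dns_binding 5335 fd00:dead:beef::1; then
  echo "(wildcard listener on 5335 reported as expected)"
fi
```

Run it after changing the interface selector, strict binding or `listen-address` and restarting the forwarder; a `*` in the report means the service is still answering on every address, which is exactly the state the earlier netstat output in this thread showed for port 5335.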