Netgate Discussion Forum
    Port Forwarding DNS (only) is dead! v.2.6.0

ButlerCN

      My port forward to my DNS server isn't working.
      This has worked for years and now, the port is closed.
      I have three other port forwards that are still working, but not port 53. When I run an external port scan, I see the other ports open, but nothing for 53.
      I have removed all non-essential packages. I have deleted and recreated the configuration multiple times.
      I have checked the documentation and watched tutorials, just in case my brain messed it up.
      I have double-checked with my ISP to make sure they're not blocking it. NO JOY.
      Is there something special about forwarding port 53?
      Could there be an issue with the latest release (2.60)?

      I'm dying here. Thanks for anything you have to offer.

ptt @ButlerCN

        Check/read: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html (point 5)

ButlerCN @ptt

          @ptt said in Port Forwarding DNS (only) is dead! v.2.6.0:

          https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

          I appreciate the reference. I've gone through it all (including packet tracing) and the fact just remains that port 53 on my IP address is closed. Port 80 is open and forwarding with no problem.

johnpoz (Global Moderator) @ButlerCN

            @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

            that port 53 on my IP address is closed.

If your ISP is blocking 53 to you, there is nothing pfSense can do about it.

Forwarding any port is the same; there is nothing special about 53. In the link provided, step 5, as pointed out already. If you sniff on your WAN and you do not see 53 hitting the pfSense WAN, there is nothing pfSense can do about that. And either your ISP is lying to you, or you're not testing it correctly to send the traffic there, or you're behind another NAT?

Is the pfSense WAN IP public, or is it an RFC1918 or CGNAT IP?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

troysjanda @ButlerCN

@butlercn You can try GRC.com ShieldsUP and see if 53 is closed, stealth or open, just a thought. Are you by chance using a DNS server for monitoring if your connection is up? I have heard that people using 8.8.8.8 have a similar issue as yours when using 8.8.8.8 as a monitor IP in the gateway. I am not an expert, in fact a newb to be totally honest, but I do a lot of reading.

              Dell Poweredge r210 II, Intel(R) Xeon(R) CPU E31240 @ 3.30GHz RAM: 16GB
              Dell Enterprise HHD x1 500gb (ZFS)
              Pfsense: 2.7.1(amd64)
              Installed Pkg's: Cron, System_Patches.

ButlerCN @johnpoz

                @johnpoz I will contact my ISP a third time. The first time I brought it up with them, they changed the VLAN I was on which gave me a new IP address. They said that things like this usually work better on this VLAN. I think the first one may have been CGNAT, so I'm not on that anymore.
                When I called back a week later with a bloody forehead, they swore up and down that it's all wide open.
                I have a public IP address and I'm checking it with multiple web-based port scanners, including GRC.

                Is it possible that receiving my WAN IP address via DHCP instead of static could be causing this?
                The address has never changed. I'm grasping at straws.

ButlerCN @troysjanda

                  @troysjanda Thanks for the suggestions. I've been using GRC among a few others. Funny you mention 8.8.8.8, I had been using it for a while, but changed to 9.9.9.9, just to be different. Sadly, it didn't help.

johnpoz (Global Moderator) @ButlerCN

                    @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                    web-based port scanners, including GRC.

You understand those do TCP scans, not UDP, which would normally be what DNS uses. Did you forward UDP and TCP? Keep in mind DNS on TCP wouldn't send back SYN,ACK either, which is what those scanners look for.

Did you sniff while you were testing?

There really are not many UDP "scanners" because, well, there is no handshake, so it's hard; there would not really be a SYN,ACK back, so it is very hard to test for, etc.

Your best bet is to use a DNS tester, or just do a simple directed DNS query from some outside IP to your WAN IP, and then sniff. You do not need to call your ISP to find out if DNS is open to you or not.

Example: https://openresolver.com

A simple sniff on my WAN while running the test shows the packets got to my WAN; it doesn't matter if I forward or not, I can verify the traffic is getting to me.

[screenshot: dnstest.jpg]

Why exactly do you think you want to forward DNS? It's a really bad idea; it most likely would lead to you being used in an amplification attack. And if you are just wanting to run an authoritative NS for your domain(s), it's much better to host those on a service that does that for their bread and butter. Many places you can get that done for free, etc.

Edit: here is my testing from a box of mine out on the internet.

[screenshot: vps.jpg]

Edit 2: So here I forwarded DNS (UDP) to my internal DNS that can resolve my local stuff. I then created a port forward (limiting it to the source IP of my outside server). As you can see, a DNS query now works from outside.

[screenshot: portforward1.jpg]

And you can now see my firewall rule after testing shows that traffic has hit that rule.

[screenshot: rule.jpg]


ButlerCN
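The moderator's point above is that a web port scanner only tells you whether a TCP SYN gets a SYN,ACK back, while DNS normally runs over UDP, so the honest test is a directed DNS query from an outside host while sniffing the WAN. The following script is an added example for this thread, not pfSense code or anything the poster ran: it builds a minimal RFC 1035 query, sends it over UDP and TCP to a WAN address, and classifies the reply. It also reports whether the forwarded resolver answered a recursive query with the RA flag set, which is exactly the open-resolver condition the moderator warns turns a forward into an amplification source. `WAN_IP` and `QNAME` are placeholders you replace; the response bytes used to exercise the parser are constructed here.

```python
#!/usr/bin/env python3
"""Directed DNS probe over UDP and TCP (example written for this thread, not
pfSense code). Run it from a host outside your network while running
`tcpdump -ni <wan-interface> port 53` on the firewall."""
import random
import socket
import struct

def build_query(qname, qtype=1, rd=True, txid=None):
    """Build a minimal DNS query: 12-byte header plus one class-IN question."""
    txid = random.randrange(0, 65536) if txid is None else txid
    flags = 0x0100 if rd else 0x0000           # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question

def parse_response(data, expect_txid=None):
    """Decode the header fields that matter for this test."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),   # QR bit
        "ra": bool(flags & 0x0080),            # recursion available
        "rcode": flags & 0x000F,               # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def classify(resp):
    """Map a parsed reply onto the outcomes this thread cares about."""
    if not resp["is_response"]:
        return "not-a-response"
    if resp["rcode"] == 5:
        return "reachable-refused"     # forward works, resolver declines outsiders
    if resp["ra"] and resp["rcode"] == 0 and resp["answers"] > 0:
        return "open-resolver"         # recursion answered for an outside source
    return "reachable-rcode-%d" % resp["rcode"]

def probe_udp(ip, qname, timeout=3.0):
    """One UDP query; 'no-reply' means it was dropped or never reached a listener."""
    txid = random.randrange(0, 65536)
    q = build_query(qname, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(parse_response(data, txid))

def probe_tcp(ip, qname, timeout=3.0):
    """Same query over TCP, where DNS messages carry a 2-byte length prefix."""
    txid = random.randrange(0, 65536)
    q = build_query(qname, txid=txid)
    try:
        with socket.create_connection((ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return "closed-by-peer"
            (n,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < n:
                chunk = s.recv(n - len(data))
                if not chunk:
                    break
                data += chunk
    except (socket.timeout, OSError):
        return "no-reply"
    return classify(parse_response(data, txid))

if __name__ == "__main__":
    WAN_IP = "192.0.2.10"      # placeholder (TEST-NET-1); use your own WAN IP
    QNAME = "example.com"      # placeholder name; use a name your resolver knows
    print("udp:", probe_udp(WAN_IP, QNAME))
    print("tcp:", probe_tcp(WAN_IP, QNAME))
```

If the UDP probe returns "no-reply" while tcpdump on the WAN shows the query arriving, the problem is on the firewall or the internal server, not the ISP; if tcpdump shows nothing, the packet never reached you. A result of "open-resolver" for a query from an address you did not allow-list means the forward should be restricted by source, as the moderator did in his own rule.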

                      @johnpoz First of all, wow, this is a lot of effort on your part and great information. I really appreciate it!
I will go through everything you posted carefully. I'm sure I've already done some of this, but I'll take it slow from start to finish and see if anything new pops up. Thanks.

Gertjan @ButlerCN

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        I have removed all non-essential packages. I have deleted and recreated the configuration multiple times.

Have you tried the most hidden solution, the one that actually always works:
After a fresh install of pfSense, do nothing. Do not even change the password, just do plain nothing. Don't even run the initial wizard, which makes people think they have to give DNS servers, because that is not the case.
                        pfSense has a resolver, so it works out of the box. DNS will work out of the box.

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        My port forward to my DNS server isn't working.

You have a DNS resolver or forwarder on your LAN that you want to use?
Like a Pi-hole or something?
Or do you have a contract with 9.9.9.9 and they want all your private DNS requests?
Why do you think you need a DNS to forward to?

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        I have three other port forwards that are still working, but not port 53.

You forward port 53 from where to where?
You forward UDP, or TCP, or both?

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        I run an external port scan

DNS traffic is outbound, not inbound...
Right?

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        I have double-checked with my ISP to make sure they're not blocking it. NO JOY.

                        They wouldn't do that.
                        Blocking your "UDP port 53" access to the Internet is nearly the same as cutting the WAN wire.

                        @butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

                        Could there be an issue with the latest release (2.60)?

Yep, no joke. There is one.
If you use the captive portal and you use limiters (see the many recent forum posts about this subject), then it might look like the resolver isn't working anymore. This means: no more DNS.
Workaround: remove all limiters.
If you use the captive portal: install

[screenshot: 8aaa7629-91fb-4536-8fc7-fe905df5835f-image.png]

and apply the built-in Captive Portal patch.

                        No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
