Port Forwarding DNS (only) is dead! v.2.6.0
-
My port forward to my DNS server isn't working.
This has worked for years and now, the port is closed.
I have three other port forwards that are still working, but not port 53. When I run an external port scan, I see the other ports open, but nothing for 53.
I have removed all non-essential packages. I have deleted and recreated the configuration multiple times.
I have checked the documentation and watched tutorials, just in case my brain messed it up.
I have double-checked with my ISP to make sure they're not blocking it. NO JOY.
Is there something special about forwarding port 53?
Could there be an issue with the latest release (2.60)? I'm dying here. Thanks for anything you have to offer.
-
Check/read: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html (point 5)
-
@ptt said in Port Forwarding DNS (only) is dead! v.2.6.0:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
I appreciate the reference. I've gone through it all (including packet tracing) and the fact just remains that port 53 on my IP address is closed. Port 80 is open and forwarding with no problem.
-
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
that port 53 on my IP address is closed.
If your ISP is blocking 53 to you - nothing pfSense can do about it.
Forwarding any port is the same, there is nothing special about 53. In the link provided - step 5 as pointed out already. If you sniff on your WAN and you do not see 53 hitting the pfSense WAN, there is nothing pfSense can do about that. And either your ISP is lying to you, or you're not testing it correctly to send the traffic there, or you're behind another NAT?
Is the pfSense WAN IP public, or is it an RFC1918 or CGNAT IP?
-
@butlercn You can try GRC.com ShieldsUP and see if 53 is closed, stealth or open, just a thought. Are you by chance using a DNS server for monitoring if your connection is up? I have heard that people using 8.8.8.8 have a similar issue as yours when using 8.8.8.8 as a monitor IP in the gateway. I am not an expert, in fact a newb to be totally honest, but I do a lot of reading.
-
@johnpoz I will contact my ISP a third time. The first time I brought it up with them, they changed the VLAN I was on which gave me a new IP address. They said that things like this usually work better on this VLAN. I think the first one may have been CGNAT, so I'm not on that anymore.
When I called back a week later with a bloody forehead, they swore up and down that it's all wide open.
I have a public IP address and I'm checking it with multiple web-based port scanners, including GRC. Is it possible that receiving my WAN IP address via DHCP instead of static could be causing this?
The address has never changed. I'm grasping at straws.
-
@troysjanda Thanks for the suggestions. I've been using GRC among a few others. Funny you mention 8.8.8.8, I had been using it for a while, but changed to 9.9.9.9, just to be different. Sadly, it didn't help.
-
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
web-based port scanners, including GRC.
You understand those do TCP scans, not UDP, which would normally be what DNS uses.. Did you forward UDP and TCP? Keep in mind DNS on TCP wouldn't send back SYN,ACK either, which is what those scanners look for.
Did you sniff while you were testing?
There really are not many UDP "scanners" because, well, there is no handshake - so it's hard, there would not really be a SYN,ACK back - so very hard to test for, etc.
Your best bet is to use a DNS tester, or just do a simple directed DNS query from some outside IP to your WAN IP.. And then sniff... You do not need to call your ISP to find out if DNS is open to you or not..
example
A simple sniff on my WAN while running the test shows the packets got to my WAN; it doesn't matter if I forward or not - I can verify the traffic is getting to me..
Why exactly do you think you want to forward DNS? It's a really bad idea - it most likely would lead to you being used in an amplification attack. And if you are just wanting to run an authoritative NS for your domain(s).. It's much better to host those on a service that does that for its bread and butter. Many places you can get that done for free, etc..
edit: here is my testing from a box of mine out on the internet
edit2: So here I forwarded DNS (UDP) to my internal DNS that can resolve my local stuff. I then created a port forward (limiting it to the source IP of my outside server). As you can see, a DNS query now works from outside.
And you can now see my firewall rule after testing shows that traffic has hit that rule..
-
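The "directed DNS query from some outside IP" test above, as an added example that is not part of any post in this thread and not a Netgate tool. It sends a real DNS query over UDP and over TCP to a target and reports whether anything answered, which is what a TCP-only web scanner cannot tell you. The target IP, query name and port are assumptions you pass on the command line; the loopback self-test at the bottom stands up a throwaway responder on 127.0.0.1 only to show what an "answered" result looks like.

```python
#!/usr/bin/env python3
"""Directed DNS probe (UDP and TCP) for checking a port 53 forward from outside.
Example code added for this thread; not pfSense/Netgate code."""
import socket
import struct
import sys
import threading


def build_query(qname, qid, qtype=1):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id):
    """Header facts of a DNS reply, or None if it is not a reply to our query."""
    if len(data) < 12:
        return None
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id or not flags & 0x8000:   # QR bit must be set
        return None
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def probe_udp(host, qname, port=53, timeout=3.0, qid=0x1234):
    """UDP has no handshake: the only evidence of an open forward is a reply."""
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))   # connected UDP so ICMP unreachable surfaces as an error
            s.send(query)
            data = s.recv(512)
        except socket.timeout:
            return {"proto": "udp", "state": "no-response"}   # dropped, filtered, or not forwarded
        except ConnectionRefusedError:
            return {"proto": "udp", "state": "refused"}       # ICMP port unreachable came back
        except OSError as exc:
            return {"proto": "udp", "state": "error", "detail": str(exc)}
    hdr = parse_response(data, qid)
    if hdr is None:
        return {"proto": "udp", "state": "garbage"}
    return {"proto": "udp", "state": "answered", **hdr}


def probe_tcp(host, qname, port=53, timeout=3.0, qid=0x1234):
    """DNS over TCP is length-prefixed; a bare SYN scan never gets this far."""
    query = build_query(qname, qid)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return {"proto": "tcp", "state": "connected-no-reply"}
            (n,) = struct.unpack("!H", prefix)
            data = b""
            while len(data) < n:
                chunk = s.recv(n - len(data))
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return {"proto": "tcp", "state": "no-response"}
    except ConnectionRefusedError:
        return {"proto": "tcp", "state": "refused"}
    except OSError as exc:
        return {"proto": "tcp", "state": "error", "detail": str(exc)}
    hdr = parse_response(data, qid)
    if hdr is None:
        return {"proto": "tcp", "state": "garbage"}
    return {"proto": "tcp", "state": "answered", **hdr}


def loopback_selftest(qname="lab.example"):
    """Throwaway UDP responder on 127.0.0.1 (a stand-in for a reachable DNS
    server) that answers NOERROR with no records; shows what 'answered' looks like."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.settimeout(5)

    def respond():
        try:
            data, peer = srv.recvfrom(512)
            qid = struct.unpack("!H", data[:2])[0]
            reply = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + data[12:]
            srv.sendto(reply, peer)
        except OSError:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=respond, daemon=True)
    t.start()
    result = probe_udp("127.0.0.1", qname, port=port, timeout=3.0)
    t.join(5)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: dnsprobe.py <wan-ip> <qname> [port]")
    target, name = sys.argv[1], sys.argv[2]
    dport = int(sys.argv[3]) if len(sys.argv) > 3 else 53
    for probe in (probe_udp, probe_tcp):
        print(probe(target, name, port=dport))
```

Run it from a box outside your network against the WAN IP while a packet capture on the pfSense WAN interface filters on port 53. A "no-response" here with the query visible in the capture means the packet reached pfSense and the forward or its firewall rule is the problem; no packet in the capture means it never arrived, which is upstream of pfSense.
-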
@johnpoz First of all, wow, this is a lot of effort on your part and great information. I really appreciate it!
I will go through everything you posted carefully. I'm sure I've already done some of this, but I'll take it slow from start to finish and see if anything new pops up. Thanks
-
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
I have removed all non-essential packages. I have deleted and recreated the configuration multiple times.
Have you tried the most hidden solution, the one that actually always works:
After a fresh install of pfSense: do nothing. Do not even change the password, just do plain nothing. Don't even run the initial Wizard, which makes people think they have to give DNS servers, because that is not the case.
pfSense has a resolver, so it works out of the box. DNS will work out of the box.
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
My port forward to my DNS server isn't working.
You have DNS resolver or forwarder on your LAN that you want to use ?
Like a pi-hole or something ?
Or do you have a contract with 9.9.9.9 and they want all your private DNS requests ?
Why do you think you need a DNS to forward to ?
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
I have three other port forwards that are still working, but not port 53.
You forward port 53 from where to where ?
You forward UDP, or TCP, or both ?
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
I run an external port scan
DNS traffic is outbound, not inbound ....
Right ?
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
I have double-checked with my ISP to make sure they're not blocking it. NO JOY.
They wouldn't do that.
Blocking your "UDP port 53" access to the Internet is nearly the same as cutting the WAN wire.
@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:
Could there be an issue with the latest release (2.60)?
Yep, no joke. There is one.
If you use the captive portal, and you use limiters (see the many recent forum posts about this subject), then it might look like the resolver isn't working anymore. This means: no more DNS.
Workaround: remove all limiters.
If you use the captive portal: install
and apply the built-in Captive portal patch.