Port 53 question



  • I am using 2.1-DEVELOPMENT (i386) built on Tue Apr 17 16:58:04 EDT 2012.

    I have NATed port 53 to my DNS server, but I can't connect to the DNS server using the public IPv4 address from the LAN or from the DNS server itself.

    I have enabled NAT reflection. I can't find the reason.

    Please help..




  • nat reflection for dns does not work, sorry.



  • @databeestje:

    nat reflection for dns does not work, sorry.

    Well... why is that? :o

    Then how do I use the public IP address to connect to port 53?



  • it will work fine when traffic comes in over the internet, it does not work when trying to connect to the external address from the inside.



  • @databeestje:

    it will work fine when traffic comes in over the internet, it does not work when trying to connect to the external address from the inside.

    I can reach the external address on port 80 from the LAN; I just don't understand why port 53 can't do this.


  • Rebel Alliance Developer Netgate

    NAT reflection does not work for any UDP traffic. There is already an open ticket about it.
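
    A quick way to see the difference yourself, from a host on the LAN, is to send the same DNS query to the WAN address once over UDP and once over TCP and compare which transport gets an answer. The script below is an added example for this thread, not pfSense code and not something any participant posted; the WAN address and hostname in it are placeholder assumptions.

```python
"""Added example (not from the pfSense thread or pfSense's own code): probe a DNS
server over UDP and over TCP with the same hand-built query, so the two transports
can be compared when testing NAT reflection from inside the LAN.  The server
address and hostname used under __main__ are assumptions, not values from the thread."""
import socket
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query message (RFC 1035 wire format) for one question.
    qtype 1 = A record.  The RD flag is set so a recursive resolver will answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses carried in the answer section of a DNS response.
    Handles compression pointers in owner names; skips non-A answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12

    def skip_name(o: int) -> int:
        while True:
            length = resp[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
                return o + 2
            o += 1 + length

    for _ in range(qd):
        off = skip_name(off) + 4           # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def probe(server: str, name: str, transport: str, timeout: float = 3.0):
    """Send one query over 'udp' or 'tcp'; return ('ok', [addresses]) or ('fail', reason).
    A UDP timeout next to a TCP success is the symptom discussed in the thread."""
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                resp, _ = s.recvfrom(4096)
        elif transport == "tcp":
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(frame_tcp(query))
                (length,) = struct.unpack("!H", s.recv(2))
                resp = b""
                while len(resp) < length:
                    chunk = s.recv(length - len(resp))
                    if not chunk:
                        raise ConnectionError("short TCP response")
                    resp += chunk
        else:
            raise ValueError("transport must be 'udp' or 'tcp'")
    except (OSError, struct.error) as exc:
        return ("fail", f"{exc.__class__.__name__}: {exc}")
    if resp[:2] != query[:2]:
        return ("fail", "transaction id mismatch")
    return ("ok", parse_a_records(resp))

if __name__ == "__main__":
    # Assumed values: the firewall's WAN address and a name hosted on the LAN DNS server.
    public_ip, hostname = "203.0.113.10", "www.example.com"
    for transport in ("udp", "tcp"):
        print(transport, probe(public_ip, hostname, transport))
```

    Run it from a LAN host with the WAN address substituted; if the UDP probe times out while the TCP probe returns the expected address, the reflected port forward is being applied to TCP only, which is exactly what this thread describes.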



  • @jimp:

    NAT reflection does not work for any UDP traffic. There is already an open ticket about it.

    OK. Then DNS should be allowed to use TCP. I have submitted a ticket about DNS over TCP.


  • Rebel Alliance Developer Netgate

    I doubt that will gain much support, it is a lot of work for very little benefit. At any moment your ISP could realize what's going on and block DNS over TCP also and it would be a bunch of work wasted. But if someone else is doing the work, have at it…

    Fixing NAT reflection for UDP is the real fix for this issue.



  • @jimp:

    I doubt that will gain much support, it is a lot of work for very little benefit. At any moment your ISP could realize what's going on and block DNS over TCP also and it would be a bunch of work wasted. But if someone else is doing the work, have at it…

    Fixing NAT reflection for UDP is the real fix for this issue.

    Yes. Fixing NAT reflection for UDP.

    Because of the defects of the UDP protocol itself, it easily leads to data tampering and counterfeiting, so using TCP will help prevent tampering and falsification of data.

    And there is some code for the security issue: http://forum.pfsense.org/index.php/topic,48520.0.html


  • Rebel Alliance Developer Netgate

    Yeah but those don't belong here in the 2.1 board since they will not happen for 2.1.

    Not sure any of those will happen, they all seem to be specific to certain other services or practices and require both a client and server component… If you're tunneling to your own DNS server, may as well use a VPN.

    DNSSEC can help with the verification part, but still not relevant to this topic. This is only about reflection for UDP.



    This is not about VPN, and a VPN can't solve it.

    Now I have built a DNS server in my LAN network; when my DNS server or other servers transfer any data to the internet, the data will be forged and tampered with by the government ISP.

    This is a security issue. If the pfSense gateway has a solution, it is a good thing.


  • Rebel Alliance Developer Netgate

    …and still not relevant to this thread. If you want to argue all that, use your other thread(s) that cover that specifically.

