Make DNS forwarder accessible via WAN



  • I have some domain overrides set up on my LAN that I would like to use from my laptop when I am travelling. I have tried setting up a port forward for the DNS port (53) to the IP address of pfSense on my LAN (192.168.1.1). It seemed to work when I accessed it via NAT reflection from inside my LAN, but when I try to set my laptop to use the WAN IP address of my pfSense server as the DNS server address, DNS requests just time out. I tried changing the target IP of the forward to localhost, but that didn't work either. I can ping my WAN address, and via forwarding rules I can access several servers on various machines inside the firewall on my LAN; I just can't seem to get the DNS requests to traverse the firewall, get rerouted out to the main and override DNS servers, and the results returned to my laptop when I am outside the firewall on the WAN side.

    The reason I want to be able to use my pfSense DNS forwarder this way is that the actual DNS server I am using for the overrides (for bypassing geoblocking) will only work with a single source IP at a time. If you try to resolve an IP address from a different source IP than the one on record for your account, it is refused (actually, the host name is resolved to the IP address for a page that tells you to log in and change the registered source IP). When I configure pfSense to do the overrides, any device on my LAN appears to the DNS server to originate from the same IP address, so all of them are allowed to use the server for lookups. However, if I set up my laptop when travelling to use the alternate DNS server, it is refused unless I log in to the DNS server provider and change the registered IP address. If I do that though, none of the devices on my LAN can use the geo-unblocker DNS until I set the registered IP address back to my home network WAN address. I was hoping to be able to set the DNS server for my laptop to point to my home network's WAN address, and have the requests routed back out by pfSense to the geo-unblocker server, then have the replies returned to my laptop.

    I am wondering now if the problem is that while I am allowing the incoming DNS requests through the firewall, the replies that pfSense is trying to send back to my laptop are being blocked since there is no rule for that. Does anyone know the correct way (or if it is even possible) to make the pfSense DNS forwarding server available on the WAN side?



  • Using a VPN would put you behind your pfsense. I am not sure querying your DNS Forwarder from WAN is a good idea.



  • Yes, I have OpenVPN set up to allow remote access to my LAN, and that would work except that doing it that way would not only route the DNS requests through my home router, but also stream the video portion via my home Internet connection too. The whole point of using a geo-unblocking DNS service is that while the DNS requests go through their server, the video streams come direct from the content provider's servers. I just don't have enough upstream bandwidth on my home Internet connection to feed the video stream back out to my laptop when I'm not at home.

    I understand the risks of exposing my DNS forwarder on the WAN side, but I'm willing to take those risks. I just don't know how to set it up properly.




  • Works as expected with a forwarding rule. Below tested from a VPN.

    
    nslookup pfsense.localdomain mywanipaddress
    Serveur :   cable-mywanipaddress.electronicbox.net
    Address:  mywanipaddress
    
    Nom :    pfsense.localdomain
    Address:  192.168.55.1
    
    

    Rule disabled

    
    nslookup pfsense.localdomain mywanipaddress
    DNS request timed out.
        timeout was 2 seconds.
    Serveur :   UnKnown
    Address:  mywanipaddress
    
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Le délai de la requête sur UnKnown est dépassé.
    
    

    ![2014-03-05 19_09_32-pfsense.localdomain - Firewall_ NAT_ Port Forward_ Edit.png](/public/imported_attachments/1/2014-03-05 19_09_32-pfsense.localdomain - Firewall_ NAT_ Port Forward_ Edit.png)



  • Thanks so much for your reply. Unfortunately, it still isn't working for me. My forwarding rule was identical to yours except for three things:

    • The Redirect target IP of course points to the LAN address of my pfSense, which is 192.168.1.1

    • I set the protocol to TCP, rather than TCP/UDP like you did.

    • I defined a Filter rule association rather than just set it to Pass

    I tried setting the protocol and Filter rule association the same as you did, but it still isn't working for me. I am currently still a couple of hours from home at my mother's, and while all my other filter rules are working fine (I can access all the devices behind my home firewall) the DNS forwarding just isn't working.

    When I do a nslookup test I get the same timeout results as you do when you turn your forwarding rule off.



  • Set to TCP/UDP, or UDP at least, considering DNS primarily uses UDP on port 53. TCP alone isn't going to help you.

    If that doesn't work, post a screenshot of your rule. If it is correct but doesn't work, your ISP is blocking inbound port 53 UDP.



  • Thanks again. I am using TCP/UDP now, but as I said, it just won't work for me. That is a good point about my ISP blocking port 53. I am on TekSavvy in Canada, which is very lenient about what you can do with your connection, but perhaps they consider doing DNS going a bit too far. I suppose I could shift the incoming port away from 53, but I don't know if you can put a DNS server on another port and then access it.

    Anyway, here is my forward rule setup and the pass rule.

    @bryan.paradis:

    @Slartibartfast:

    Thanks so much for your reply. Unfortunately, it still isn't working for me. My forwarding rule was identical to yours except for three things:

    • The Redirect target IP of course points to the LAN address of my pfSense, which is 192.168.1.1

    • I set the protocol to TCP, rather than TCP/UDP like you did.

    • I defined a Filter rule association rather than just set it to Pass

    I tried setting the protocol and Filter rule association the same as you did, but it still isn't working for me. I am currently still a couple of hours from home at my mother's, and while all my other filter rules are working fine (I can access all the devices behind my home firewall) the DNS forwarding just isn't working.

    When I do a nslookup test I get the same timeout results as you do when you turn your forwarding rule off.

    @bryan.paradis:

    Works as expected with a forwarding rule. Below tested from a VPN.

    
    nslookup pfsense.localdomain mywanipaddress
    Serveur :   cable-mywanipaddress.electronicbox.net
    Address:  mywanipaddress
    
    Nom :    pfsense.localdomain
    Address:  192.168.55.1
    
    

    Rule disabled

    
    nslookup pfsense.localdomain mywanipaddress
    DNS request timed out.
        timeout was 2 seconds.
    Serveur :   UnKnown
    Address:  mywanipaddress
    
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Le délai de la requête sur UnKnown est dépassé.
    
    

    Set to TCP/UDP or UDP at least. Considering DNS uses primarily UDP on port 53. TCP alone isn't going to help you.

    If that doesn't work post a screenshot of your rule. If is correct but doesn't work your ISP is blocking inbound port 53 UDP.



  • Pretty sure Teksavvy is blocking inbound DNS because there were too many wide open DNS servers causing problems on the residential connections.

    Try simplifying into just pass with no linked rule. Also try adding port 53 into the redirect target port box again for good measure. What is your nslookup www.google.com yourwanipaddress saying?
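The timeout-versus-answer test the post above asks for, done with a small script instead of nslookup so the same query can be aimed at port 53 and at an alternate inbound port and the two results compared. This is an added example and not code from the thread, pfSense or Acrylic: it hand-builds a standard A query with only the Python standard library, and the loopback "forwarder" it starts is a constructed stand-in (answering 192.168.1.1 to match the thread) so the script runs offline. To reproduce the thread's test, point `probe()` at your own WAN address with port 53 and then with the alternate inbound port.

```python
"""Probe a DNS forwarder on a chosen UDP port and parse the A-record answer.

Added example for the port 53 vs alternate-port test discussed above. Not
pfSense, Acrylic or the thread's own code. Uses only the standard library:
the query is built by hand in RFC 1035 wire format, and a loopback
'forwarder' is started so the script runs offline (constructed stand-in).
"""
import socket
import struct
import threading


def build_query(name, txid=0x1234):
    """Encode one recursion-desired A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_a_answer(response, txid):
    """Return the first IPv4 address in the answer section, or None."""
    if len(response) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000 or an == 0:  # wrong ID, not a reply, no answers
        return None
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(response, pos) + 4
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return socket.inet_ntoa(response[pos:pos + 4])
        pos += rdlen
    return None


def probe(server, port, name, timeout=2.0):
    """Send one query to server:port; None means no usable answer in time.

    A timeout means the packet was dropped somewhere on the path (what an
    ISP filter on inbound 53 looks like); an immediate error means a host
    answered with ICMP unreachable. Both are reported as None here.
    """
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        try:
            data, _peer = sock.recvfrom(512)
        except OSError:  # socket.timeout and ECONNREFUSED both land here
            return None
    return parse_a_answer(data, txid)


def _build_response(query, ip):
    """Answer `query` with one A record for `ip` (test helper, constructed)."""
    qend = _skip_name(query, 12) + 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:qend] + answer


def run_fake_forwarder(ip="192.168.1.1"):
    """Start a loopback UDP responder standing in for the forwarder; return its port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # OS picks a free port, like an alternate inbound port

    def serve():
        while True:
            q, peer = sock.recvfrom(512)
            sock.sendto(_build_response(q, ip), peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


if __name__ == "__main__":
    alt_port = run_fake_forwarder()
    # Replace 127.0.0.1 and the ports with your own WAN address, 53 and 888.
    print("alt port :", probe("127.0.0.1", alt_port, "pfsense.localdomain"))
    print("no server:", probe("127.0.0.1", 1, "pfsense.localdomain", timeout=0.5))
```

Run against a real forwarder, a `None` from port 53 beside an address from the alternate port is the same evidence the later posts in the thread arrive at: the forwarder works, and something upstream is dropping inbound 53.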



  • nslookup www.google.com mywanipaddress
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  mywanipaddress
    
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out
    
    


  • If you ask me it is blocked.

    1. Install this http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome on laptop/client
    2. Change pfsense rule to port 888 for the inbound port only; leave redirect port on 53
    3. Edit Acrylic config file C:\Program Files (x86)\Acrylic DNS Proxy\AcrylicConfiguration.ini

        ; The IP address of your primary DNS server.
        ; Upon installation it points to the primary OpenDNS server.
        ;
        PrimaryServerAddress=yourpfsensewaniphere
        ;
        ; The UDP port your primary DNS server is supposed to be listening to. The
        ; default value of 53 is the standard port for DNS resolution. You should
        ; change this value only if you are using a non standard DNS server.
        ;
        PrimaryServerPort=888

    4. Start Acrylic service: Start Menu -> Acrylic DNS Proxy -> Config - Start…
    5. Set dhcp client in Windows to 127.0.0.1 for your adapters.
    6. Test nslookup of something internal on your pfsense LAN.
    7. Add log-queries to advanced options in pfsense -> Services -> DNS Forwarder -> Advanced and save to verify queries are coming from your WAN IP in the Status -> System Logs -> Resolver log
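For the last step, an added example (not pfSense or dnsmasq code) that reads the lines the DNS Forwarder writes to the resolver log once log-queries is on and groups them by client address. The `query[TYPE] name from SRC` line shape is dnsmasq's own; the sample log lines, the 192.168.1.0/24 LAN and the 203.0.113.5 "travelling laptop" address are constructed. Any source that is neither on the LAN nor your own remote client is an unknown party using the forwarder through the WAN port, which is the kind of use behind the blanket ISP blocks on 53 mentioned above.

```python
"""Group DNS Forwarder (dnsmasq) query log lines by client address.

Added example, not pfSense or dnsmasq code. The 'query[TYPE] name from SRC'
line shape is what dnsmasq writes with log-queries enabled; the sample lines,
the 192.168.1.0/24 LAN and the 203.0.113.5 travelling laptop are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# One line per request once log-queries is on; other lines (config, forwarded,
# reply) are skipped by the pattern.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)"
)

# Constructed sample of a Status -> System Logs -> Resolver excerpt.
SAMPLE_LOG = """\
Mar  6 10:12:01 pfsense dnsmasq[2211]: query[A] pfsense.localdomain from 192.168.1.20
Mar  6 10:12:01 pfsense dnsmasq[2211]: config pfsense.localdomain is 192.168.1.1
Mar  6 10:12:05 pfsense dnsmasq[2211]: query[A] www.google.com from 203.0.113.5
Mar  6 10:12:05 pfsense dnsmasq[2211]: forwarded www.google.com to 203.0.113.53
Mar  6 10:12:09 pfsense dnsmasq[2211]: query[ANY] isc.org from 198.51.100.77
Mar  6 10:12:09 pfsense dnsmasq[2211]: query[ANY] isc.org from 198.51.100.77
Mar  6 10:12:10 pfsense dnsmasq[2211]: query[A] netflix.com from 192.168.1.31
"""


def parse_queries(text):
    """Return (src, qtype, name) for every query line in `text`."""
    found = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append((m.group("src"), m.group("qtype"), m.group("name")))
    return found


def classify_sources(queries, lan_cidr, allowed_remote):
    """Label each client 'lan', 'remote-ok' (your own travelling client) or 'unexpected'."""
    lan = ipaddress.ip_network(lan_cidr)
    allowed = {ipaddress.ip_address(a) for a in allowed_remote}
    per_src = defaultdict(list)
    for src, qtype, name in queries:
        per_src[src].append((qtype, name))
    report = {}
    for src, items in per_src.items():
        ip = ipaddress.ip_address(src)
        if ip in lan:
            label = "lan"
        elif ip in allowed:
            label = "remote-ok"
        else:
            label = "unexpected"  # someone else reached the forwarder through the WAN port
        report[src] = {
            "label": label,
            "count": len(items),
            "names": sorted({n for _, n in items}),
            # ANY queries from outside are the usual sign of an open resolver being abused
            "any_queries": sum(1 for t, _ in items if t == "ANY"),
        }
    return report


def unexpected_sources(report):
    """Addresses that should not be talking to the forwarder at all, busiest first."""
    bad = [s for s, r in report.items() if r["label"] == "unexpected"]
    return sorted(bad, key=lambda s: -report[s]["count"])


if __name__ == "__main__":
    report = classify_sources(parse_queries(SAMPLE_LOG), "192.168.1.0/24", ["203.0.113.5"])
    for src, r in report.items():
        print(f"{src:16} {r['label']:10} {r['count']:3} queries  {', '.join(r['names'])}")
    print("unexpected:", unexpected_sources(report))
```

Feed it the real log excerpt in place of `SAMPLE_LOG` with your own LAN subnet and the address your laptop currently has; an empty `unexpected_sources()` result is what a forwarder exposed only to you should produce.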



  • Thanks so much for your suggestions. I don't know why I didn't think of Acrylic myself since I looked at it a few weeks ago as a possible alternative to paying for a DNS unblocker service.

    I got it to work (although it wasn't at first because I not only had to point the primary DNS to my home WAN address, but also clear the secondary DNS since Acrylic defaults that to one of the OpenDNS servers). Once I had cleared that, I was able to route my DNS queries from my laptop, through Acrylic on port 888 to my home firewall, from the firewall to the pfSense DNS forwarder on port 53, and back out to the DNS unblocker service. Clearly TekSavvy is blocking port 53 since it worked fine when I connected via port 888.

    Unfortunately this may have all been for naught since the unblocker service still recognizes that I am on a laptop with an IP address different than my home WAN and blocks the queries. The LAN I'm currently on is on a different subnet than my home LAN uses so maybe that is why, since it may confuse the NAT translations.

    I wish my home ISP had a faster upstream speed since then I could simply VPN into my home LAN and stream that way, but upstream speed is only 768Kbps, which is nowhere near fast enough for HD Netflix streaming. Even regular HD (1280x720) requires 3Mbps, and super HD needs up to 8Mbps. I am either going to have to figure out how to spoof my originating IP address when contacting the unblocker DNS server, or revisit using Acrylic to resolve all DNS requests for Netflix hostnames to the US based servers instead of my home country. Basically that is all the unblocker server does anyway, but the trick is figuring out the long list of Netflix hostnames used for playback and then have Acrylic return them instead.

    Anyway, thanks again for your help.



  • Whoops, totally forgot to add the commented out secondary line, doh. My bad.

    I thought there was a bit more to it than that for sure. I thought it hijacks then tunnels you. Though maybe I am wrong. It may seem just like a DNS but there is more going on. How much do you pay for unblocking service? Personally I rent a VPS from chicagovps for $40 a year and run openvpn on there. Connect from wherever and multiple clients.

    There may be some way to screw with it yet. What do the queries look like in the resolver log? Did you clear your DNS cache? Ipconfig -flushdns.

    Did some more reading and what they do is they check IP and tunnel the geoauth then insert your IP back in for receiving the stream. If your IP doesn't match a registered one it won't do the trickery.



  • I will look into this some more over the next few days. Right now I am not paying anything for the unblock service since they are currently in beta, but I got an email a few days ago saying they expect to go gold in a couple of weeks and at that point the service will cost $4.95/mo. They did state that they were planning a discount package for anyone who signs up in the first week after they go live.

    What happens is that as long as I connect to Netflix from my home LAN the unblocker works fine, no matter which device I connect with (I see and can play US programs in Canada on any PC or laptop, a Samsung Smart TV, a WDTV Live HD connected to a dumb TV, and two smartphones). I have pfSense set up with domain overrides for "netflix.com" and "netflix.net" so that any device requesting hostname resolution will normally use the regular DNS servers, but will use the unblocker service for any requests involving Netflix. This is much safer than just pointing pfSense to always use the unblocker DNS since this way your DNS can't get hijacked when you connect to your bank, for instance. The problem is that if I want to watch US Netflix on my laptop or smartphone when I am away from home the unblocker service forces me to change the registered IP address, and then of course it doesn't work for any device on my home LAN till I get home and set it back. This is frustrating for anyone at home who wants to watch US Netflix while I am away.

    I was going to do some experimenting with my OpenVPN connection to my LAN, but I just discovered it is broken right now. It used to work, but now it seems the gateway is not being set up correctly for the VPN connection so nothing routes properly. I don't know what happened since it used to work fine, but I haven't used it in maybe 6 months.

