Netgate Discussion Forum
    Unable to port forward UDP 53

    DHCP and DNS
    gmork

      I've been trying for days to get this working.
      I need to have a public DNS server working behind (NAT) pfsense.

      My DNS server is working just fine, but it is impossible to port forward UDP port 53 to it.
      For now I have my NAT port forwarding both TCP and UDP. TCP is working just fine, but UDP is blocked by pfsense.
      If I change to another port, let's say 54, both TCP and UDP work fine.
      I've tried many different ports and all of them work except UDP port 53?

      tcpdump doesn't show any incoming traffic if it's set to the WAN IP and UDP port 53.
      Is this a bug or by design maybe?

      BTW, I'm using version 2.2.6 of pfsense.

        Doods

        Is the DNS Resolver on pfsense running? By default, it listens on all interfaces, so I am wondering if pfsense is trying to respond to the queries coming into the WAN interface.

          gmork

          @Doods:

          Is the DNS Resolver on pfsense running? By default, it listens on all interfaces, so I am wondering if pfsense is trying to respond to the queries coming into the WAN interface.

          Both DNS Resolver and DNS Forwarder are disabled.
          First thing I checked when I realized that it was only UDP port 53 that didn't forward as it should.

            cmb

            If UDP 53 traffic isn't showing up on WAN in a packet capture, it's not reaching your WAN. Something upstream blocking it or some other reason it's not getting to you. That shows traffic before any processing.

            Port forwards override local services; it doesn't matter if you leave the DNS Forwarder or Resolver running.

              gmork

              @cmb:

              If UDP 53 traffic isn't showing up on WAN in a packet capture, it's not reaching your WAN. Something upstream blocking it or some other reason it's not getting to you. That shows traffic before any processing.

              Port forwards override local services; it doesn't matter if you leave the DNS Forwarder or Resolver running.

              The really weird thing is this. If I'm using tcpdump like this:
              tcpdump -v -i em4 dst host x.x.x.x and dst port 54
              and then sending UDP queries to UDP port 54, it shows up nicely in the console.

              But if I'm using tcpdump like this:
              tcpdump -v -i em4 dst host x.x.x.x and dst port 53
              and sending normal DNS queries, nothing shows up in the console.

              So if what you're saying is true, why don't I see any incoming traffic on WAN with either tcpdump or Packet Capture on UDP port 53?

              FYI: If I change back to my old Netgear everything works, so it isn't blocked by my ISP or anything.

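The reasoning cmb and gmork work through above (a capture on the WAN interface sees packets before NAT and the firewall filter, so a flow that never appears there was never delivered to pfsense) can be applied mechanically to a saved capture. The script below is an added example written for this page, not code from the thread or from pfSense: it parses tcpdump summary lines (the default one-line format rather than the -v layout gmork used), counts inbound packets to the WAN address per protocol and destination port, and reports whether UDP/53 is missing while TCP/53 and UDP/54 do arrive. The WAN address 198.51.100.7, the source 203.0.113.5 and every packet line are constructed sample data.

```python
import re
from collections import Counter

# Constructed tcpdump summary lines (default one-line format). Capture A mirrors the
# thread: TCP/53 and UDP/54 reach the WAN address 198.51.100.7 (placeholder), UDP/53 never does.
CAPTURE_A = """\
12:00:01.000001 IP 203.0.113.5.41234 > 198.51.100.7.53: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.5.41234 > 198.51.100.7.53: Flags [P.], seq 1:45, ack 1, win 502, length 44
12:00:02.000001 IP 203.0.113.5.50001 > 198.51.100.7.54: UDP, length 40
12:00:02.000100 IP 203.0.113.5.50002 > 198.51.100.7.54: UDP, length 40
12:00:03.000001 IP 203.0.113.5.50003 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
"""

# Capture B (constructed) is the same test after the upstream filter is gone. tcpdump
# decodes UDP/53 payloads as DNS, so those lines end with the query, not "UDP, length N".
CAPTURE_B = CAPTURE_A + """\
12:00:04.000001 IP 203.0.113.5.50004 > 198.51.100.7.53: 4242+ A? example.com. (29)
12:00:04.000500 IP 203.0.113.5.50005 > 198.51.100.7.53: 4243+ AAAA? example.com. (29)
"""

# One IPv4 packet per line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump's DNS decode: "<id>[+%$] <QTYPE>? <name>"
DNS_QUERY_RE = re.compile(r"^\d+[+%$]* [A-Z0-9]+\? ")


def classify(rest):
    """Infer the transport from the part of the line after the port pair."""
    if rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("UDP,") or DNS_QUERY_RE.match(rest):
        return "udp"
    return "other"


def parse_capture(text):
    """Turn tcpdump summary lines into per-packet records; non-packet lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines or -v continuation lines carry no port pair
        records.append({
            "proto": classify(m["rest"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return records


def count_inbound(records, wan_ip):
    """Count packets addressed to the WAN IP, keyed by (proto, destination port)."""
    return Counter((r["proto"], r["dport"]) for r in records if r["dst"] == wan_ip)


def diagnose(records, wan_ip, port=53):
    """Apply the thread's logic: the WAN capture sits in front of NAT and the ruleset,
    so a flow that is absent there cannot be a port-forward problem."""
    counts = count_inbound(records, wan_ip)
    tcp, udp = counts[("tcp", port)], counts[("udp", port)]
    if udp > 0:
        return "udp-present"          # UDP/53 reaches the WAN; look at NAT/rules next
    if tcp > 0 or any(p == "udp" for p, _ in counts):
        return "udp-missing-upstream" # other flows arrive, so interface, IP and filter are fine
    return "nothing-seen"             # no traffic at all: recheck interface name, WAN IP, sender


if __name__ == "__main__":
    for name, cap in (("capture A", CAPTURE_A), ("capture B", CAPTURE_B)):
        recs = parse_capture(cap)
        print(name, dict(count_inbound(recs, "198.51.100.7")), "->", diagnose(recs, "198.51.100.7"))
```

Feed it the text of a real WAN capture (tcpdump -n on the WAN interface, or a pfSense Packet Capture download run through tcpdump -r) and compare the verdicts: "udp-missing-upstream" is exactly the situation in this thread, where the sender or something between it and the firewall is the place to look, not the port forward.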
                cmb

                Is em4 your WAN? And x.x.x.x your WAN IP?

                  johnpoz LAYER 8 Global Moderator

                  "tcpdump doesn't show any incoming traffic if it's set to WAN IP and UDP port 53."

                  Dude, if it's not showing up on your WAN, then pfsense can never forward it… What is in front of pfsense?? What does your pfsense WAN connect to??

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                    gmork

                    @cmb:

                    Is em4 your WAN? And x.x.x.x your WAN IP?

                    YES!

                      gmork

                      @johnpoz:

                      "tcpdump doesn't show any incoming traffic if it's set to WAN IP and UDP port 53."

                      Dude, if it's not showing up on your WAN, then pfsense can never forward it… What is in front of pfsense?? What does your pfsense WAN connect to??

                      Why isn't pfsense showing the incoming traffic on UDP port 53 using tcpdump on my WAN?
                      I can use tcpdump and see ALL other traffic on my WAN, including TCP port 53. The only traffic not showing up is UDP port 53??
                      I've also checked with my ISP to be absolutely sure they don't block UDP on port 53.
                      This is why I started this thread :o

                      I've used pfsense since version 1.2.3 and I've never come across this issue before.

                      FYI: I've nothing before pfsense. The pfsense WAN is connected to the fiber converter from my ISP.

                        johnpoz LAYER 8 Global Moderator

                        Dude, if you're not seeing UDP 53 with tcpdump, then it's NOT getting there, plain and simple…

                        Think about it for 2 seconds: what is more likely, tcpdump shows you all other traffic but doesn't show you UDP 53, or it's just not there!!! My bet is it's NOT THERE!!! If it's NOT there then pfsense can not forward it, plain and simple..

                        Where are you sending it from?? Maybe it's blocked from sending from there?

                        I am not forwarding 53, I have no rules that allow 53 even... But I do a simple tcpdump on my WAN interface for dst 53 and use one of my VPSes and send a dig to that IP and there you go.. tcpdump showing it..

                        So either you're not sending it, it's getting blocked somewhere in between, you're sending it to the wrong IP, or you're not running tcpdump correctly.. If tcpdump is not seeing the traffic then it's not there - if it's not there then you can not forward it..

                        (attached screenshot: dnsinboundvps.png)


                          gmork

                          @johnpoz:

                          Think about it for 2 seconds: what is more likely, tcpdump shows you all other traffic but doesn't show you UDP 53, or it's just not there!!! My bet is it's NOT THERE!!! If it's NOT there then pfsense can not forward it, plain and simple..

                          Hehe…you just said what I was thinking. Maybe it's not there or pfsense is fucking with me ???
                          Nevertheless, I switched back to my old Netgear just to check that traffic is really coming to my WAN on UDP 53.
                          To my big surprise, nothing is coming in on UDP port 53 to my Netgear either??

                          Called my ISP once again; this time a technician informed me that they just added a filter to block out certain ports, one of which was UDP port 53 :o

                          • When did you add the filter, I asked?
                          • He replied: Hmm, I think it was two days ago. :-\

                          So the same day I switched to a new pfsense with the latest version, my ISP added a new filter...what are the odds? ;)
                          Anyway, the good thing is that my ISP can remove the filter on my account, so I can run my own DNS.

                          I apologize for taking your time for a non-existent problem.

                            johnpoz LAYER 8 Global Moderator

                            Yeah, with all the DNS amplification attacks of late, the new glibc DNS client issue.. To be honest there is ZERO reason to try and host your own DNS..

                            Even if you had gig up and down, it's pointless - you're 1 IP.. If your computer(s) are on 24/7 – do you have some SLA for power from your elec company??

                            You can host DNS for FREE many places, HE is one, or for like $29 a year you can get like 5 million plus queries a month to your multiple domains, etc.. Anycast - multiple global DCs, etc. etc. etc..

                            What you should do is take it as a sign that your ISP blocked it that you should actually host it correctly ;) How are you getting your 2nd server?? DNS has to have a min of 2 servers and there is supposed to be geographic diversity, etc.


                              gmork

                              @johnpoz:

                              Yeah, with all the DNS amplification attacks of late, the new glibc DNS client issue.. To be honest there is ZERO reason to try and host your own DNS..

                              Even if you had gig up and down, it's pointless - you're 1 IP.. If your computer(s) are on 24/7 – do you have some SLA for power from your elec company??

                              You can host DNS for FREE many places, HE is one, or for like $29 a year you can get like 5 million plus queries a month to your multiple domains, etc.. Anycast - multiple global DCs, etc. etc. etc..

                              What you should do is take it as a sign that your ISP blocked it that you should actually host it correctly ;) How are you getting your 2nd server?? DNS has to have a min of 2 servers and there is supposed to be geographic diversity, etc.

                              I've had my own little computer company since 2003. I've got "real" servers in a rack with dual UPS units.
                              I'm running two Xenservers with HA so I can patch without interrupting the servers.

                              Now to my DNS issue.
                              For the moment I've got two DNS servers that I admin myself.
                              The primary DNS is located at a big company which is also my client, so I have my own virtual server running at their place ::) Good and stable hardware on 100Mbit fiber.
                              My secondary DNS is located 300 miles away at another company, also on fiber.

                              What's happened is that the company where my secondary DNS is located is closing down their business.
                              So I thought I'd move the secondary DNS "home".

                              That's why all this fuss started ;D

                                Derelict LAYER 8 Netgate

                                +1 for HE.net DNS. Dyn is also decent. I see little reason to host your own authoritative DNS.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  johnpoz LAYER 8 Global Moderator

                                  So you have a computer and need to host your DNS for why exactly?? What should be local is local DNS; you need to resolve your stuff that is not public.. Anything that is public, dude, really leave the hosting of that to the companies that do that for their bread and butter.

                                  Is your DNS IPv6? So you have geographic diversity, what about carrier? Who are the internet providers, who are the peers? Are they in a DC where you have DDoS protection, or could someone with a decent home connection take down your DNS ;)

                                  How many domains do you have? Do you have IPv6 connectivity? There really is just no reason to host your own DNS, other than your own local authoritative and recursive caching servers..


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.