Unable to port forward UDP 53



  • I've been trying for days to get this working.
    I need to have a public DNS server working behind (NAT) pfsense.

    My DNS server is working just fine, but it is impossible to port forward UDP port 53 to it.
    For now I have my NAT port forwarding both TCP and UDP. TCP is working just fine, but UDP is blocked by pfsense.
    If I change to another port, let's say 54, both TCP and UDP work fine.
    I've tried many different ports and all of them work except UDP port 53?

    tcpdump doesn't show any incoming traffic if it's set to WAN IP and UDP port 53.
    Is this a bug or by design maybe?

    BTW, I'm using version 2.2.6 of pfsense.



  • Is the DNS resolver on pfsense running? By default, it listens on all interfaces so I am wondering if pfsense is trying to respond to the queries coming into the WAN interface.



  • @Doods:

    Is the DNS resolver on pfsense running? By default, it listens on all interfaces so I am wondering if pfsense is trying to respond to the queries coming into the WAN interface.

    Both DNS Resolver and DNS Forwarder are disabled.
    First thing I checked when I realized that it was only UDP port 53 that didn't forward as it should.



  • If UDP 53 traffic isn't showing up on WAN in a packet capture, it's not reaching your WAN. Something upstream is blocking it, or there is some other reason it's not getting to you. The capture shows traffic before any processing.

    Port forwards override local services, doesn't matter if you leave DNS Forwarder or Resolver running.



  • @cmb:

    If UDP 53 traffic isn't showing up on WAN in a packet capture, it's not reaching your WAN. Something upstream is blocking it, or there is some other reason it's not getting to you. The capture shows traffic before any processing.

    Port forwards override local services, doesn't matter if you leave DNS Forwarder or Resolver running.

    The really weird thing is: if I'm using tcpdump like this:
    tcpdump -v -i em4 dst host x.x.x.x and dst port 54
    and then sending UDP queries to UDP port 54, it shows up nicely in the console.

    But if I'm using tcpdump like this:
    tcpdump -v -i em4 dst host x.x.x.x and dst port 53
    and sending normal DNS queries, nothing shows up in the console.

    So if what you're saying is true, why don't I see any incoming traffic on WAN with either tcpdump or Packet Capture on UDP port 53?

    FYI: If I change back to my old Netgear everything works, so it isn't blocked by my ISP or anything.



  • Is em4 your WAN? And x.x.x.x your WAN IP?


  • LAYER 8 Global Moderator

    "tcpdump doesn't show any incoming traffic if it's set to WAN IP and UDP port 53."

    Dude, if it's not showing up on your WAN, then pfsense can never forward it… What is in front of pfsense?? What does your pfsense WAN connect to??



  • @cmb:

    Is em4 your WAN? And x.x.x.x your WAN IP?

    YES!



  • @johnpoz:

    "tcpdump doesn't show any incoming traffic if it's set to WAN IP and UDP port 53."

    Dude, if it's not showing up on your WAN, then pfsense can never forward it… What is in front of pfsense?? What does your pfsense WAN connect to??

    Why isn't pfsense showing the incoming traffic on UDP port 53 using tcpdump on my WAN?
    I can use tcpdump and see ALL other traffic on my WAN, including TCP port 53. The only traffic not showing up is UDP port 53??
    I've also checked with my ISP to be absolutely sure they don't block UDP on port 53.
    This is why I started this thread :o

    I've used pfsense since version 1.2.3 and I've never come across this issue before.

    FYI: I've nothing before pfsense. The pfsense WAN is connected to the fiber converter from my ISP.


  • LAYER 8 Global Moderator

    Dude, if you're not seeing UDP 53 with tcpdump, then it's NOT getting there, plain and simple…

    Think about it for 2 seconds: what is more likely, tcpdump shows you all other traffic but doesn't show you UDP 53, or it's just not there!!! My bet is it's NOT THERE!!! If it's NOT there then pfsense cannot forward it, plain and simple..

    Where are you sending it from?? Maybe it's blocked from sending from there?

    I am not forwarding 53, I have no rules that allow 53 even... But I do a simple tcpdump on my WAN interface for dst 53 and use one of my VPSes to send a dig to that IP and there you go.. tcpdump showing it..

    So either you're not sending it, it's getting blocked somewhere in between, you're sending it to the wrong IP, or you're not running tcpdump correctly.. If tcpdump is not seeing the traffic then it's not there - if it's not there then you cannot forward it..
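The check described above (a query sent from an external host while tcpdump watches the WAN) can be scripted from the sending side. This is an added example, not code from the thread; it assumes, as the original poster's test did, that the DNS server is also reachable on an alternative forwarded port (54 here) so that a UDP/53-only filter can be told apart from a host that answers nothing at all.

```python
import socket
import struct

def build_query(name: str = "example.com", txid: int = 0x1234) -> bytes:
    """Minimal DNS query (A record, RD set): 12-byte header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_matches(query: bytes, reply: bytes) -> bool:
    """True if reply is a DNS response (QR bit set) carrying the query's txid."""
    if len(reply) < 12:
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)

def probe(host: str, port: int, transport: str, timeout: float = 2.0) -> bool:
    """Send one query over udp or tcp; True only if a matching answer returns."""
    query = build_query()
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (host, port))
                reply, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                hdr = s.recv(2)
                reply = s.recv(struct.unpack("!H", hdr)[0]) if len(hdr) == 2 else b""
    except OSError:  # timeout, connection refused, network unreachable
        return False
    return response_matches(query, reply)

def verdict(results: dict) -> str:
    """Interpret {(transport, port): answered} the way the thread reasons."""
    if results[("udp", 53)]:
        return "udp/53 reachable"
    if results[("tcp", 53)] and results[("udp", 54)]:
        return "only udp/53 filtered: look upstream of the firewall"
    if not any(results.values()):
        return "nothing answers: host down or everything filtered"
    return "udp/53 unanswered: check firewall rules and service binding"

def diagnose(host: str) -> str:
    """Probe UDP and TCP on 53 and the alternative port 54, then classify."""
    results = {(t, p): probe(host, p, t) for t in ("udp", "tcp") for p in (53, 54)}
    return verdict(results)
```

Run `diagnose("x.x.x.x")` from a host outside the ISP link while `tcpdump -i em4 dst host x.x.x.x and dst port 53` runs on the WAN; a verdict of "only udp/53 filtered" together with an empty capture points at the path, not at the firewall rules.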




  • @johnpoz:

    Think about it for 2 seconds: what is more likely, tcpdump shows you all other traffic but doesn't show you UDP 53, or it's just not there!!! My bet is it's NOT THERE!!! If it's NOT there then pfsense cannot forward it, plain and simple..

    Hehe… you just said what I was thinking. Maybe it's not there, or pfsense is fucking with me ???
    Nevertheless, I switched back to my old Netgear just to check that traffic is really coming to my WAN on UDP 53.
    To my big surprise, nothing is coming to UDP port 53 on my Netgear either??

    Called my ISP once again; this time a technician informed me that they had just added a filter to block out certain ports, one of which was UDP port 53 :o

    • When did you add the filter, I asked?
    • He replied: Hmm, I think it was two days ago. :-\

    So the same day I switched to a new pfsense with the latest version, my ISP added a new filter... what are the odds? ;)
    Anyway, the good thing is that my ISP can remove the filter on my account, so I can run my own DNS.

    I apologize for taking your time over a non-existent problem.


  • LAYER 8 Global Moderator

    Yeah, with all the DNS amplification attacks of late, the new glibc DNS client issue.. To be honest there is ZERO reason to try and host your own DNS..

    Even if you had gig up and down, it's pointless - you're 1 IP.. If your computer(s) are on 24/7 – do you have some SLA for power from your electric company??

    You can host DNS for FREE many places, HE is one, or for like $29 a year you can get like 5 million plus queries a month to your multiple domains, etc.. Anycast - multiple global DCs, etc. etc. etc..

    What you should do is take it as a sign, since your ISP blocked it, that you should actually host it correctly ;) How are you getting your 2nd server?? DNS has to have min 2 servers and there is supposed to be geographic diversity, etc.



  • @johnpoz:

    Yeah, with all the DNS amplification attacks of late, the new glibc DNS client issue.. To be honest there is ZERO reason to try and host your own DNS..

    Even if you had gig up and down, it's pointless - you're 1 IP.. If your computer(s) are on 24/7 – do you have some SLA for power from your electric company??

    You can host DNS for FREE many places, HE is one, or for like $29 a year you can get like 5 million plus queries a month to your multiple domains, etc.. Anycast - multiple global DCs, etc. etc. etc..

    What you should do is take it as a sign, since your ISP blocked it, that you should actually host it correctly ;) How are you getting your 2nd server?? DNS has to have min 2 servers and there is supposed to be geographic diversity, etc.

    I've had my own little computer company since 2003. I've got "real" servers in a rack with dual UPS units.
    I'm running two XenServers with HA so I can patch without interrupting the servers.

    Now to my DNS issue.
    For the moment I have two DNS servers that I admin myself.
    The primary DNS is located at a big company which is also my client, so I have my own virtual server running at their place ::) Good and stable hardware on 100Mbit fiber.
    My secondary DNS is located 300 miles away at another company, also on fiber.

    What's happened is that the company where my secondary DNS is located is closing down their business.
    So I thought I'd move the secondary DNS "home".

    That's why all this fuss started ;D


  • LAYER 8 Netgate

    +1 for HE.net DNS. Dyn is also decent. I see little reason to host your own authoritative DNS.


  • LAYER 8 Global Moderator

    So you have a computer and need to host your DNS for why exactly?? What should be local is local DNS; you need to resolve your stuff that is not public.. Anything that is public, dude, really leave the hosting of that to the companies that do that for their bread and butter.

    Is your DNS IPv6? So you have geographic diversity, what about carrier? Who are the internet providers, who are the peers? Are they in a DC where you have DDoS protection, or could someone with a decent home connection take down your DNS ;)

    How many domains do you have? Do you have IPv6 connectivity? There really is just no reason to host your own DNS, other than your own local authoritative and recursive caching servers..

