
I'm trying to forward port 53 from the host to one of my KVM virtual machine guests on the virbr0 interface (which uses NAT).

The guest VM is going to run a customized DNS server. However, after forwarding port 53, DNS will not resolve in the guest. I just keep getting the error "Temporary failure in name resolution".

If I delete my iptables rule from the host, DNS resolves again in the guest VM. What needs to be done to get DNS to work in the guest while allowing port 53 to be forwarded from the host to the guest?

iptables rules I'm using in a hook script:

/sbin/iptables -I FORWARD -o virbr0 -d 192.168.122.5 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 53 -j DNAT --to 192.168.122.5:53
/sbin/iptables -t nat -I PREROUTING -p udp --dport 53 -j DNAT --to 192.168.122.5:53

Anyone know? Other ports forwarded in this same manner appear to work as expected. DNS won't though, and I don't know why. I have port 53 forwarded on my home network router, and I don't have this issue. Maybe it's a KVM bug? I'm running CentOS 8 with the latest versions of qemu and kvm.

OwN
  • Why are you trying to use port forwarding instead of just accessing it directly? You have total control of the network and no need for dirty hacks. – Michael Hampton Nov 13 '20 at 06:31
  • Because I need my public IP address to resolve to that NAT server on port 53 due to limited IPv4 addresses. There are many reasons this is needed. These are not "dirty" hacks either. – OwN Nov 13 '20 at 07:37
  • Your post read like this was entirely on an internal network, not on the public Internet, thus my confusion. Anyway you'll have to use NAT in this case. Though NAT itself is a dirty hack, but that's a discussion for elsewhere and millions of words have been written about it already. – Michael Hampton Nov 13 '20 at 08:36

1 Answer


Your DNAT rules are too generic. They attempt to forward all DNS traffic to your VM, rather than just the traffic they should apply to: DNS traffic originating from outside. Thus when your guest DNS server sends its own DNS queries, they get redirected back to itself.

To fix the problem, also specify the interface on which incoming DNS traffic will arrive from the network, or alternatively, the interface to exclude.

/sbin/iptables -t nat -I PREROUTING -i enp4s0 -p udp --dport 53 -j DNAT --to 192.168.122.5:53

or

/sbin/iptables -t nat -I PREROUTING \! -i virbr0 -p udp --dport 53 -j DNAT --to 192.168.122.5:53
Michael Hampton
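The fix above, carried through into a complete libvirt hook script, as an added example that is not the script from the question or code from the answer. It assumes a guest named dns1 and an Internet-facing interface named enp4s0 (the name the answer used as its illustration); both are placeholders, as are the IPTABLES override and the dry-run mechanism, which exist so the script can be exercised without root.

```shell
#!/bin/sh
# Added example (not the hook script from the question or the answer's own code):
# a libvirt qemu hook, installed as /etc/libvirt/hooks/qemu, that forwards
# TCP and UDP port 53 from the host's Internet-facing interface to the guest.
# The DNAT is limited with -i to packets arriving on that interface, so the
# guest DNS server's own upstream queries (which enter PREROUTING on virbr0)
# are no longer redirected back to the guest.
#
# Assumptions not taken from the original page: the guest's libvirt name is
# "dns1" and the Internet-facing interface is enp4s0. libvirt calls this
# script as:  qemu <guest_name> <operation> <sub_operation> <extra>

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run
GUEST="dns1"                              # assumed libvirt guest name
GUEST_IP="192.168.122.5"
WAN_IF="enp4s0"                           # assumed Internet-facing interface
BR_IF="virbr0"
DNS_PORT="53"

# Emit the rule set. $1 is the iptables action: -I to insert, -D to delete
# (iptables -D accepts the same rule specification that -I used).
dns_rules() {
    action="$1"
    # Let forwarded packets reach the guest; -I puts this ahead of the
    # REJECT rules libvirt installs for virbr0.
    "$IPTABLES" "$action" FORWARD -o "$BR_IF" -d "$GUEST_IP" -j ACCEPT
    for proto in tcp udp; do
        # -i "$WAN_IF" is the fix: without it the rule also matched queries
        # the guest itself sends out, which arrive here via virbr0.
        "$IPTABLES" -t nat "$action" PREROUTING -i "$WAN_IF" -p "$proto" \
            --dport "$DNS_PORT" -j DNAT --to-destination "$GUEST_IP:$DNS_PORT"
    done
}

# Dispatch on the guest name and lifecycle operation libvirt passes in.
# Rules are removed before being re-added on start so a crashed guest or a
# libvirtd restart (reconnect) does not leave duplicates behind.
apply_hook() {
    guest="$1"
    op="$2"
    [ "$guest" = "$GUEST" ] || return 0
    case "$op" in
        start|reconnect)
            dns_rules -D 2>/dev/null || true
            dns_rules -I
            ;;
        stopped)
            dns_rules -D
            ;;
    esac
}

# Only act when libvirt invokes the script with arguments; sourcing the file
# (for example to test it) defines the functions without touching the firewall.
if [ "$#" -ge 2 ]; then
    apply_hook "$1" "$2"
fi
```

Install it as /etc/libvirt/hooks/qemu, make it executable and restart libvirtd; `IPTABLES=echo sh qemu dns1 start` prints the rules it would apply so you can check every DNAT line carries `-i enp4s0` before the script ever runs as root. The reason only the guest broke, and never the host's own resolver, is that PREROUTING only sees packets entering from an interface: the host's locally generated queries bypass it, while the guest's queries arrive on virbr0 and were matched by the unrestricted rule.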