7

I've got a Bind 9 DNS server sitting behind a NAT firewall, assume the Internet facing IP is 1.2.3.4

There are no restrictions on outgoing traffic, and port 53 (TCP/UDP) is forwarded from 1.2.3.4 to the internal DNS server (10.0.0.1). There are no IP Tables rules on either the VPS or the internal Bind 9 server.

From a remote Linux VPS located elsewhere on the internet, nslookup works fine

# nslookup foo.example.com 1.2.3.4
Server:    1.2.3.4
Address:   1.2.3.4#53

Name:      foo.example.com
Addresss:  9.9.9.9

However, when using the host command on the remote VPS, I receive the following output:

# host foo.example.com 1.2.3.4
;; reply from unexpected source: 1.2.3.4#13731, expected 1.2.3.4#53
;; reply from unexpected source: 1.2.3.4#13731, expected 1.2.3.4#53
;; connection timed out; no servers could be reached.

From the VPS, I can establish a connection (using telnet) to 1.2.3.4:53

From the internal DNS server (10.0.0.1), the host command appears to be fine:

# host foo.example.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

foo.example.com has address 9.9.9.9

Any suggestions as to why the host command on my VPS is complaining about the reply coming back from another port, and what can I do to fix this?

Further info:

From a windows host external to the network

>nslookup foo.example.com 1.2.3.4
DNS request timeout
    timeout was 2 seconds
Server: UnKnown
Address: 1.2.3.4

DNS request timed out.
    timeout was 2 seconds
DNS request timed out.
    timeout was 2 seconds
DNS request timed out.
    timeout was 2 seconds
DNS request timed out.
    timeout was 2 seconds
*** Request to UnKnown timed-out

This is a default install of bind from Ubuntu 12.04 LTS, with around 11 zones configured.

$ named -v
BIND 9.8.1-P1

TCP Dump (filtered) from internal DNS server

20:36:29.175701 IP pc.external.com.57226 > dns.example.com.domain: 1+ PTR? 4.3.2.1.in-addr.arpa. (45)
20:36:29.175948 IP dns.example.com.domain > pc.external.com.57226: 1 Refused- 0/0/0 (45)
20:36:31.179786 IP pc.external.com.57227 > dns.example.com.domain: 2+[|domain]
20:36:31.179960 IP dns.example.com.domain > pc.external.com.57227: 2 Refused-[|domain]
20:36:33.180653 IP pc.external.com.57228 > dns.example.com.domain: 3+[|domain]
20:36:33.180906 IP dns.example.com.domain > pc.external.com.57228: 3 Refused-[|domain]
20:36:35.185182 IP pc.external.com.57229 > dns.example.com.domain: 4+ A? foo.example.com. (45)
20:36:35.185362 IP dns.example.com.domain > pc.external.com.57229: 4*- 1/1/1 (95)
20:36:37.182844 IP pc.external.com.57230 > dns.example.com.domain: 5+ AAAA? foo.example.com. (45)
20:36:37.182991 IP dns.example.com.domain > pc.external.com.57230: 5*- 0/1/0 (119)

TCP Dump from client during query

21:24:52.054374 IP pc.external.com.43845 > dns.example.com.53: 6142+ A? foo.example.com. (45)
21:24:52.104694 IP dns.example.com.29242 > pc.external.com.43845: UDP, length 95
Bryan
  • 7,628
  • 15
  • 69
  • 94
  • It looks a bit like your NAT rules for UDP were broken. Can you check with a packet sniffer if the UDP DNS answer packets leaving your network are *really* mangled to carry a different source port number than 53? – the-wabbit Sep 10 '12 at 19:27
  • Thanks @syneticon-dj, I've updated the question to show a TCP dump, so it looks like it is the NAT rules that are broken on our DSL router, however I don't claim to understand the details at the end of each line of the `tcpdump` output. – Bryan Sep 10 '12 at 19:42
  • 3
    the tcpdump trace on your DNS server looks alright - it hands out responses as it should. As I suspect that your NAT would be misconfigured or broken, a tcpdump trace from the router's external interface or another device in the routing path to the client (including the client itself) would be needed to verify this. – the-wabbit Sep 10 '12 at 20:02
  • @syneticon-dj I've updated the question again to show the client `tcpdump` output. There are no other points at which I can examine the traffic, but I think the results are pretty conclusive wouldn't you agree? p.s. Please post your comment as an answer, so I can accept. Time to go shopping for a new router I guess! – Bryan Sep 10 '12 at 20:29

2 Answers2

5

To sum up what has been previously written in comments with some further explanation:

It looks a bit like your NAT rules for UDP were broken. An indication is the error message reply from unexpected source: 1.2.3.4#13731, expected 1.2.3.4#53 and your trace taken from the client where the response looks like dns.example.com.29242 > pc.external.com.43845: UDP, length 95. The source port for the response packet should be 53, it is correct in your dump taken from the DNS server (where resolves to domain for display purposes).

While some (especially historic) resolvers may accept DNS responses from different ports / IPs, most would not - mainly due to security reasons to impede DNS spoofing and cache poisoning attacks.

At any rate, for connectionless UDP NAT traffic, your router should preserve state data from the previously received UDP DNS query packet and re-map the IP:port tuple for the response packet back to 1.2.3.4:53 - which it apparently does not. It may be a configuration error or a bug in the way the router is handling the UDP state table for port forwarding cases - so your best bet would be to open a case with the manufacturer's customer support (having upgraded the code to the latest/greatest beforehand - such an issue is likely to have been noticed by other users previously and thus likely to already be fixed).

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • I get the error even though my ports are correct.192.168.1.9.38655 > 8.8.8.8.53: 10937+ A? www.google.com – Natus Drew Jan 18 '16 at 06:00
  • @nathan it looks like your use case is different than the one described here. I'd suggest opening a new question with more details. – the-wabbit Jan 18 '16 at 14:26
  • In regard to the DNS spoofing, [I was under attack earlier this year (2020)](https://security.stackexchange.com/questions/237127/why-would-hackers-attack-a-dns-server-with-a-dos) and so I can that this is real. There is information about what not to do to avoid such a problem. – Alexis Wilke Nov 17 '20 at 04:53
0

OK... ...I'm only going to say this once... ...You cannot reach a private DNS through a NAT, unless the NAT is the DNS. If you have to port forward to get to a device, the device then has to be configured to respond on that port.

For instance, I send a DNS query on any port to any DNS on my internal network, I don't need a port number because they are not behind a NAT, the message is direct and I get a DNS lookup from my local DNS server, running on the default DNS ports.

You sent a query on a specific port to an external network. Is that port the default DNS response port? If not, I think you know which one is. It was given to you in the error message. Try setting your DNS server to respond on specific port numbers if possible. Set it to respond on 53 like your example. If it still will not go, your NAT is rerouting the message to an outgoing port number.

Just because you send data over the port number to a specific machine doesn't mean the data comes back over the same port number. The DNS response port might be different, which is problem A, and a router sends the response back after NAT on an open port along the return address, a port that isn't necessarily the same as the incoming port. First your message goes to the router, then to the desired port, then to the machine that port forwards to, then comes back along the response port, to the router, which translates the address and port, and sends it back to your address.

Try port triggering on the router at the DNS side. Set it to open port 53 when port 53 is turned on from behind the NAT. If that doesn't work, check your DNS server and set it to respond on port 53 also. That Should allow the messaging to function.

If this is a DNS for a VPN style network, the VPN should be active, and that server should get the port forwarded, while the DNS has a static address on the VPN subnet. Now you can connect the VPN host server and client server, and anybody behind a client server can see the DNS as the primary, with their internet gateway as their secondary, and their ISP DNS as a tertiary.

Alexis Wilke
  • 2,210
  • 1
  • 20
  • 37
harley thomas Davis
  • 1
  • Yes you can :-) You need to do a masquerade on the NAT packets in the postrouting towards the DNS. That's how it work for me. – Aviator Jan 05 '20 at 08:12