DNS port forward

derfz
Aspirant

DNS port forward

Hello all

 

I seem to be having trouble forwarding DNS to my server.

 

I have setup port forwarding 53 TCP/UDP to my server IP, but when I test it I only get a response from TCP. To test I set port 53 to UDP only and it failed outright.

 

Just wondering if I'm missing something.

 

Regards

 

Fred

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 1 of 10

antinode
Guru

Re: DNS port forward

> I have setup port forwarding 53 TCP/UDP to my server IP, [...]

   What is your "my server"?

> [...] when I test it [...]

   How, exactly?  What happens if you "test it" using the LAN IP address
of your "my server"?  Using your public IP address from within your LAN?

> Just wondering if I'm missing something.

   At the very least, a clear description of what you're doing.

> Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router

   Is that accurate?  Firmware version?

Message 2 of 10
derfz
Aspirant

Re: DNS port forward

Server: Debian 9 running bind (not that this is relevant)

 

Secondary DNS server: BuddyDNS. They have a test service within their console. But I have also used several other internet based DNS test services.

Test results:

Status: Complete

UDP queries ERROR

TCP queries OK

AXFR queries OK

 

The following tests were done from a different server on the same LAN.

 

LAN IP UDP test: nc -vz -u local.ip.of.server 53

Response: Connection to local.ip.of.server 53 port [udp/domain] succeeded!

 

LAN FQDN UDP test: nc -vz -u fqdn.of.server 53

Response: Connection to fqdn.of.server 53 port [udp/domain] succeeded!

 

Firmware: Firmware Version V1.0.4.12_10.1.46 (up to date)

 

My lan tests indicate that port 53 TCP/UDP are open and active. However it appears that connections from outside my lan only connect via TCP.

 

However I cannot rule out that my ISP may be blocking or limiting port 53:UDP inbound requests.

 

Regards

 

Fred

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 3 of 10
derfz
Aspirant

Re: DNS port forward

I have just spoken with my Internet provider and they have confirmed that there are no blocks on my service.

 

Hence I believe that the issue may be with the router given the above tests.

 

Regards

 

Fred

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 4 of 10
antinode
Guru

Re: DNS port forward

> Secondary DNS server: BuddyDNS. They have a test service [...]

   "buddyns.com"?

> [...] I have also used several other internet based DNS test services.

   If you disclosed what you actually did, then I might easily be able
to run similar tests against my D7000, which might tell us if Netgear
ever did this right.  (I haven't noticed any problems, but that may
prove little.)

Message 5 of 10
derfz
Aspirant

Re: DNS port forward

Prerequisites:

A hosted domain (domain.tld)

Ability to assign custom domain servers to that domain.

Point the primary NS server to ns1.domain.tld along with the IP. This is your external (Internet) IP. This should be static.

Point the secondary NS server to ns2.domain.tld with the buddydns server IP you have selected.

Install Bind9 (named) on a machine on your LAN. I installed it on a debian9 server.

Setup the domain (domain.tld) on bind as a master (authoritative)

Setup delegation and domain transfer as per the instructions on buddydns.

Ensure you have port forwarding setup on your router with port 53 UDP/TCP pointing to the IP of the machine with bind on it.

You will need to ensure any firewall in operation on the machine with bind on it is allowing port 53

 

Note: When you change the DNS settings with your provider it can take up to 48 hours to propagate.

When you make changes on your bind server the changes take effect immediately, but can take up to 48 hours to propagate to all servers.

Your hosted domain (domain.tld) is often referred to as FQDN.

Google is your friend when locating a DNS testing service.

 

I'm currently investigating changing the firmware to some other third party firmware to see if that will resolve the issue. And the router isn't under warranty, so if I brick it I'll simply upgrade to the X10.

 

Regards

 

Fred

Message 6 of 10
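A way to check the setup described above from outside the LAN that actually exercises the DNS protocol on both transports, unlike `nc -z -u` in message 3, which reports "succeeded" for UDP without ever receiving a reply: this is an added example, not code from the original thread. It assumes Python 3, and that you pass your public IP and a name the bind server is authoritative for (both are placeholders here).

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    # Minimal DNS wire-format query: header (RD=1, one question) + QNAME + QTYPE + QCLASS IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Return (txid, is_response, rcode, answer_count) from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an

def frame_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full DNS message arrived")
        buf += chunk
    return buf

def query(server, name, proto, timeout=3.0):
    """Send one A query over 'udp' or 'tcp'; return the raw reply, or None if nothing valid came back."""
    q = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(frame_tcp(q))
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except OSError:  # includes socket.timeout and ConnectionError
        return None
    txid, is_resp, _rcode, _an = parse_header(data)
    # Only count it as working if the reply echoes our transaction ID and has QR set.
    return data if (txid == 0x1234 and is_resp) else None

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]  # placeholders: your.public.ip domain.tld
    for proto in ("udp", "tcp"):
        reply = query(server, name, proto)
        print(proto, "no valid reply" if reply is None else "rcode=%d answers=%d" % parse_header(reply)[2:])
```

Run it from a host outside your LAN; a UDP "no valid reply" with a TCP answer reproduces the symptom in this thread, while a timeout on both points at the server or its firewall rather than the transport.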
antinode
Guru

Re: DNS port forward

> Prerequisites:
> [...]

   Thanks for the lecture.  I have a domain and a DNS server under my
control.

> Google is your friend when locating a DNS testing service.

   Google does not tell me how you tested your DNS server, which, as you
may recall, is what I asked.  My goal was not to waste my time trying to
guess how to replicate your tests and/or results.  It still is.

Message 7 of 10
derfz
Aspirant

Re: DNS port forward


@antinode wrote:

> Prerequisites:
> [...]

   Thanks for the lecture.  I have a domain and a DNS server under my
control.

> Google is your friend when locating a DNS testing service.

   Google does not tell me how you tested your DNS server, which, as you
may recall, is what I asked.  My goal was not to waste my time trying to
guess how to replicate your tests and/or results.  It still is.


Read my second post, it does tell you what I did to test. Although it doesn't say I did the nc command tests from another server on my LAN.

 

I changed my firmware to tomotoUSB in an attempt to resolve this, but that didn't work for me, so I switched back to the factory firmware. I'm thinking of ditching the router as this is the obvious problem and I'm simply not skilled enough to resolve the problem myself.

 

Regards

 

Fred

Message 8 of 10
antinode
Guru

Re: DNS port forward

> Read my second post, it does tell you what I did to test.

   I don't have an account with BuddyNS, so I assume that I can't use
their "a test service within their console", and "UDP queries ERROR"
doesn't tell me much, either.  I'm far from an authority, but my dim
impression was that UDP was used for DNS much more than TCP, so that if
UDP port forwarding was bad, hardly anything would work.  (And, as I
said, "I haven't noticed any problems" around here, but I don't know how
to reproduce your test(s).)

> Although it doesn't say [...]

   No, it does say.  As I said, I was looking for a way to compare the
behavior of your server with that of mine from an outside-world
location.  And, as I complained before, "I have also used several other
internet based DNS test services" was less than helpful.

> I changed my firmware to tomotoUSB [...] I'm thinking of ditching the
> router as this is the obvious problem [...]

   You think that the _hardware_ is the problem?  That wouldn't be my
first guess.

Message 9 of 10
derfz
Aspirant

Re: DNS port forward

I have managed to resolve the issue.

 

I went back to a smoothwall firewall and simply attached my router to it as an AP. Now the router does nothing but connect wireless clients and the smoothwall does all the internet management.

 

Port 53 UDP has security issues, so I'm assuming netgear have setup security so hard for my router that it blocks it completely. As I understand it, port 53 TCP is used predominantly for basic DNS requests, where port 53 UDP for the most part is used for delegation/transfer etc requests.

 

Regards

 

Fred

Message 10 of 10