Author Topic: Try to NAT port 53 (Read 749 times)

tverweij · « **on:** July 18, 2024, 11:08:48 pm »

I am trying to MAP port 53 and some other ports, only from a specific source, and map it to a specific machine in the LAN.

All other ports work, but for 53, I don't even see the connections in the in the logs.
So, I don't see it even blocked.

Is this something from within OpnSense, or do I have to contact my Internet provider to ask him to open port 53?
Because, as far as I know, all ports should be open ...

cookiemonster · « **Reply #1 on:** July 19, 2024, 12:00:31 am »

Unclear.
Do you mean you want to forward dns queries (port 53) from WAN to a specific machine on LAN , or within your LAN, or something else?
ISPs tend to apply filtering on that port on their DNS servers that they provide as part of normal service to their clients, but that is going from your WAN out to Internet through their network.
Perhaps you can clarify what you are trying to do a bit more.

Vilhonator · « **Reply #2 on:** July 19, 2024, 12:52:04 am »

On consumer internet contracts you won't be able to host your own DNS server which is open to internet, you need to either host that DNS on VPS like azure or AWS or setup VPN or proxy.

ISPs of most countries block incoming DNS traffic on UDP 53 to prevent people being able to mess up global DNS servers and DNS spoofing, outgoing smtp traffic on TCP 25 to prevent spamming and few other ports only hosting companies like google, amazon AWS, Microsoft and Eila Kaisla need, in fact some countries (for example Finland for one) even have laws which obligate ISPs to do that.

tverweij · « **Reply #3 on:** July 19, 2024, 01:28:20 pm »

Quote from: cookiemonster on July 19, 2024, 12:00:31 am

Unclear.
Do you mean you want to forward dns queries (port 53) from WAN to a specific machine on LAN , or within your LAN, or something else?

I want to forward DNS queries from WAN (originating from specific IP's) to a specific machine on LAN.

tverweij · « **Reply #4 on:** July 19, 2024, 01:33:51 pm »

Quote from: Vilhonator on July 19, 2024, 12:52:04 am

On consumer internet contracts you won't be able to host your own DNS server which is open to internet, you need to either host that DNS on VPS like azure or AWS or setup VPN or proxy.

ISPs of most countries block incoming DNS traffic on UDP 53 to prevent people being able to mess up global DNS servers and DNS spoofing, outgoing smtp traffic on TCP 25 to prevent spamming and few other ports only hosting companies like google, amazon AWS, Microsoft and Eila Kaisla need, in fact some countries (for example Finland for one) even have laws which obligate ISPs to do that.

Its a business contract, not consumer.

But clear - port 25 incoming just works, but it look like 53 is blocked by the provider.
But I already fond another solution that solves the problem, and this can be closed as OpnSense is not the cause.

For the solution (in the case someone is interested):

Its for a branche office with 2 people - we do not have a site2site VPN and don't want one.
So I solved it by setting the DNS on the machines to 127.0.0.1 and add a NetSh Interface Proxy, listening on 127.0.0.1 port 53 and forwarding it to the destination IP on port 5353, that I NAT there to port 53 on the destination.
Not a perfect solution, but it works.

Author Topic: Try to NAT port 53 (Read 749 times)

tverweij

Try to NAT port 53

cookiemonster

Re: Try to NAT port 53

Vilhonator

Re: Try to NAT port 53

tverweij

Re: Try to NAT port 53

tverweij

Re: Try to NAT port 53