# forwarding DNS traffic to another port



## williamy (Feb 28, 2013)

Hi,
I am trying to run a DNS server on a non-standard port, for example port 10053. I listed the info of my testing environment below. Can someone please help point out the incorrect place? Thanks in advance.

In my test environment, a Windows XP machine is the client, using 192.168.1.1, and the DNS server's IP is 192.168.1.2. When I run the nslookup command on XP, it sends DNS request traffic to the DNS server. In order to hit the DNS server, I added one firewall rule on the DNS server. It redirects the DNS request traffic, forwarding it to port 10053.

Here are the firewall rules on the DNS server.

```
00001 fwd 192.168.1.1,10053 ip from any to any dst-port 53 in
65535 allow ip from any to any
```

And I captured the UDP traffic on the DNS server.

```
20:45:04.613509 IP 192.168.1.2.2864 > 192.168.1.1.domain: 1+ PTR? 1.1.168.192.in-addr.arpa. (42)
20:45:04.613688 IP 192.168.1.1.10053 > 192.168.1.2.2864: UDP, length 58
20:45:06.626713 IP 192.168.1.2.2865 > 192.168.1.1.domain: 2+ A? www.google.com.singtec.com. (44)
20:45:06.627681 IP 192.168.1.1.10053 > 192.168.1.2.2865: UDP, length 60
20:45:08.622418 IP 192.168.1.2.2866 > 192.168.1.1.domain: 3+ A? www.google.com. (32)
20:45:08.623174 IP 192.168.1.1.10053 > 192.168.1.2.2866: UDP, length 48
```

The Result of the nslookup command on Windows XP is "DNS Request Time Out".


----------



## SirDice (Feb 28, 2013)

It won't accept the response because it's coming from a different port.

Why on earth do you want to run your DNS on anything other than port 53?


----------



## williamy (Feb 28, 2013)

Because I want to run two DNS servers on the same machine.


----------



## johnblue (Feb 28, 2013)

Not knowing what you are trying to accomplish exactly, have you considered using a hidden master?


----------



## SirDice (Feb 28, 2013)

williamy said:

> Because I want to run two DNS servers on the same machine.



To do what? You can create multiple "views" in BIND. Perhaps you can use that?


----------



## J65nko (Feb 28, 2013)

Or you could add a second alias IP address and use that to run the second DNS server.

```
# netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.10.53      *.*                    LISTEN
tcp          0      0  127.0.0.1.8021         *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.10.53      *.*
udp          0      0  192.168.222.11.53      *.*
```
Here I have an authoritative-only nameserver (tinydns) for my local domain running on *192.168.222.11* and a caching nameserver (dnscache) on *192.168.222.10*.

Please note that a nameserver can use UDP as well as TCP.
If the answer to a UDP nameserver request will not fit within 512 bytes, the nameserver will set the truncated bit, telling the client to redo the query using TCP. Zone transfers also use TCP.
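
The UDP-to-TCP fallback described above, as an added example that is not part of J65nko's post: a small resolver stub queries an in-process stand-in nameserver over UDP, inspects the TC bit in the 12-byte DNS header, and redoes the query over TCP (with the 2-byte length prefix DNS-over-TCP uses) when the bit is set. The nameserver, the transaction ids and the answer sizes are all constructed for the example; no real sockets are opened.

```python
import struct

DNS_FLAG_QR = 0x8000      # response bit
DNS_FLAG_TC = 0x0200      # truncated bit
UDP_PAYLOAD_LIMIT = 512   # classic DNS-over-UDP limit without EDNS


def build_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_header(message):
    """Unpack only the header fields a resolver needs for the retry decision."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & DNS_FLAG_QR),
            "tc": bool(flags & DNS_FLAG_TC), "ancount": an}


def stub_server(txid, answer_size, transport):
    """Constructed nameserver stand-in (not a real server).  Over UDP it can
    only return what fits in 512 bytes, so an oversized answer comes back with
    no records and TC set.  Over TCP the full message is sent, prefixed with
    its 2-byte big-endian length as DNS-over-TCP requires.  The answer body
    is zero padding; only the header matters for the decision."""
    if transport == "udp":
        if answer_size > UDP_PAYLOAD_LIMIT:
            return build_header(txid, DNS_FLAG_QR | DNS_FLAG_TC, ancount=0)
        return build_header(txid, DNS_FLAG_QR, ancount=1) + b"\x00" * (answer_size - 12)
    body = build_header(txid, DNS_FLAG_QR, ancount=1) + b"\x00" * (answer_size - 12)
    return struct.pack("!H", len(body)) + body


def resolve(txid, answer_size):
    """Query over UDP first; if the reply is truncated, redo it over TCP.
    Returns (transport that delivered the usable answer, parsed header)."""
    udp_reply = parse_header(stub_server(txid, answer_size, "udp"))
    if udp_reply["id"] != txid or not udp_reply["qr"]:
        raise ValueError("reply does not match the query")
    if not udp_reply["tc"]:
        return "udp", udp_reply
    # TC set: the UDP answer is incomplete, repeat the query over TCP and
    # strip the length prefix before parsing.
    raw = stub_server(txid, answer_size, "tcp")
    (length,) = struct.unpack("!H", raw[:2])
    tcp_reply = parse_header(raw[2:2 + length])
    return "tcp", tcp_reply


if __name__ == "__main__":
    print(resolve(0x1234, 121))   # small answer: served over UDP
    print(resolve(0x1235, 900))   # oversized answer: TC set, redone over TCP
```

Any firewall rule that only redirects UDP port 53 will therefore break exactly the queries whose answers are too large for UDP; the TCP path needs the same redirection.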


----------



## williamy (Mar 1, 2013)

> It won't accept the response because it's coming from a different port.
> Why on earth do you want to run your DNS on anything other than port 53?



Does it mean that all DNS servers can only run on port 53 because by default all the clients (e.g. Windows) are configured to use port 53?



> Or you could add an second alias IP address and use that to run the second DNS server.



That means use another IP instead of another port.

All my clients are configured to use IP1 as the DNS server. That means I still need to add a firewall rule to forward the traffic to IP2.


----------



## fonz (Mar 1, 2013)

williamy said:

> Does it mean that all DNS servers can only run on port 53 because by default all the clients (e.g. Windows) are configured to use port 53?


By default, yes. Good clients and servers can be told to use other ports just fine, but the client still requires some way of knowing that it must use an alternate port. On a small local network that shouldn't be a problem, but for a server connected to the Internet it will be. DNS is expected to listen on port 53 and while hosts on a local network could possibly be configured to use a different port, the rest of the world has no way of knowing.


----------



## J65nko (Mar 1, 2013)

If you use pf you can redirect port 53 requests to port 10053. Redirection is a kind of Network Address and Port Translation (NAPT) so the answers will be returned using port 53.

The client will not notice at all that the server is actually using port 10053 instead of 53.


----------



## J65nko (Mar 1, 2013)

You posted an answer just one minute after mine at http://forums.freebsd.org/showpost.php?p=211193&postcount=9, so you will likely have missed it.

To illustrate my point, I configured an authoritative-only nsd nameserver for my local domain on 192.168.222.20 using port 10053 instead of the default 53:

```
$ netstat -an -f inet

Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.20.43432   192.168.222.10.22      ESTABLISHED
tcp          0      0  192.168.222.20.10053   *.*                    LISTEN
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.515                  *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.20.10053   *.*
udp          0      0  *.514                  *.*
```

Using pf I redirected all port 53 traffic to port 10053 and instructed pf to log these packets.

In one xterm I run tcpdump on the public interface re0, in a second one it monitors the pflog0 interface.

On 192.168.222.10 I do the following name query using dig:


```
$ dig parmenides.utp.xnet @192.168.222.20

; <<>> DiG 9.4.2-P2 <<>> parmenides.utp.xnet @192.168.222.20
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57343
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;parmenides.utp.xnet.           IN      A

;; ANSWER SECTION:
parmenides.utp.xnet.    604800  IN      A       192.168.222.10

;; AUTHORITY SECTION:
utp.xnet.               604800  IN      NS      ns1.utp.xnet.
utp.xnet.               604800  IN      NS      ns2.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           604800  IN      A       10.7.7.20
ns2.utp.xnet.           604800  IN      A       192.168.222.11

;; Query time: 6 msec
;; SERVER: 192.168.222.20#53(192.168.222.20)
;; WHEN: Fri Mar  1 02:55:07 2013
;; MSG SIZE  rcvd: 121
```
You see that the standard port 53 is being used here.

The output of the two xterms running tcpdump:


```
$ sudo tcpdump -ni re0 port 53 or port 10053
tcpdump: listening on re0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
02:55:07.357997 62.194.100.251.60779 > 192.168.222.20.53: 57343+ A? parmenides.utp.xnet. (37)
02:55:07.358093 192.168.222.20.53 > 62.194.100.251.60779: 57343*- 1/2/2 A 192.168.222.10 (121)
```


```
$ sudo tcpdump -eni pflog0 -s512
tcpdump: listening on pflog0, link-type PFLOG
02:55:07.358016 rule 0/(match) pass in on re0: 62.194.100.251.60779 > 192.168.222.20.10053: udp 37
tcpdump: WARNING: compensating for unaligned libpcap packets
02:55:07.358083 rule 0/(match) pass out on re0: 192.168.222.20.10053 > 62.194.100.251.60779: udp 121
```

So the client uses the standard port 53, while the nameserver is configured on port 10053. Because pf does the redirection/translation transparently, the client does not notice at all that this nameserver uses a non-standard port.
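
Why the `fwd` rule in the first post fails while the pf redirect above works, as an added simulation that is not part of this post or of either firewall: the model below pushes one UDP query through two translator styles. A one-way forward rewrites only the inbound destination port and keeps no state, so the reply leaves from source port 10053 and a resolver that matches replies against the 4-tuple of its query drops it (the "DNS request timed out" from the first post). A stateful redirect records the flow and rewrites the reply's source port back to 53, which is the NAPT behaviour the pflog0 capture shows. The Packet class, the stub nameserver and resolver, and the addresses (taken from the orientation of the first post's capture) are all constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal UDP packet model: addresses, ports and an opaque payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


PUBLIC_PORT = 53      # port the clients are configured to query
LISTEN_PORT = 10053   # port the nameserver process actually binds


class OneWayForward:
    """Rewrites the inbound destination port only and keeps no state, so the
    reply leaves untouched (the behaviour the first post's capture shows)."""

    def inbound(self, pkt):
        if pkt.dst_port == PUBLIC_PORT:
            return replace(pkt, dst_port=LISTEN_PORT)
        return pkt

    def outbound(self, pkt):
        return pkt


class StatefulRedirect:
    """NAPT-style redirect: records each translated flow and undoes the port
    rewrite on the matching reply, the way a pf rdr rule does."""

    def __init__(self):
        self.flows = {}   # (client ip, client port, server ip) -> original dst port

    def inbound(self, pkt):
        if pkt.dst_port == PUBLIC_PORT:
            self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip)] = pkt.dst_port
            return replace(pkt, dst_port=LISTEN_PORT)
        return pkt

    def outbound(self, pkt):
        original = self.flows.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip))
        if original is not None and pkt.src_port == LISTEN_PORT:
            return replace(pkt, src_port=original)
        return pkt


def nameserver(pkt):
    """Stand-in for the server process: answers only what reaches its bound
    port, and sources the reply from that same port."""
    if pkt.dst_port != LISTEN_PORT:
        return None
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port,
                  "answer:" + pkt.payload)


def client_accepts(query, reply):
    """A stub resolver matches the reply against the query's 4-tuple; a reply
    from an unexpected source port is dropped, so the lookup times out."""
    return (reply is not None
            and reply.src_ip == query.dst_ip
            and reply.src_port == query.dst_port
            and reply.dst_ip == query.src_ip
            and reply.dst_port == query.src_port)


def run_query(translator, client_ip="192.168.1.2", server_ip="192.168.1.1"):
    """Send one query through the given translator; return whether the client
    accepted the reply and the source port the reply arrived from."""
    query = Packet(client_ip, 2864, server_ip, PUBLIC_PORT, "A? www.example.test.")
    reply = nameserver(translator.inbound(query))
    if reply is None:
        return False, None
    on_wire = translator.outbound(reply)
    return client_accepts(query, on_wire), on_wire.src_port


if __name__ == "__main__":
    print("one-way fwd :", run_query(OneWayForward()))     # (False, 10053)
    print("stateful rdr:", run_query(StatefulRedirect()))  # (True, 53)
```

The same reasoning tells you what to look for when debugging a redirect with tcpdump: on the client-facing interface the reply must show source port 53, as in the re0 capture above; if it shows the server's real listening port, the rule is forwarding without translating the return path.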


----------



## williamy (Mar 1, 2013)

Thanks very much, It works, But can we make it happen with ipfw only?


----------



## J65nko (Mar 1, 2013)

Sorry, but I have not used ipfw since FreeBSD 4.11, so I cannot help you with that.


----------



## johnblue (Mar 1, 2013)

J65nko said:

> Sorry, but I have not used ipfw since FreeBSD 4.11, so I cannot help you with that.


word.


----------



## J65nko (Mar 1, 2013)

The FreeBSD handbook has a chapter about ipfw, but unfortunately it does not mention *redirection* of packets.
ipfw(8) has a section about *redirection*, and there is a redirect example in its *EXAMPLES* section.


----------

