
I have an internet connection with a static IP from my ISP. I do have mail servers and webservers hosted from it. What I would like to achieve is to run a couple of nameservers by getting another static IP from my ISP. I have forwarded TCP and UDP ports to my local IP address, and the internet connection is being managed by pfSense. The DNS resolver and forwarder services have been disabled.

I tried to set up a nameserver by NAT and forwarded port 53 for UDP and TCP traffic. But still, when I try to query a record for a zone on my nameserver using dig, externally or internally, I get the error "no servers could be reached". Is there any guide or information that would help me to set up the nameservers behind NAT, or help me solve this issue?

My ISP has confirmed that they do not have blocks or filters in place. I have also confirmed that no ports are being blocked or filtered from my end too. The name of the nameserver is ns1.sitehosters.in.

Ethernet config on ns1 (ifupdown format):

auto eth1
iface eth1 inet static
    address 192.168.1.12
    netmask 255.255.255.0
    # 192.168.1.1 is the pfSense box
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8

/etc/bind/named.conf.options:

options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;
    listen-on-v6 { any; };
};

/etc/bind/named.conf.local on ns1 (edited with nano):

zone "sitehosters.in" {
    type master;
    allow-transfer { none; };
    file "/etc/bind/pri.sitehosters.in";
};

netstat output:

tcp 0 0 192.168.1.36:domain . LISTEN 1156/named 
tcp 0 0 localhost:domain . LISTEN 1156/named 
tcp 0 0 localhost:953 . LISTEN 1156/named 
udp 0 0 192.168.1.36:domain . 1156/named 
udp 0 0 localhost:domain . 1156/named

DNS check at Pingdom:

No name servers found at child.

No name servers could be found at the child. 
This usually means that the child is not configured to answer queries about the zone.

Please find some screenshots of my router config which might help you to point me in the right direction. I use pfSense on a PC which manages the whole internet connection and the firewall.

When using packet capture on my WAN port in pfSense, I get:

19:05:02.660753 IP xx.xx.xx.xx.13747 > 8.8.8.8.53: UDP, length 27
19:05:02.669900 IP 8.8.8.8.53 > xx.xx.xx.xx.13747: UDP, length 509
19:05:02.670409 IP xx.xx.xx.xx.63621 > 8.8.8.8.53: UDP, length 44
19:05:02.694125 IP xx.xx.xx.xx.34919 > 8.8.8.8.53: UDP, length 27
19:05:02.704487 IP 8.8.8.8.53 > xx.xx.xx.xx.34919: UDP, length 509
19:05:02.705580 IP xx.xx.xx.xx.11687 > 8.8.8.8.53: UDP, length 44
19:05:02.741893 IP 8.8.8.8.53 > xx.xx.xx.xx.11687: UDP, length 208
19:05:02.741919 IP 8.8.8.8.53 > xx.xx.xx.xx.63621: UDP, length 208

19:13:39.682095 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0
19:13:39.682355 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 0
19:13:39.893583 IP 81.143.220.107.51368 > xx.xx.xx.xx: tcp 0
19:13:39.894893 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 34
19:13:39.895023 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 0
19:13:39.895353 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 155
19:13:40.100199 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0
19:13:40.100220 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0

The report at intodns.com says:

DNS servers responded: ERROR: One or more of your nameservers did not respond:
The ones that did not respond are: xx.xx.xx.xx
mindflame
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/60873/discussion-on-question-by-mindflame-running-nameserver-behind-nat). – EEAA Jun 22 '17 at 04:34

2 Answers


If you want to run a nameserver that is the authority for an Internet zone, then it will need to be properly addressed with a public IP.

If you must put a name server behind a NAT, then the NAT device must incorporate an appropriate Application Layer Gateway (ALG). Although many NAT devices will incorporate an ALG suitable for NATing the client IP address I don't know if any of them are built to NAT SOA records etc.

If you only have /32 public addresses then you might be able to port-forward through your outer router and then push that through a second NAT device to restore the original destination IP address. Off the top of my head this should work but I haven't thought it through at length.

I haven't looked at your configs in detail, but I notice that you've got 8.8.8.8 defined as the name server. Unless you want to restrict your name server to authoritative-only, you'd have that set to 127.0.0.1.

On reflection, NATing twice shouldn't be necessary. The DNS server may need to have an interface on it with the public IP address, though; you can probably achieve that with a secondary IP on an interface.

marctxk
  • I have tried putting 127.0.0.1 too, but that does not help. pfSense is capable of ALG as far as I know. This would all make sense if any packets were hitting my DNS server's LAN, but the packet tracer in pfSense does not show any packets arriving at my DNS server from the WAN. – mindflame Jun 19 '17 at 14:36
  • Using 127.0.0.1 is not meant to help Internet hosts get DNS from you but will force your own DNS server host to use its own DNS server software. These are two separate functions. Some of the comments above to your question are helpful. You need to know whether the nameserver resolves authoritative information at all and the "dig @127.0.0.1" that @BrandonXavier describes does this. If you don't get a response to that then you need to turn on query-logging in BIND to check that the query has reached the nameserver software. – marctxk Jun 20 '17 at 13:25
  • I gave dig @127.0.0.1 sitehosters.in SOA a shot. It's giving me the SOA, NS and A records. – mindflame Jun 20 '17 at 14:06
  • Next thing is to try that from your LAN using dig @192.168.1.36 ... – marctxk Jun 20 '17 at 14:30
  • It also gives me SOA, NS and A records. But running dig @45.116.230.68 sitehosters.in SOA gives me no servers could be reached... – mindflame Jun 20 '17 at 14:35
  • That is from the Internet, yes? In which case you need to find out first that you have the IP routed to you, then that it's hitting the outside of your firewall. I presume you can run tcpdump on the pfSense? – marctxk Jun 20 '17 at 14:53
  • Yes, it is from the internet. Are you talking about the packet tracer in pfSense? – mindflame Jun 20 '17 at 15:08
  • I'm afraid I'm not familiar with pfSense at that operational level, but a quick web search shows that you can run tcpdump either in the shell or via the GUI. If the packet tracer facility is similar to that on the Cisco ASA, then no, not that. That provides a theoretical view of how a packet traverses the firewall; tcpdump will tell you whether DNS requests are getting to the firewall from the Internet. Also note that I'm going to edit my answer. – marctxk Jun 21 '17 at 08:52
  • Packet tracer is a similar function that captures packet information arriving at a specified LAN port from the internet. – mindflame Jun 21 '17 at 10:14
  • Should do well then. Check whether the packets are getting in and whether they are leaving with the expected IPs (and ports). You'll also see any return traffic if it's there. – marctxk Jun 21 '17 at 10:57
  • I don't see any traffic on it. – mindflame Jun 21 '17 at 11:22
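The ladder that the comment thread walks through (dig @127.0.0.1, then @the LAN address, then @the public address) and the check that intodns and Pingdom perform can be scripted so that each rung gives a clear verdict. The script below is an added example; it is not code from the question, the answers, pfSense or BIND. It uses a minimal hand-rolled DNS client that only decodes the reply header, which is enough to tell "no reply at all" (filtered, dropped or not forwarded) from "reachable but not authoritative" (you hit a resolver) and from a refused or failed query. The zone name and the three addresses are taken from the question and comments and are assumptions to replace; the first two rungs are meant to be run on ns1 itself, the third from a host outside your network.

```python
"""Staged reachability check for an authoritative nameserver behind NAT.

Added example, not from the question or the answers. Zone and addresses
are taken from the question text and are placeholders.
"""
import random
import socket
import struct

QTYPE_SOA = 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, txid, qtype=QTYPE_SOA):
    """Wire-format query: 12-byte header, then QNAME/QTYPE/QCLASS (IN).
    Flags are 0 (RD=0): an authoritative server needs no recursion."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode only the 12-byte header; that is enough to judge the reply."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # reply bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
    }


def classify(resp, txid):
    """Map a raw reply (or None on timeout) to (status, explanation)."""
    if resp is None:
        return ("NO_REPLY", "nothing came back before the timeout: "
                            "dropped upstream, filtered, or not forwarded")
    if len(resp) < 12:
        return ("BOGUS", "reply shorter than a DNS header")
    h = parse_header(resp)
    if not h["qr"] or h["id"] != txid:
        return ("BOGUS", "reply does not match our query id")
    rcode = RCODES.get(h["rcode"], str(h["rcode"]))
    if rcode != "NOERROR":
        return ("RCODE_" + rcode, "server reachable but not serving this zone")
    if not h["aa"]:
        return ("NOT_AUTHORITATIVE", "aa=0: you reached a resolver, not the zone master")
    return ("OK", "authoritative answer with %d answer record(s)" % h["answers"])


def query_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:               # socket.timeout is an OSError subclass
            return None
    return data


def query_tcp(server, query, timeout=3.0):
    """TCP DNS frames each message with a 2-byte length prefix (RFC 1035)."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            prefix = s.recv(2)
            if len(prefix) < 2:
                return None
            (length,) = struct.unpack("!H", prefix)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
    except OSError:
        return None
    return data


def run_ladder(zone, stages):
    """Query every rung over UDP and TCP; returns {(label, proto): status}."""
    results = {}
    for label, addr in stages:
        for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
            txid = random.randrange(0, 0x10000)
            status, detail = classify(fn(addr, build_query(zone, txid)), txid)
            results[(label, proto)] = status
            print("%-22s %-15s %s: %s (%s)" % (label, addr, proto, status, detail))
    return results


if __name__ == "__main__":
    # Rungs from the comment thread; addresses are the question's (placeholders).
    run_ladder("sitehosters.in", [
        ("loopback on ns1", "127.0.0.1"),
        ("LAN address of ns1", "192.168.1.36"),
        ("public (WAN) address", "45.116.230.68"),
    ])
```

Reading the result: OK on loopback and on the LAN address but NO_REPLY on the public address, combined with an empty WAN-side capture on pfSense, places the problem upstream of the firewall rather than in the NAT rule or in BIND, which is what the asker eventually confirmed. If the public rung answers but with NOT_AUTHORITATIVE, the forward is landing on a resolver rather than on ns1. To confirm on ns1 that a query actually reached named, `rndc querylog on` turns on BIND's query logging as the comment above suggests.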

I figured it out. The ISP had a filter on port 53 even though it was open. I have to change the ISP as they can't remove the block. Thanks all for the time spent solving the issue.

mindflame