RT-AC66U dropping incoming DNS

Amoss

New Around Here
Hello,

I have a problem with port forwarding on an ASUS RT-AC66U. I'm trying to run a DNS server on the LAN behind the router. I've set the port-forwarding on the router to send UDP/TCP port 53 to the IP address of the server. The TCP packets go through fine, but the UDP packets get dropped. So far I've tried:

* Combinations of only UDP / TCP / both through the web-interface.
* Telneting into the router and checking the iptables setup.

The interface is setting up the rules correctly - the nat table is sending everything to a VSERVER chain and inside that chain both udp and tcp port 53 are forwarded to the server.

I'm testing it on the outside with:
$ dig @wan-ip url.in.domain
and
$ dig @wan-ip +tcp url.in.domain

The TCP query works fine and the UDP gets dropped at the router. I'm running tcpdump on a promiscuous port on the LAN to verify (I can't put a monitor on the WAN easily).

Does anybody know why the router would eat UDP packets on port 53 and how I can disable it? Is there anything else I can do to diagnose it other than switch from standard firmware (3.0.0.4.382_50470) to another distribution and run tcpdump on the router before it hits iptables? Does anybody have ideas of where I could look next?

Thanks,
Andrew
 
I'm assuming your WAN interface is connected to your ISP and not some other internal network. Maybe your ISP blocks UDP DNS traffic in a similar way that SMTP is usually blocked.
 
I checked with the network operator, they're sure that they leave those ports open and don't block anything on port 53.
 
I can only suggest that you issue the following command to verify that your UDP packets are actually getting to the WAN interface.
Code:
# iptables -t nat -L -v -n
 
Thanks, I've tried that. It's for traffic in the other direction: incoming from the WAN to the LAN.
 
Yes, that's what that command will show: how many packets are coming in from the WAN interface and hitting your rules.
 
Ah ok, either that is different switches or I did not see the count in the output. I'll try that.
 
I've tested it a little bit. The count for the PREROUTING chain is going up when I fire TCP requests, but not UDP. Is there anything on the router that could drop the packet before it hits iptables, or is it definitely being blocked by the ISP?
 
The only things before nat/PREROUTING are the raw and mangle PREROUTING chains. I doubt there's anything in there that would specifically target UDP DNS requests.

How are you testing it? It might not be your ISP that's blocking it. If you're using a mobile connection it could be your mobile network.
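The counter check suggested above (snapshot `iptables -t nat -L -v -n`, fire a query, snapshot again, compare) is easy to do by eye for two rules but tedious when the VSERVER chain is long. The following is an added example, not code from the thread or from the ASUS firmware: it parses two snapshots of that command's output, computes the per-rule packet delta, and reports whether udp/53 and tcp/53 ever reached the nat table. The two snapshots are constructed sample output in the standard iptables `-L -v -n` column layout; the addresses (203.0.113.10 as the WAN IP, 192.168.1.20 as the LAN DNS server) and the counter values are assumptions made up for the example.

```python
import re

# Constructed sample: output of `iptables -t nat -L -v -n` taken BEFORE the test queries.
# Addresses and counts are invented for the example; the layout matches iptables' -L -v -n.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 1234 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.10

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.20
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.20
"""

# Constructed sample taken AFTER three `dig +tcp` and three plain (UDP) `dig` queries.
AFTER = """\
Chain PREROUTING (policy ACCEPT 1251 packets, 99K bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  3410 VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.10

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.20
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.20
"""

# iptables abbreviates large counters with K/M/G suffixes (e.g. "98K").
_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_counter(token):
    """Turn an iptables counter token such as '42' or '98K' into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not an iptables counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_iptables(text):
    """Map (chain, rule description) -> packet count from `iptables -L -v -n` output.

    Column order is: pkts bytes target prot opt in out source destination [match text].
    Assumes every rule has a target (a rule without -j would shift the columns).
    """
    counters = {}
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank separator or the column header
        fields = line.split()
        pkts = parse_counter(fields[0])
        # Describe the rule by target, protocol and any trailing match text
        # (e.g. "DNAT udp udp dpt:53 to:192.168.1.20") so rules are comparable across snapshots.
        key = " ".join([fields[2], fields[3]] + fields[9:])
        counters[(chain, key)] = pkts
    return counters


def dns_deltas(before, after, chain="VSERVER"):
    """Sum the packet-count increase of the dport-53 rules in `chain`, per protocol."""
    seen = {"tcp": 0, "udp": 0}
    for (ch, key), pkts in after.items():
        if ch != chain or "dpt:53" not in key:
            continue
        proto = key.split()[1]
        seen[proto] = seen.get(proto, 0) + pkts - before.get((ch, key), 0)
    return seen


def diagnose(seen):
    """Classify what the counters say about where udp/53 is being lost."""
    tcp, udp = seen.get("tcp", 0), seen.get("udp", 0)
    if tcp > 0 and udp == 0:
        return "udp-not-reaching-router"   # dropped upstream: ISP or path, not iptables
    if tcp == 0 and udp == 0:
        return "nothing-reaching-router"   # check the WAN address / the test itself
    if udp > 0:
        return "udp-reaching-router"       # nat saw it: look at filter chains and the server
    return "tcp-not-reaching-router"


if __name__ == "__main__":
    before, after = parse_iptables(BEFORE), parse_iptables(AFTER)
    seen = dns_deltas(before, after)
    print("packets matched since the first snapshot:", seen)
    print("verdict:", diagnose(seen))
```

On the router itself the two snapshots would be captured with the command from the thread (`iptables -t nat -L -v -n > before.txt`, run the queries, then `> after.txt`) and fed to `parse_iptables` instead of the constructed strings; with the sample data above the TCP rule rises by three while the UDP rule stays at zero, which is the "never reached the nat table" pattern described in the thread.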
 
I’m running dig from two boxes on two different networks. One at work and one in a VPS.

Hmmmm. I’ll have to call the ISP again and see if they can test it / trace the problem. Thanks for your help, that’s a useful trick to know with iptables. It saved me moving a bunch of furniture to tap the line :)
 
Will do. It is probably the ISP though. They had nice tech support last time, I’ll try them again.
 
Most ISPs won't let you run your own DNS server. It wouldn't surprise me if they forgot to block tcp/53 in addition to udp/53.
 