DNS Filtering not working with TCP requests

bassplayerchris

Occasional Visitor
Hi -

I have switched on DNS Filtering for a node on my network. I am able to verify the rules in the PREROUTING and DNSFILTER chains in the nat iptables (DNS Filtering is actually set to redirect the node's DNS requests to the router itself). I can verify that when the node makes DNS requests over UDP the request is rewritten correctly; however, when it makes the request over TCP the request is not rewritten, and goes to the DNS server that the node has hardcoded inside it.

FWIW, NAT is switched off on the router concerned - but evidently UDP requests are being rewritten correctly.
 
That's correct, I don't rewrite TCP requests because I have never seen a case where TCP was used (beside zone transfers). I could always also redirect TCP requests for those unusual cases, but results might be unexpected, as most DNS servers don't listen to tcp/53.

I think the behaviour where a UDP request that is sent back marked as 'response too big' is followed by a TCP request is normal. Though in this case the device is misbehaving somewhat in launching TCP queries off its own back. What puzzles me more is that it appears to me that you already cater for this with the following rules:

-A PREROUTING -s Y.Y.Y.0/255.255.255.0 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s Y.Y.Y.0/255.255.255.0 -p tcp -m tcp --dport 53 -j DNSFILTER

and then later

-A DNSFILTER -m mac --mac-source X:X:X:X:X:X -j DNAT --to-destination dns.ip

Which should deal with both TCP and UDP, no?

That sounds correct. So it should indeed handle both cases.

Okay, I think I've found the problem. I have tcpdump at an upstream router. I can't see any of the TCP queries that I can see on the asus. I think tcpdump (for whatever reason) sees the UDP stream after PREROUTING has been applied, but sees the TCP stream before PREROUTING has been applied.

I assume this is Linux network stack behaviour and so there's nothing we can do about it.
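Added check, not from the thread or the firmware: instead of tcpdump, read the conntrack table, whose reply tuple records where each port-53 flow was actually sent after PREROUTING DNAT, so UDP and TCP flows can be compared the same way (the client IP, filter IP and conntrack lines below are constructed samples).

```shell
#!/bin/sh
# Added example: confirm DNS Filtering DNAT applies to both UDP and TCP port-53
# flows by reading conntrack entries. In the original tuple "dst=" is where the
# client sent the query; in the reply tuple "src=" is where the query actually
# went after PREROUTING DNAT. A flow whose reply src is not the filter's DNS IP
# has bypassed the filter. Addresses and entries below are constructed samples.

CLIENT_IP="192.168.1.50"   # the filtered node (hypothetical)
FILTER_IP="192.168.1.1"    # where DNS Filtering redirects queries (hypothetical)

# Constructed "conntrack -L" output: UDP query redirected, TCP query not,
# plus an unrelated HTTPS flow that must be ignored.
SAMPLE='udp      17 28 src=192.168.1.50 dst=8.8.8.8 sport=51234 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=51234 mark=0 use=1
tcp      6 431998 ESTABLISHED src=192.168.1.50 dst=8.8.8.8 sport=40001 dport=53 src=8.8.8.8 dst=192.168.1.50 sport=53 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.50 dst=93.184.216.34 sport=40002 dport=443 src=93.184.216.34 dst=192.168.1.50 sport=443 dport=40002 [ASSURED] mark=0 use=1'

# Print one line per port-53 flow from client $2 and return, as the exit
# status, the number of those flows that were NOT redirected to $3.
# Usage: check_dns_redirect "$conntrack_text" client_ip filter_ip
check_dns_redirect() {
    printf '%s\n' "$1" | awk -v client="$2" -v filter="$3" '
        {
            # Tokens are key=value; the first src/dst pair is the original
            # direction, the second src is the reply direction (post-DNAT).
            n = 0; osrc = odst = rsrc = odport = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src")   { n++; if (n == 1) osrc = kv[2]; else rsrc = kv[2] }
                if (kv[1] == "dst"   && odst == "")   odst = kv[2]
                if (kv[1] == "dport" && odport == "") odport = kv[2]
            }
            if (osrc != client || odport != "53") next
            status = (rsrc == filter) ? "redirected" : "BYPASSED"
            printf "%s %s -> %s (answered by %s): %s\n", $1, osrc, odst, rsrc, status
            if (status == "BYPASSED") bypassed++
        }
        END { exit bypassed + 0 }'
}

# On the router the live call would be:
#   check_dns_redirect "$(conntrack -L 2>/dev/null)" "$CLIENT_IP" "$FILTER_IP"
bypassed=0
check_dns_redirect "$SAMPLE" "$CLIENT_IP" "$FILTER_IP" || bypassed=$?
echo "port-53 flows that bypassed the filter: $bypassed"
```

With the sample above the TCP query is reported as BYPASSED and the script exits with one bypassed flow; a redirected TCP query would show the filter IP as the answering host.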
 
