What's new

RT-AC66U dropping incoming DNS

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Amoss

New Around Here
Hello,

I have a problem with port forwarding on an ASUS RT-AC66U. I'm trying to run a DNS server on the LAN behind the router. I've set the port-forwarding on the router to send UDP/TCP port 53 to the IP address of the server. The TCP packets go through fine, but the UDP packets get dropped. So far I've tried:

* Combinations of only UDP / TCP / both through the web-interface.
* Telneting into the router and checking the iptables setup.

The interface is setting up the rules correctly - the nat table is sending everything to a VSERVER chain and inside that chain both udp and tcp port 53 are forwarded to the server.

I'm testing it on the outside with:
$ dig @wan-ip url.in.domain
and
$ dif @wan-ip +tcp url.in.domain

The TCP Query works fine and the UDP gets dropped at the route. I'm running tcpdump on a promiscuous port on the LAN to verify (I can't put a monitor on the WAN easily).

Does anybody know why the router would eat UDP packets on port 53 and how I can disable it? Is there anything else I can do to diagnose it other than switch from standard firmware (3.0.0.4.382_50470) to another distribution and run tcpdump on the router before it hits iptables? Does anybody have ideas of where I could look next?

Thanks,
Andrew
 
I'm assuming your WAN interface connected to your ISP and not some other internal network. Maybe your ISP blocks UDP DNS traffic in a similar way that SMTP is usually blocked.
 
I checked with the network operator, they're sure that they leave those ports open and don't block anything on port 53.
 
I can only suggest that you issue the following command to verify that your UDP packets are actually getting to the WAN interface.
Code:
# iptables -t nat -L -v -n
 
Thanks, I've tried that. It's for traffic in the other direction: incoming from the WAN to the LAN.
 
Thanks, I've tried that. It's for traffic in the other direction: incoming from the WAN to the LAN.
Yes, that's what that command will show. How many packets are coming in from the WAN interface and hitting your rules.
 
Ah ok, either that is different switches or I did not see the count in the output. I'll try that.
 
I've tested it a little bit. The count for the PREROUTING chain is going up when I fire TCP requests, but not UDP. Is there anything on the router that could drop the packet before it hits iptables, or is it definitely being blocked by the ISP?
 
The only things before the nat/PREROUTING is the raw and mangle PREROUTING chains. I doubt there's anything in there that would specifically target UDP DNS requests.

How are you testing it? It might not be your ISP that's blocking it. If you're using a mobile connection it could be your mobile network.
 
I’m running dig from two boxes on two different networks. One at work and one in a VPS.

Hmmmm. I’ll have to call the ISP again and see if they can test it / trace the problem. Thanks for your help, that’s a useful trick to know with iptables. It saved me moving a bunch of furniture to tap the line :)
 
Will do. It is probably the ISP though. They had nice tech support last time, I’ll try them again.
 
Will do. It is probably the ISP though. They had nice tech support last time, I’ll try them again.
Most ISPs won't let you run your own DNS server. It wouldn't surprise me that they forgot to block tcp/53 in addition to udp/53.
 
Similar threads
Thread starter Title Forum Replies Date
A Aimesh dropping WiFi ASUS Wi-Fi 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top