Nat – Running Nameserver behind NAT

domain-name-systemnameservernat;resolve

I have an internet connection with a static IP from my ISP. I do have mail servers and webservers hosted from it. What I would like to achieve is to run a couple of nameservers by getting another static IP from my ISP. I have forwarded TCP and UDP ports from my local IP address and the internet connection is being managed by pfSense. The DNS resolver and forwarder service has been disabled.

I tried to set up a nameserver by NAT and forwarded port 53 for UDP & TCP traffic. But still, when I try to query a record for a zone on my nameserver using dig externally or internally, I get an error "no servers could be reached". Is there any guide or information that would help me to set up the nameservers behind NAT or help me solve this issue?

My ISP has confirmed that they do not have blocks or filters in place. I have also confirmed that no ports are being blocked or filtered from my end too. The name of the nameserver is ns1.sitehosters.in.

ETHERNET CONFIG on NS1

auto eth1
iface eth1 inet static
    address 192.168.1.12
    netmask 255.255.255.0
    gateway 192.168.1.1        # pfSense
    dns-nameservers 8.8.8.8

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;          // do not set AA on NXDOMAIN answers (RFC 1035 conformance)
    listen-on-v6 { any; };
};

named.conf.local file on ns1

nano /etc/bind/named.conf.local

zone "sitehosters.in" {
    type master;
    allow-transfer { none; };              // no zone transfers to anyone
    file "/etc/bind/pri.sitehosters.in";   // zone file; the statement must end with ';'
};

Netstat output below:

tcp 0 0 192.168.1.36:domain . LISTEN 1156/named 
tcp 0 0 localhost:domain . LISTEN 1156/named 
tcp 0 0 localhost:953 . LISTEN 1156/named 
udp 0 0 192.168.1.36:domain . 1156/named 
udp 0 0 localhost:domain . 1156/named

DNSCHECK at PINGDOM

No name servers found at child.

No name servers could be found at the child. 
This usually means that the child is not configured to answer queries about the zone.

Please find some screenshots of my router config which might help you to point me in the right direction. I use pfSense on a PC which is managing all the internet connection and firewall.

When using packet capture on my WAN port in pfSense, I get

19:05:02.660753 IP xx.xx.xx.xx.13747 > 8.8.8.8.53: UDP, length 27
19:05:02.669900 IP 8.8.8.8.53 > xx.xx.xx.xx.13747: UDP, length 509
19:05:02.670409 IP xx.xx.xx.xx.63621 > 8.8.8.8.53: UDP, length 44
19:05:02.694125 IP xx.xx.xx.xx.34919 > 8.8.8.8.53: UDP, length 27
19:05:02.704487 IP 8.8.8.8.53 > xx.xx.xx.xx.34919: UDP, length 509
19:05:02.705580 IP xx.xx.xx.xx.11687 > 8.8.8.8.53: UDP, length 44
19:05:02.741893 IP 8.8.8.8.53 > xx.xx.xx.xx.11687: UDP, length 208
19:05:02.741919 IP 8.8.8.8.53 > xx.xx.xx.xx.63621: UDP, length 208

19:13:39.682095 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0
19:13:39.682355 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 0
19:13:39.893583 IP 81.143.220.107.51368 > xx.xx.xx.xx: tcp 0
19:13:39.894893 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 34
19:13:39.895023 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 0
19:13:39.895353 IP xx.xx.xx.xx.53 > 81.143.220.107.51368: tcp 155
19:13:40.100199 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0
19:13:40.100220 IP 81.143.220.107.51368 > xx.xx.xx.xx.53: tcp 0

The report at intodns.com says

DNS servers responded   ERROR: One or more of your nameservers did not respond:
The ones that did not respond are: xx.xx.xx.xx

Best Answer

If you want to run a nameserver that is the authority for an Internet zone then it will need to be properly addressed with a public IP.

If you must put a name server behind a NAT, then the NAT device must incorporate an appropriate Application Layer Gateway (ALG). Although many NAT devices will incorporate an ALG suitable for NATing the client IP address I don't know if any of them are built to NAT SOA records etc.

If you only have /32 public addresses then you might be able to port-forward through your outer router and then push that through a second NAT device to restore the original destination IP address. Off the top of my head this should work but I haven't thought it through at length.

I haven't looked at your configs in detail but notice that you've got 8.8.8.8 defined as name server. Unless you want to restrict your name server to authoritative-only then you'd have that set to 127.0.0.1.

On reflection NATing twice shouldn't be necessary. The DNS server may need to have an interface on it with the public IP address though, you can probably achieve that with a secondary IP on an interface.
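A check for the symptom in the question ("no servers could be reached", intodns reporting that the public IP did not respond) and for the answer's point that the server must answer authoritatively: the added script below (example code, not from the question or answer) sends an SOA query for the zone to a given server over UDP and then TCP, the two transports the question forwards, and reports whether each transport answered and whether the AA flag was set. The server address and zone name are parameters; the response bytes in the comments are constructed for illustration.

```python
import socket
import struct

ZONE = "sitehosters.in"  # zone from the question; change as needed


def build_query(name, qtype=6, txid=0x1234):
    """DNS query for `name` (QTYPE 6 = SOA) with RD cleared, so a forwarder
    in the path cannot answer on the authoritative server's behalf."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN


def parse_header(resp):
    """Decode the 12-byte DNS header of a response into the fields we care about."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "ancount": an}


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe(server, name=ZONE, timeout=3.0):
    """Query `server` over UDP and TCP; None for a transport means no answer
    (what dig reports as 'no servers could be reached' for that transport)."""
    q, out = build_query(name), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            out["udp"] = parse_header(s.recv(512))
    except OSError:
        out["udp"] = None
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q)  # TCP DNS is length-prefixed
            length = struct.unpack(">H", _recv_exact(s, 2))[0]
            out["tcp"] = parse_header(_recv_exact(s, length))
    except OSError:
        out["tcp"] = None
    return out
```

Run `probe("<public IP of ns1>")` from outside the NAT; a healthy authoritative setup returns `aa: True, rcode: 0` on both transports, while `None` on either transport means the forwarded port never reached named.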