DNS Internal NAT

Hopefully someone can help…

Been puzzled with an issue where I want to redirect all outbound DNS requests from my LAN to my local DNS servers.

DNS Server A: (192.168.1.250)

Host A: (192.168.1.1)
Requests DNS for a.example.com on server 1.1.1.1

VyOS
For all DNS requests not originating from DNS Server A, redirect to DNS Server A

I have been trying to get a DNAT working on this and I can see via tcpdump that the packet is hitting the DNS server, but the address doesn't seem to be translated.

tcpdump on DNS Server A

11:21:20.073500 IP (tos 0x0, ttl 64, id 32060, offset 0, flags [none], proto UDP (17), length 66)
    192.168.1.1.49206 > 1.1.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)

tcpdump on VyOS [15x.18x.12x.15x is public IP]

11:21:20.073606 IP (tos 0x0, ttl 63, id 32060, offset 0, flags [none], proto UDP (17), length 66)
    15x.18x.12x.15x.49206 > 192.168.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)

DNAT Rule: [fw-grp-adr-grp-dns-internal is 192.168.1.250]

vyos@vyos# show destination rule 20
 destination {
     port domain
 }
 inbound-interface eth1
 log
 protocol tcp_udp
 source {
     group {
         address-group !fw-grp-adr-grp-dns-internal
     }
 }
 translation {
     address 192.168.1.250
     options {
     }
     port domain
 }

Any help with the above would be appreciated.
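As an added check (not code from the original post), the following script classifies the two-line verbose tcpdump output shown above so that the capture on the DNS server and the capture on the router can be compared mechanically: it reports whether the destination was rewritten to the internal resolver and whether the source address was rewritten to something outside the LAN. The LAN prefix and resolver address are taken from the post; the sample lines are constructed, with the masked public IP replaced by the documentation address 203.0.113.10.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Values from the post: the LAN and the intended DNAT target.
LAN = ipaddress.ip_network("192.168.1.0/24")
RESOLVER = ipaddress.ip_address("192.168.1.250")
DNS_PORT = 53

# Matches "src.sport > dst.dport:" as printed by tcpdump for IPv4/UDP and TCP.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

Flow = Tuple[ipaddress.IPv4Address, int, ipaddress.IPv4Address, int]


def parse_flow(capture: str) -> Optional[Flow]:
    """Extract (src, sport, dst, dport) from a tcpdump record (one or two lines)."""
    m = FLOW_RE.search(capture)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport))


def classify(capture: str) -> str:
    """Describe what the NAT did to a DNS packet seen in a capture."""
    flow = parse_flow(capture)
    if flow is None:
        return "no-flow"
    src, _sport, dst, dport = flow
    if dport != DNS_PORT:
        return "not-dns"
    findings = ["dst-translated" if dst == RESOLVER else "dst-untranslated"]
    if src not in LAN:
        # The LAN client's source address was replaced, e.g. by a masquerade rule.
        findings.append("src-rewritten")
    return ",".join(findings)


# Constructed sample records modelled on the captures in the post.
SAMPLES = {
    "dns-server": (
        "11:21:20.073500 IP (tos 0x0, ttl 64, id 32060, offset 0, flags [none], proto UDP (17), length 66)\n"
        "    192.168.1.1.49206 > 1.1.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)"),
    "vyos": (
        "11:21:20.073606 IP (tos 0x0, ttl 63, id 32060, offset 0, flags [none], proto UDP (17), length 66)\n"
        "    203.0.113.10.49206 > 192.168.1.1.53: [udp sum ok] 40640+ A? a.example.com. (38)"),
    "expected": (
        "11:21:20.073700 IP (tos 0x0, ttl 63, id 32060, offset 0, flags [none], proto UDP (17), length 66)\n"
        "    192.168.1.1.49206 > 192.168.1.250.53: [udp sum ok] 40640+ A? a.example.com. (38)"),
}


def classify_samples() -> dict:
    return {name: classify(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} {verdict}")
```

Run it against `tcpdump -nnvv port 53` output captured on the resolver and on the router's LAN interface; a working DNAT rule should yield `dst-translated` on the resolver side, while `src-rewritten` on a LAN-destined packet points at a source-NAT rule matching traffic it should not.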

Hello @phasma,
eth1 is the WAN interface?

No, pppoe0 is WAN through eth0

Can you provide your VyOS version?

Sure, it's

vyos:[~] $ show version
Version:          VyOS 1.4-rolling-202302010317
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Wed 01 Feb 2023 03:17 UTC
Build UUID:       175a7c54-62e3-4c63-b580-75c44be9f58c
Build commit ID:  439743ef25bfaf

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-56 4d 7f fe 6a 05 79 8d-32 fa 0b 11 12 ab e5 bd
Hardware UUID:    fe7f4d56-056a-8d79-32fa-0b1112abe5bd

Copyright:        VyOS maintainers and contributors

Bump…can anyone help with this?

Hello @phasma,
Sorry for the wait.
For example, the working configuration from the network laboratory:

set firewall group address-group DNS address '172.16.0.250'
set firewall group address-group DNS address '172.16.0.251'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '172.16.0.1/24'
set nat destination rule 100 destination port 'domain'
set nat destination rule 100 inbound-interface 'eth1'
set nat destination rule 100 log
set nat destination rule 100 protocol 'tcp_udp'
set nat destination rule 100 source group address-group '!DNS'
set nat destination rule 100 translation address '172.16.0.250'
set nat destination rule 100 translation port 'domain'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'

All internal requests to port 53 are translated to IP 172.16.0.250
Firewall is not used!

As the client doing the DNS request and the internal server are on the same LAN, you need to add an sNAT rule for this traffic.
Without it, the internal server replies directly, and the DNS request isn't translated back. So the client sends a request to 1.1.1.1 and gets a reply back from 192.168.1.1, which will be ignored.
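The hairpin problem described in this reply, and the DNAT rule from the lab configuration above, as an added toy model (not VyOS or nftables code): a tiny conntrack keeps the original 5-tuple for each translated query, and the client only accepts a reply that comes back from the address and port it asked. The router, resolver and upstream addresses are taken from the lab configuration; the client address 172.16.0.20 and the idea of a LAN-side SNAT to the router's eth1 address are assumptions.

```python
from dataclasses import dataclass

ROUTER_LAN = "172.16.0.1"    # eth1 address from the lab configuration
RESOLVER = "172.16.0.250"    # DNAT translation address from the lab configuration
CLIENT = "172.16.0.20"       # constructed LAN client
UPSTREAM = "1.1.1.1"         # public resolver the client is configured to use
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Applies the port-53 DNAT (source not in the DNS group) and, optionally,
    a LAN-side SNAT to the router's own address; conntrack undoes both on reply."""

    def __init__(self, snat_lan: bool):
        self.snat_lan = snat_lan
        self.conntrack = {}  # translated 4-tuple -> original packet

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dport != DNS_PORT or pkt.src == RESOLVER:
            return pkt  # not matched by the DNAT rule
        new_src = ROUTER_LAN if self.snat_lan else pkt.src
        out = Packet(new_src, pkt.sport, RESOLVER, pkt.dport)
        self.conntrack[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Packet:
        key = (reply.dst, reply.dport, reply.src, reply.sport)
        orig = self.conntrack.get(key)
        if orig is None:
            return reply
        # Reply must look as if it came from the original destination.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def resolver_reply(query: Packet) -> Packet:
    """The internal resolver answers to whatever source address it saw."""
    return Packet(query.dst, query.dport, query.src, query.sport)


def client_accepts(reply: Packet, query: Packet) -> bool:
    """A stub resolver matches replies only against the 4-tuple it sent to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        query.dst, query.dport, query.src, query.sport)


def run(snat_lan: bool) -> bool:
    router = Router(snat_lan)
    query = Packet(CLIENT, 49206, UPSTREAM, DNS_PORT)
    to_resolver = router.forward(query)
    reply = resolver_reply(to_resolver)
    # Same-LAN shortcut: a reply addressed to the client itself is delivered
    # directly and never passes the router, so nothing is un-translated.
    if reply.dst != ROUTER_LAN:
        return client_accepts(reply, query)
    return client_accepts(router.reverse(reply), query)


if __name__ == "__main__":
    print("DNAT only           :", "accepted" if run(False) else "ignored")
    print("DNAT + LAN-side SNAT:", "accepted" if run(True) else "ignored")
```

With DNAT only, the resolver's answer reaches the client with source 172.16.0.250 instead of 1.1.1.1 and is dropped by the stub resolver; with the LAN-side SNAT the answer is forced back through the router, whose conntrack entry restores 1.1.1.1:53 as the source before delivery.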

I did manage to fix this, although I encountered a weird bug on 1.4 where it was NATing to a destination that wasn't even defined. The behaviour broke all understanding of how DNAT/SNAT works, so I reverted to 1.3.2 and the issue is sorted. Thanks for your reply.

If possible, can you please boot once again using 1.4 image and provide configuration rules for 1.4 that did not work as expected?
If there's an error, it's better to share it so it gets fixed!

show config commands | grep net
sudo nft list table ip vyos_nat

If using firewall configuration, which may also need verification:

show config commands | grep firewall
sudo nft list table ip vyos_filter
