Issue with firewall rule and DNS forwarding

Hello.
I’ve implemented a DNS forwarder on a VyOS system. It works well.
But then I’ve put these firewall rules…:

set firewall ipv4 output filter default-action drop
set firewall ipv4 output filter rule 1 protocol udp
set firewall ipv4 output filter rule 1 destination port 53
set firewall ipv4 output filter rule 1 action accept

…DNS queries from my clients hang. The thing is that if I delete the set firewall ipv4 output filter rule 1 destination port 53 line, resolution works again. So, my question is…isn’t VyOS’s DNS forwarder supposed to do DNS queries to port 53/udp of my main (Internet) DNS server? If not, which port is VyOS using, then? I’m missing something…

Thanks!

Are you forwarding to an internal DNS server or an external one? If internal, is it listening on port 53? Are there other additional rules in your firewall? I’m wondering if DNS is resolving through TCP due to fragmenting rather than UDP?

You could try running tcpdump from # (conf mode) with and without your rule 53 present. That might give you added insight around what’s happening.

tcpdump -ni any port 53 -n
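As an added illustration (not part of either post, and not VyOS code), the model below evaluates a few constructed packets against the rule set from the question the way an output chain does: top to bottom, first match wins, default action otherwise. The output chain sees every packet the router itself generates, which for a DNS forwarder is not only its queries to the upstream resolver but also its replies back to LAN clients (source port 53, destination the client's ephemeral port) and, as the reply suggests, TCP retries when a UDP answer is truncated. The rule sets, port numbers and packet descriptions are assumptions made for the example; the third rule set shows one way to permit all three flows, although on a real firewall a stateful rule that accepts established/related traffic is the usual way to admit the replies rather than a source-port match.

```python
# Added example: a minimal first-match model of a firewall output chain,
# used to check which locally generated DNS-forwarder packets the posted
# rule set drops. All packets and port numbers below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str   # "udp" or "tcp"
    sport: int   # source port on the router
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # None means "any protocol"
    dport: Optional[int] = None      # None means "any destination port"
    sport: Optional[int] = None      # None means "any source port"

    def matches(self, p: Packet) -> bool:
        return all([
            self.protocol is None or self.protocol == p.proto,
            self.dport is None or self.dport == p.dport,
            self.sport is None or self.sport == p.sport,
        ])


def evaluate(rules: List[Rule], default_action: str, p: Packet) -> str:
    """First matching rule decides; otherwise the chain's default action."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default_action


# Traffic the router itself emits while forwarding DNS (constructed values).
TRAFFIC = [
    Packet("query_to_upstream",   "udp", 40123, 53),      # forwarder -> upstream resolver
    Packet("reply_to_client",     "udp", 53,    51876),   # forwarder -> LAN client
    Packet("tcp_retry_to_upstream", "tcp", 40124, 53),    # TCP fallback after a truncated answer
]

# Rule 1 exactly as posted in the question.
POSTED_RULES = [Rule("accept", protocol="udp", dport=53)]

# Rule 1 with the "destination port 53" line deleted, as the poster tried.
WITHOUT_DPORT = [Rule("accept", protocol="udp")]

# One assumed tightening: queries over UDP and TCP, plus the forwarder's own
# replies (source port 53). A stateful established/related rule would be the
# more usual way to admit the replies on a real firewall.
TIGHTENED_RULES = [
    Rule("accept", protocol="udp", dport=53),
    Rule("accept", protocol="tcp", dport=53),
    Rule("accept", protocol="udp", sport=53),
]


def verdicts(rules: List[Rule], default_action: str = "drop") -> Dict[str, str]:
    """Map each constructed packet name to the chain's verdict."""
    return {p.name: evaluate(rules, default_action, p) for p in TRAFFIC}


if __name__ == "__main__":
    for label, rules in [("posted", POSTED_RULES),
                         ("without dport 53", WITHOUT_DPORT),
                         ("tightened", TIGHTENED_RULES)]:
        print(f"--- {label} ---")
        for name, verdict in verdicts(rules).items():
            print(f"{name:24s} {verdict}")
```

Running it shows that the posted rule set lets the forwarder's query out but drops its reply to the client (the reply's destination port is the client's ephemeral port, not 53), which matches the symptom of clients hanging, and that removing the port match accepts the reply again but still drops any TCP fallback to the upstream resolver. Comparing that with what the suggested tcpdump shows on the box is a quick way to confirm which flow is actually being dropped.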