I have a Raspberry Pi that is running Bind9 as an authoritative DNS server for a local zone. All other DNS requests are forwarded to a public DNS server. So Bind9 is listening on port 53 at address 192.168.1.254.

Now I want to install Unbound on this Raspberry Pi to provide "DNS over TLS". Because you can't have two different resolvers listening on the same port (53), I thought that I could solve this with a second IP address and port forwarding.

So I configured Unbound to listen at 192.168.1.2:1053. DNS queries to this port and address are answered correctly. With iptables I installed the following rules:
# UDP queries arriving for 192.168.1.2:53 -> local port 1053
iptables -t nat -A PREROUTING -p udp --dst 192.168.1.2 --dport 53 -j REDIRECT --to-ports 1053
# TCP queries arriving for 192.168.1.2:53 -> local port 1053
iptables -t nat -A PREROUTING -p tcp --dst 192.168.1.2 --dport 53 -j REDIRECT --to-ports 1053
Now DNS queries to 192.168.1.2 and port 53 are not answered because of a timeout at the client side.

With iptables I can determine that the rules are applied correctly, but I don't get an answer. Why?
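The following is an added example, not part of the question above and not code from the asker. It models what the two nat targets involved do to a packet, using the semantics documented in iptables-extensions(8): REDIRECT rewrites the destination IP to the primary address of the interface the packet arrived on (127.0.0.1 for locally generated packets) and then applies --to-ports, while DNAT rewrites the destination to exactly what --to-destination names. It assumes, from the post, that 192.168.1.254 is the primary address of the Pi's LAN interface and 192.168.1.2 a secondary address on the same interface, with bind9 on 192.168.1.254:53 and unbound on 192.168.1.2:1053; the listener table and the DNAT rule are constructed for the example.

```python
"""Model of what the nat PREROUTING targets in the question do to a DNS packet.

Added example, not from the original post.  Semantics per iptables-extensions(8):
  REDIRECT  destination IP := primary address of the incoming interface,
            destination port := --to-ports
  DNAT      destination := --to-destination (ip[:port])

Assumptions taken from the post, not verified on the asker's machine:
  * eth0 has 192.168.1.254 as primary and 192.168.1.2 as secondary address
  * bind9 listens on 192.168.1.254:53, unbound on 192.168.1.2:1053
"""
import shlex
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed from the post: which daemon owns which socket.
LISTENERS: Dict[Endpoint, str] = {
    ("192.168.1.254", 53): "bind9",
    ("192.168.1.2", 1053): "unbound",
}

# Assumption: primary address of the interface on which LAN queries arrive.
IFACE_PRIMARY = "192.168.1.254"


def parse_rule(rule: str) -> Dict[str, str]:
    """Reduce an 'iptables -t nat -A PREROUTING ...' command line to a dict of
    the options this model cares about (match clause and target arguments)."""
    toks = shlex.split(rule)
    opts: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-t", "-A", "-i", "-p", "-d", "--dst", "--dport",
                   "-j", "--to-ports", "--to-destination"):
            opts[tok.lstrip("-")] = toks[i + 1]
            i += 2
        else:
            i += 1
    if "dst" not in opts and "d" in opts:      # -d is the short form of --dst
        opts["dst"] = opts["d"]
    return opts


def effective_destination(rule: str, packet_dst: Endpoint,
                          iface_primary: str = IFACE_PRIMARY) -> Endpoint:
    """Destination (ip, port) a packet addressed to packet_dst has after the rule."""
    opts = parse_rule(rule)
    ip, port = packet_dst
    # The rule only acts when its --dst / --dport match clause fits the packet.
    if opts.get("dst", ip) != ip or int(opts.get("dport", port)) != port:
        return packet_dst
    target = opts.get("j")
    if target == "REDIRECT":
        # The secondary address is lost: dst IP becomes the interface's primary.
        return (iface_primary, int(opts.get("to-ports", port)))
    if target == "DNAT":
        new_ip, _, new_port = opts["to-destination"].partition(":")
        return (new_ip or ip, int(new_port) if new_port else port)
    return packet_dst


def who_answers(rule: str, packet_dst: Endpoint) -> Optional[str]:
    """Daemon bound to the rewritten destination, or None when nothing listens
    there (the client then sees ICMP port unreachable / RST, or a timeout)."""
    return LISTENERS.get(effective_destination(rule, packet_dst))


# The asker's UDP rule, verbatim from the post.
POSTED_RULE = ("iptables -t nat -A PREROUTING -p udp --dst 192.168.1.2 "
               "--dport 53 -j REDIRECT --to-ports 1053")
# Constructed alternative that names the secondary address explicitly.
DNAT_RULE = ("iptables -t nat -A PREROUTING -p udp --dst 192.168.1.2 "
             "--dport 53 -j DNAT --to-destination 192.168.1.2:1053")

QUERY: Endpoint = ("192.168.1.2", 53)   # what a LAN client sends

if __name__ == "__main__":
    for name, rule in (("REDIRECT", POSTED_RULE), ("DNAT", DNAT_RULE)):
        ip, port = effective_destination(rule, QUERY)
        print(f"{name:8s} -> {ip}:{port}  answered by {who_answers(rule, QUERY)}")
```

With the posted REDIRECT rule the query to 192.168.1.2:53 ends up at 192.168.1.254:1053, where no daemon is bound; the DNAT form lands it on 192.168.1.2:1053, where unbound listens. On the real box the same two facts can be checked with `ss -lunp` / `ss -ltnp` (which socket owns which address and port) and `iptables -t nat -L PREROUTING -n -v` (whether the rule's packet counters increase); note that PREROUTING is not traversed by queries sent from the Pi itself, which go through the OUTPUT chain instead.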