
I have a Raspberry Pi that is running Bind9 as an authoritative DNS server for a local zone. All other DNS requests are forwarded to a public DNS server. So Bind9 is listening on port 53 at address 192.168.1.254.

Now I want to install Unbound on this Raspberry Pi to provide "DNS over TLS". Because you can't have two different resolvers listening on the same port (53), I thought that I could solve this with a second IP address and port forwarding.

So I configured Unbound to listen at 192.168.1.2:1053. DNS queries to this port and address are answered correctly. Using iptables I installed the following rules:

iptables -t nat -A PREROUTING -p udp --dst 192.168.1.2 --dport 53 -j REDIRECT --to-ports 1053
iptables -t nat -A PREROUTING -p tcp --dst 192.168.1.2 --dport 53 -j REDIRECT --to-ports 1053

Now DNS queries to 192.168.1.2 and port 53 are not answered because of a timeout at the client side.

With iptables I can see that the rules are applied correctly, but I don't get an answer. Why?

  • Why not simply do DNS over TLS in BIND? Commented Jun 7, 2019 at 23:54
  • I don't want to do "DNS over TLS" for all clients on the network, and Bind9 is only able to do it with stunnel.
    – idlmn89
    Commented Jun 8, 2019 at 0:01

1 Answer


I solved this: In the case I described above, simple port forwarding isn't enough. The following does the trick:

iptables -t nat -A PREROUTING -p udp --dport 53 --dst 192.168.1.2 -j DNAT --to-destination 192.168.1.2:1053
iptables -t nat -A PREROUTING -p tcp --dport 53 --dst 192.168.1.2 -j DNAT --to-destination 192.168.1.2:1053

Maybe there are other solutions, but this is what works for me.

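The reason the REDIRECT rules from the question time out while the DNAT rules work: REDIRECT rewrites the destination to the primary address of the incoming interface (192.168.1.254 on this Pi), so a listener bound only to the secondary address 192.168.1.2:1053 never receives the packet. The following is an added example, not code from the question or answer: a small Python check that audits `iptables -t nat -L PREROUTING -n -v` output and flags REDIRECT rules whose matched destination is not the interface's primary address. The listing is a constructed sample, and 192.168.1.254 being the primary address is an assumption.

```python
import re

# Constructed sample of `iptables -t nat -L PREROUTING -n -v` output, mirroring
# the two rule styles from the post (REDIRECT from the question, DNAT from the
# answer). Counters and layout are made up.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   320 REDIRECT   udp  --  *      *       0.0.0.0/0            192.168.1.2          udp dpt:53 redir ports 1053
    5   320 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:53 redir ports 1053
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.1.2          udp dpt:53 to:192.168.1.2:1053
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:53 to:192.168.1.2:1053
"""

# Columns of a `-L -n -v` rule line: pkts bytes target prot opt in out src dst [match text]
RULE_RE = re.compile(
    r"^\s*\d+[KMGT]?\s+\d+[KMGT]?\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$"
)

def parse_nat_rules(listing):
    """Return one dict per rule line; the chain and header lines are skipped."""
    return [m.groupdict() for m in map(RULE_RE.match, listing.splitlines()) if m]

def find_misdirected_redirects(listing, primary_addr):
    """REDIRECT rewrites the destination to the primary address of the
    incoming interface. A REDIRECT rule matching a secondary address thus
    delivers the packet to primary_addr:<port>; a service bound only to the
    secondary address never sees it and the client times out."""
    findings = []
    for r in parse_nat_rules(listing):
        if r["target"] != "REDIRECT" or r["dst"] == primary_addr:
            continue
        m = re.search(r"redir ports (\d+)", r["rest"])
        port = m.group(1) if m else "?"
        findings.append(
            f"{r['proto']} dst {r['dst']}: REDIRECT delivers to {primary_addr}:{port}; "
            f"use DNAT --to-destination {r['dst']}:{port} instead"
        )
    return findings

if __name__ == "__main__":
    # Assumption: 192.168.1.254 is the primary address of the interface the
    # queries arrive on (the Bind9 address in the post).
    for finding in find_misdirected_redirects(SAMPLE_NAT_LISTING, "192.168.1.254"):
        print(finding)
```

Run it against real output by replacing the sample with the captured listing; a rule is only reported when its target is REDIRECT and its destination differs from the address you pass in.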
