UPC
Connect Box (Compal)

Hello all,

(I am a UPC CH customer.) Could someone please check and confirm that DNS responses with A records with IPs from a private range are blocked somewhere?

I have my own public zone. At home, I have a few hosts which I want to access using DNS names (not IP addresses), so I have assigned them fixed IPs on the DHCP (router) and set A records with private IPs 192.168.0.x for them in my DNS zone.

When I request the names from my domain which have private IPs, I get no answer. It happens when I ask the UPC DNS server, but also if I ask public DNS servers on the internet (1.1.1.1, 9.9.9.9, 8.8.8.8). If I ask for any records with a public/internet IP, I get the correct answer. Funny is, if I make a DNAT for port 10053 to e.g. 1.1.1.1:53 on my internet server, then request the DNS name with the private IP from my internet host on port 10053, then the answer with the private IP comes.

It looks like something is blocking every DNS answer on port 53 which contains an IP from the private IP range (at least 192.168.0.x). I have tried to deactivate the firewalling functionality on my UPC router, but the answer kept being blocked.

As a workaround I have installed dnsmasq on my internet host on port 10053 and proxy DNS requests to other public DNS servers. On my home hosts I have installed dnsmasq too, and for my zone I have configured my internet host with port 10053 as the resolver.

I presume this should be some protection against something, but I don't really have an idea against what. Or maybe it is some default option of a device which Sunrise/UPC uses? Would it be possible to deactivate this option and allow DNS resolution containing private IPs?

Thank you.

Regards,

Robert.


    rwolfcz Welcome to the community!

    Your request is very technical. I will ask @pato once for help. Maybe he has an explanation. I would say that NAT loopback does not work on Compal modems.

    Greetings
    Daniele

    • pato replied to this message

      Hello Daniele,

      thank you for asking pato.

      I don't understand these modems, but from a network view the DNS requests work correctly (i.e. the request for any address goes to the destination DNS server).

      Then the answers with public IPs are delivered back to the requesting host.

      Only the answers with private IPs are blocked somewhere.

      Thank you.

      Robert.

      • pato replied to this message

        rwolfcz Daniele_Sunrise This should be some other reason.
        I run mine in bridge mode, so I can’t test.

        Could you maybe share some results tested with “dig”? You might need to install it first, then share the results here. Please run it in verbose mode.

          • Edited

          Hello pato,

          I have created the records test-public.mydomain.dom with IP 5.5.5.5 and test-priv-192-168.mydomain.dom with IP 192.168.2.2. On my server I have created a simple DNAT on ports 53 and 11053 and redirected the DNS queries to the DNS server 1.1.1.1:53. I have started tcpdump on my client at home and on the server with the DNAT.

          Here are the results.

          Requesting test-public.mydomain.dom on port 53 correctly returns IP 5.5.5.5; on the client and the server the request and the response are visible in tcpdump:

          $ dig -p 53  test-public.mydomain.dom @slave.mydomain.dom
          ; <<>> DiG 9.16.37-Debian <<>> -p 53 test-public.mydomain.dom @slave.mydomain.dom
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46163
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;test-public.mydomain.dom.          IN      A
          ;; ANSWER SECTION:
          test-public.mydomain.dom.   300     IN      A       5.5.5.5
          ;; Query time: 28 msec
          ;; SERVER: IP-SLAVE.MYDOMAIN.DOM#53(IP-SLAVE.MYDOMAIN.DOM)
          ;; WHEN: Wed Mar 01 00:17:50 CET 2023
          ;; MSG SIZE  rcvd: 65
          
          #### CLIENT ####
          00:17:50.617571 IP 192.168.0.53.48130 > IP-SLAVE.MYDOMAIN.DOM.53: 46163+ [1au] A? test-public.mydomain.dom. (61)
          00:17:50.644156 IP IP-SLAVE.MYDOMAIN.DOM.53 > 192.168.0.53.48130: 46163 1/0/1 A 5.5.5.5 (65)
          
          #### IP-SLAVE.MYDOMAIN.DOM ####
          00:17:50.630917 IP HOME-IP.48130 > IP-SLAVE.MYDOMAIN.DOM.53: 46163+ [1au] A? test-public.mydomain.dom. (61)
          00:17:50.636872 IP IP-SLAVE.MYDOMAIN.DOM.53 > HOME-IP.48130: 46163 1/0/1 A 5.5.5.5 (65)

          Requesting test-public.mydomain.dom on port 11053 correctly returns IP 5.5.5.5 too; on the client and the server the request and the response are visible in tcpdump:

          $ dig -p 11053  test-public.mydomain.dom @slave.mydomain.dom
          ; <<>> DiG 9.16.37-Debian <<>> -p 11053 test-public.mydomain.dom @slave.mydomain.dom
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13886
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;test-public.mydomain.dom.          IN      A
          ;; ANSWER SECTION:
          test-public.mydomain.dom.   296     IN      A       5.5.5.5
          ;; Query time: 40 msec
          ;; SERVER: IP-SLAVE.MYDOMAIN.DOM#11053(IP-SLAVE.MYDOMAIN.DOM)
          ;; WHEN: Wed Mar 01 00:17:55 CET 2023
          ;; MSG SIZE  rcvd: 65
          
          #### CLIENT ####
          00:17:55.240128 IP 192.168.0.53.46461 > IP-SLAVE.MYDOMAIN.DOM.11053: UDP, length 61
          00:17:55.282346 IP IP-SLAVE.MYDOMAIN.DOM.11053 > 192.168.0.53.46461: UDP, length 65
          
          #### IP-SLAVE.MYDOMAIN.DOM ####
          00:17:55.256946 IP HOME-IP.46461 > IP-SLAVE.MYDOMAIN.DOM.11053: UDP, length 61
          00:17:55.274641 IP IP-SLAVE.MYDOMAIN.DOM.11053 > HOME-IP.46461: UDP, length 65

          Now the private IP. Requesting test-priv-192-168.mydomain.dom on port 11053 correctly returns the IP 192.168.2.2, and you can see the DNS request and response in tcpdump on the client and the server:

          $ dig -p 11053  test-priv-192-168.mydomain.dom @slave.mydomain.dom
          ; <<>> DiG 9.16.37-Debian <<>> -p 11053 test-priv-192-168.mydomain.dom @slave.mydomain.dom
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61347
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;test-priv-192-168.mydomain.dom.    IN      A
          ;; ANSWER SECTION:
          test-priv-192-168.mydomain.dom. 276 IN      A       192.168.2.2
          ;; Query time: 40 msec
          ;; SERVER: IP-SLAVE.MYDOMAIN.DOM#11053(IP-SLAVE.MYDOMAIN.DOM)
          ;; WHEN: Wed Mar 01 00:22:50 CET 2023
          ;; MSG SIZE  rcvd: 71
          
          #### CLIENT ####
          00:22:50.190542 IP 192.168.0.53.56017 > IP-SLAVE.MYDOMAIN.DOM.11053: UDP, length 67
          00:22:50.229684 IP IP-SLAVE.MYDOMAIN.DOM.11053 > 192.168.0.53.56017: UDP, length 71
          
          #### IP-SLAVE.MYDOMAIN.DOM ####
          00:22:50.207458 IP HOME-IP.56017 > IP-SLAVE.MYDOMAIN.DOM.11053: UDP, length 67
          00:22:50.221446 IP IP-SLAVE.MYDOMAIN.DOM.11053 > HOME-IP.56017: UDP, length 71

          But if I request test-priv-192-168.mydomain.dom on port 53, the client makes the request to the server, the server then sends the response back to the client, but the client never gets the response from the server:

          $ dig -p 53  test-priv-192-168.mydomain.dom @slave.mydomain.dom
          ; <<>> DiG 9.16.37-Debian <<>> -p 53 test-priv-192-168.mydomain.dom @slave.mydomain.dom
          ;; global options: +cmd
          ;; connection timed out; no servers could be reached
          
          #### CLIENT ####
          00:22:25.457221 IP 192.168.0.53.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          00:22:30.455415 IP 192.168.0.53.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          00:22:35.455231 IP 192.168.0.53.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          
          #### IP-SLAVE.MYDOMAIN.DOM ####
          00:22:25.475327 IP HOME-IP.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          00:22:25.486875 IP IP-SLAVE.MYDOMAIN.DOM.53 > HOME-IP.45027: 36624 1/0/1 A 192.168.2.2 (71)
          00:22:30.469225 IP HOME-IP.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          00:22:30.487988 IP IP-SLAVE.MYDOMAIN.DOM.53 > HOME-IP.45027: 36624 1/0/1 A 192.168.2.2 (71)
          00:22:35.467271 IP HOME-IP.45027 > IP-SLAVE.MYDOMAIN.DOM.53: 36624+ [1au] A? test-priv-192-168.mydomain.dom. (67)
          00:22:35.479780 IP IP-SLAVE.MYDOMAIN.DOM.53 > HOME-IP.45027: 36624 1/0/1 A 192.168.2.2 (71)

          You can see that the client makes three DNS requests and the server sends three answers with the IP 192.168.2.2, but you don't see the responses on the client.

          I hope the outputs are clear for you. If you don't understand anything, just ask me, please.

          Regards,

          Robert.

          @Daniele_Sunrise this very much looks like some DNS filtering being done on the Sunrise/router side, which should not happen.
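The captures above fit a DNS-rebinding filter: a middlebox parses each port-53 answer and drops it when an A record points into a private range. As an added illustration (not code from the thread or from the modem), the Python below builds answers like the two captured ones and applies exactly that check; the names and transaction ids are taken from the dig output, while the message bytes are constructed here and the dropping rule is assumed, since the thread never identifies the device doing it.

```python
import ipaddress
import struct


def build_response(txn_id, name, ip, ttl=300):
    """Constructed sample: a minimal DNS response with one question and one A record, no EDNS."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)  # flags qr rd ra, NOERROR
    question = qname + struct.pack("!HH", 1, 1)                  # qtype A, qclass IN
    # Answer owner name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: always 2 bytes
            return off + 2
        off += 1 + length


def parse_answers(msg):
    """Return (transaction id, IPv4 addresses of the A records in the answer section)."""
    txn_id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4      # skip qtype and qclass
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen                        # skip rdata of any record type
    return txn_id, addrs


def private_answers(msg):
    """A-record addresses a rebinding filter would reject (RFC 1918, loopback, link-local, ...)."""
    _, addrs = parse_answers(msg)
    return [str(a) for a in addrs if a.is_private]


if __name__ == "__main__":
    for txn, name, ip in [(46163, "test-public.mydomain.dom", "5.5.5.5"),
                          (36624, "test-priv-192-168.mydomain.dom", "192.168.2.2")]:
        msg = build_response(txn, name, ip)
        print(f"id {txn} {name} -> {ip}:", "DROP" if private_answers(msg) else "PASS")
```

The same parse-and-classify step, run over the decoded answer sections of a tcpdump or pcap on both sides of the modem, is the quickest way to confirm that only private-address answers go missing.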

          6 months later