Unable to forward port 53 via DMZ or NAT forwarding?! HELP!

Question

Unable to forward port 53 via DMZ or NAT forwarding?! HELP!

I just "upgraded" my home network to an airport extreme w/ gigabit, and have been trying to figure out for a week now why my DNS server (in the DMZ) wasn't working for outside lookups... The airport doesn't seem to forward that port because it has a DNS service of its own running on the WAN port!

Aaargh, I don't think I can properly express what an uncomfortable position this puts me in... I do not have a trivial setup. Is this considered a bug? Are they going to fix it?? Is there a workaround? If not, I'll have to replace this thing with a cheap linksys, and pronto!

(Since it wouldn't forward in the DMZ, I tried manually forwarding port 53 as a NAT rule. That didn't work either... the idiot little device still intercepts all inbound DNS traffic).

MacBook, Mac OS X (10.5.2)

Posted on Feb 18, 2008 8:43 PM

Reply

Answer 1

Best reply

Henry B.

Level 9

78,713 points

Feb 18, 2008 9:21 PM in response to JeremyHerbison

Interesting. I've been reading discussions in this forum for years, and haven't until now come across someone who wanted to allow inbound DNS requests to their private LAN.

Is it possible to configure your DNS to respond to requests on a port other than 53? If so, you could try configuring the base station's port mapping table so that it translates inbound port 53 requests to another port on your private LAN - though I don't know whether the Base Station would also block this workaround as well.

Reply

Answer 2

Feb 18, 2008 9:42 PM in response to Henry B.

I tried that; unfortunately it is as you suspected. I can understand that the airport has its own DNS resolver, but I'm sure confused as to why it is listening on the WAN side!

There are a number of posts around the 'tubes with people wondering why scans of their airport shows port 53 open. That's what pointed me toward this conclusion.

I don't expect I'm the only one trying to run a DNS server behind an apple router. For tonight, i've put my old router back on as a NAT gateway, and set the airport in bridge/DHCP mode. That'll work for now, but if there are no plans to fix this behaviour, it's going back to the dealer.

Reply

Answer 3

Cancan69

Level 1

5 points

Feb 19, 2008 8:11 AM in response to JeremyHerbison

Hi,

Is it possible that your ISP is blocking low end/well known traffic ports…? Many ISP's do this so you are more likely to use their online services.

I found that if I wanted to use port 53; I would forward to port 5053 and presto! I am in. This is all good but I don't use an AEBS. I use a high end Buffalo with DD-WRT firmware and I can access all devices on my LAN from the outside world.

If anyone is aware of a way to port forward with an AEBS well, I would be keen to upgrade to this device, simply for the draft N and gigabit ports.

Hope this helps and if you can explain to me if you can forward ports from say; 21 to 5021 on an AEBS, please advise.

Reply

Answer 4

Henry B.

Level 9

78,713 points

Feb 19, 2008 8:42 AM in response to Cancan69

The Airport Extreme Base Station does allow you to forward inbound requests from the internet on one port, to a different port on your private LAN.

If you are happy with your current Buffalo router, I recommend you not exchange it for an Airport Base Station. Undoubtedly the Buffalo router is a better and more fully-featured one than the rather basic router built into Airport Base Stations. If you want to use an Airport Base Station, cable it to one of the LAN ports on your Buffalo router and configure the Base Station for "bridge mode" thus disabling its built in router.

Reply

Answer 5

Feb 19, 2008 10:24 AM in response to Cancan69

The AEBS can configure a DMZ (forward all ports to a certain host) or do port-based forwarding for all protocols it appears EXCEPT DNS. This isn't my ISP filtering the port... the airport actually intercepts the DNS requests instead of forwarding them to the DMZ as it should, because it has its own DNS server running on the WAN port for some bizarre reason.

Port redirection won't work in this case because it intercepts all port-53 traffic before any NATing or port redirection take place. I know; I tried it.

Reply

Answer 6

shakkott

Level 1

0 points

Feb 25, 2008 8:13 AM in response to JeremyHerbison

Hi,

I am having the same problem as well. My university web server does a reverse DNS lookup before it permits me to connect to the mail-server. I recently switched to an airport extreme and found that I was unable to access the mail server.

After digging around, I realized that the airport extreme base-station (BS) is blocking incoming port 53 reverse dns lookups. From reading this thread, it looks like one fix would be to use my airport extreme BS as a bridge, and buy a separate (wired) router/NAT box that goes between the BS and the cable modem. Would this work if I have WDS running (I currently have two airport BS with the second being a relay).

Also, is there any solution if I do not want to buy new hardware 🙂 Thanks very much.

Regards,
Sanjay
--

Reply

Answer 7

Henry B.

Level 9

78,713 points

Feb 25, 2008 8:20 AM in response to shakkott

Yes, this would work just fine even if you have a WDS. You would need to configure your WDS main base station into "bridge mode" (ignoring any error messages when you make the change). It is often necessary to restart the remote base stations, to force them to obtain a new IP address from the router you have just installed.

Reply

Answer 8

Cancan69

Level 1

5 points

Feb 25, 2008 8:06 PM in response to Henry B.

Hi,
One quick Q. If I set up an AEBS as a "bridge" by hanging it off of; cable modem > LAN router > AEBS (bridge): Would there be any compromise in LAN/WAN speed? WDS will cut speed in half but with a bridged network do I risk compromising the speed the AEBS offers with gigabit ethernet and wireless N (only)?

Thanks,
Cc

Reply