
Hosting an ACME-DNS server behind XG - any tricks for new players?

Hi,

I have an XG Home edition running SFOS 19.0.1 MR-1-Build365. I have set up an ACME-DNS server on my LAN so that I can use it to authorise Let's Encrypt certificate issuing/renewals using the DNS-01 validation method. I have updated my external DNS zone to delegate a subdomain to my ACME-DNS server, using the public IP on my XG as the NS address for the delegated subdomain.

My problem is I can't seem to get connectivity working from the internet to my ACME-DNS server over UDP/53.

I used the Server Access Assistant (DNAT) wizard to setup the rule and specified the service as "DNS" which includes both TCP/UDP/53 as the destination port. TCP works fine and I can see the connection hit my ACME-DNS server, but I can't seem to get UDP connectivity working.

When I issue a DNS query over UDP (externally), I don't see any traffic hit either my server or the XG's WAN port (Port2_ppp in my case), but I do see the TCP traffic on port 53 hit both (using tcpdump).

I have logging turned on in my FW rule, but don't see any messages in the logs about why this might be. I've poked around and scratched my head on this for a couple of hours but haven't made any progress, and so just wondered if anyone else was running a DNS server accessible from the internet behind their XG, and if so, if there is any trick to it. I'm sure I've just missed something simple, but haven't been able to figure out what that is.

Cheers,



This thread was automatically locked due to age.
  • You are using your own DNS server for your own DNS entry? 

    I never approach it this way, as I am always using the API of my DNS provider. What kind of DNS provider allows you to publish your own DNS subdomains?


  • If you can manage your external DNS why not use the following method:
    https://docs.certifytheweb.com/docs/dns/providers/acme-dns/

    In this way you do not need to create/enlarge the attack surface on your internal network.

    SFVH (SFOS 19.5.1 MR-1-Build278)  - Last (re)boot on February 20 2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
  • Hi team,

    Thanks for the suggestions, but I'd like to get to the bottom of why this isn't working. 

    An update. I created a new service on my firewall called UDP54, which was defined as a UDP port, any source port, destination port 54. I added this to my existing firewall and NAT rules (created by the wizard) and the traffic arrived at my internal host as expected (tcpdump). I was also able to observe it being accepted by looking at the firewall logs, and on my WAN interface (tcpdump).

    I have contacted my ISP to ask if they are blocking inbound UDP destination port 53 and although their support desk didn't believe so, they have asked the question of their network team, but I am yet to hear back.

    My conclusion is that either my ISP is blocking UDP/53, or the XG is dropping it silently for some reason (I have also setup a drop rule with logging just above the default drop rule). 

    I would be keen to hear if anyone else is running a DNS server behind their XG to confirm it isn't some kind of limitation of the firewall, but I will also wait to hear back from my ISP for their definitive answer on whether they are blocking the port or not.

    Cheers,

  • Just to be sure: Why should a DNS request come to your firewall? I want to make sure we are not following a wrong path. So: You have a DNS server hosted, and you have a domain, let's call it example.com. Why should the internet ask your DNS server for this domain?

    So to speak, have you created an NS record for your domain that points to your public IP?


  • Hi, yes, in your example, there is an NS record for example.com that points to myisp.nameserver.com. There is another NS record for auth.example.com that points to acme-dns.myselfhosted.nameserver.com, which is the public IP of my XG.

    That isn't really the issue I'm trying to solve however, it's that no UDP/53 traffic directed to the firewall appears to be getting passed to my server (acme-dns.myselfhosted.nameserver.com), but if I update the rules to also allow UDP/54 traffic, I do see that arriving.

    It's the weekend here now so I probably won't hear back from my ISP until Monday, but I am still interested in knowing if anyone here is running a publicly accessible DNS server behind their XG (to rule out an XG issue) and if there were any tricks to getting that working.

    Cheers,

  • Hi team,

    Just to close this out, it did turn out to be my ISP blocking inbound UDP/53. They unblocked it tonight and all is now working as expected, so no tricks for new players necessary.

    Cheers,
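The diagnosis the thread arrives at (TCP/53 and UDP on an alternate port reach the server, UDP/53 does not, so the drop is upstream of the firewall rather than in the DNAT rule) can be checked from outside with a small probe instead of a tcpdump on each hop. The script below is an added example and not code from the thread or from acme-dns: it builds a raw DNS query, sends it over UDP/53, TCP/53 and an alternate UDP port, and parses any answer, so the three results can be compared side by side. The server address, the delegated zone `auth.example.com` and the alternate port are placeholders to be replaced with your own values.

```python
"""Added example: probe a self-hosted authoritative DNS server (such as
acme-dns) over UDP/53, TCP/53 and an alternate UDP port to separate an
upstream port block from a firewall/DNAT problem. Names used here
(auth.example.com, 203.0.113.10) are constructed placeholders."""
import random
import socket
import struct
import sys
from typing import Optional

# Record types relevant to the ACME DNS-01 flow: NS for the delegation,
# TXT for the _acme-challenge answer, A as a generic sanity check.
QTYPE = {"A": 1, "NS": 2, "TXT": 16}


def build_query(name: str, qtype: str, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query (one question, RD bit set)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(data: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Parse header, skip questions, and decode answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                            # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == QTYPE["TXT"]:           # TXT is a sequence of length-prefixed strings
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii"))
                p += 1 + rdata[p]
            value = "".join(parts)
        elif rtype == QTYPE["NS"]:
            value, _ = _read_name(data, off)
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def probe(server: str, name: str, qtype: str, transport: str,
          port: int = 53, timeout: float = 3.0) -> Optional[dict]:
    """Send one query over 'udp' or 'tcp'; None means no (matching) reply."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, qtype, txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data, _ = s.recvfrom(4096)
        else:                               # TCP DNS prefixes each message with its length
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
    except (OSError, socket.timeout):
        return None
    result = parse_response(data)
    return result if result["txid"] == txid else None


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"   # placeholder
    zone = sys.argv[2] if len(sys.argv) > 2 else "auth.example.com"  # placeholder
    # No answer on UDP/53 with answers on TCP/53 and UDP/54 points upstream of the firewall.
    for transport, port in (("udp", 53), ("tcp", 53), ("udp", 54)):
        r = probe(server, zone, "NS", transport, port)
        print(f"{transport}/{port}: {'no reply' if r is None else r}")
```

Run it from a host outside your own network (a VPS or a mobile tethering connection), not from the LAN, since the question is whether the packet survives the path in. A timeout only on UDP/53 while TCP/53 and the alternate UDP port answer is the pattern seen in this thread; a timeout on every transport points at the NAT or firewall rule instead.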
