Solved Use DoT/DoH but keep UDP Port 53 free on Debian

Solved issue
Thank you again for the work you put into this. After sleeping one night, I went back to my idea about port sharing I mentioned earlier in this thread. So I went ahead and tried to make openvpn listen on my WAN IP and some DNS service on localhost. This is my netstat output now:


Code:
netstat -tulpn | grep :53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      334/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      334/systemd-resolve
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      334/systemd-resolve
udp        0      0 192.168.0.7:53          0.0.0.0:*                           1497/openvpn       
udp        0      0 127.0.0.54:53           0.0.0.0:*                           334/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           334/systemd-resolve
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           334/systemd-resolve

You said that ports cannot be shared, but after a good night's sleep I figured I should try anyway. So far it looks good to me and the first tests resulted in a good outcome. Unfortunately, I cannot test this properly due to the networks I currently have available; they don't like connections to UDP port 53. I may test this more thoroughly in the future.
 


@Harhkl
From your netstat output, the reason why "port sharing" works is that openvpn listens on the 192.168.0.7 address, which is different from unbound's address, 127.0.0.1.

But otherwise, if both listened on the same address, one of them would fail to listen: it would not open the port. The first one to open it would work and the port would be reserved, so the second one trying to open it would fail.

While your idea works, know that you won't be able to listen for DNS queries on LAN or WAN, only loopback.
I know that's fine with you, but if you want to be a pedantic admin then I suggest you redirect DNS queries as I've shown you in a previous post.
Note that my sample nftables works only for loopback.
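The rule stated above (a port can be shared only when each listener binds a distinct, specific address; a wildcard bind or the same address twice means the second bind fails) can be checked against a netstat snapshot before restarting services. The script below is an added example written for this thread, not something posted by either participant; the sample table is constructed from the netstat output earlier in the thread plus one deliberately conflicting wildcard line, and the function name `port_status` is my own.

```shell
#!/bin/sh
# Added example: classify the listeners on one PROTO:PORT from a
# `netstat -tulpn` style table as free / single / shared / conflict.
# Two sockets can share a port only when they bind distinct specific
# addresses. A wildcard (0.0.0.0 or ::) overlaps every address on that
# port, and the same address twice is a clash; in both cases the second
# bind() fails with EADDRINUSE under default Linux rules.

# Constructed sample in the shape of `netstat -tulpn` output (local
# address is field 4, program is the last field).
SAMPLE='tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      334/systemd-resolve
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      334/systemd-resolve
udp        0      0 192.168.0.7:53          0.0.0.0:*                           1497/openvpn
udp        0      0 127.0.0.54:53           0.0.0.0:*                           334/systemd-resolve
udp        0      0 127.0.0.53:53           0.0.0.0:*                           334/systemd-resolve
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           334/systemd-resolve'

# port_status PROTO PORT [TABLE]
# Prints one of: free, single, shared, conflict.
# TABLE defaults to the constructed sample; pass "$(netstat -tulpn)" for
# a live check.
port_status() {
    printf '%s\n' "${3:-$SAMPLE}" | awk -v proto="$1" -v port="$2" '
        $1 == proto {
            p = $4; sub(/.*:/, "", p)            # text after the last colon
            if (p != port) next
            addr = $4; sub(/:[0-9]+$/, "", addr) # strip ":PORT", keeps IPv6 "::"
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") wild++
            seen[addr]++
            total++
        }
        END {
            if (total == 0) { print "free"; exit }
            if (total == 1) { print "single"; exit }
            if (wild > 0)   { print "conflict"; exit }
            for (a in seen) if (seen[a] > 1) { print "conflict"; exit }
            print "shared"
        }'
}

# Walk the sample: udp/53 is shared (192.168.0.7 vs. two loopback addresses),
# tcp/53 is shared, udp/5355 has a single wildcard listener.
for spec in "udp 53" "tcp 53" "udp 5355"; do
    set -- $spec
    printf '%s/%s: %s\n' "$1" "$2" "$(port_status "$1" "$2")"
done
```

The classification treats any wildcard listener as a conflict, which matches the default bind() behaviour; daemons that opt into SO_REUSEPORT on both sockets are the one exception and show up as a false "conflict" here. Run it against `netstat -tulpn` output (or `ss -tulpn`, after adjusting the field number) before moving a second daemon onto port 53.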
 
Hi there,

I would like to host a Debian mail server, where additionally an OpenVPN server instance is listening on UDP port 53. The server itself should use DoH if possible, else DoT. I cannot get it to work, however.

I tried using resolved, but without avail. Can someone point me in the right direction?
I think the easiest way for you is to bind the DNS server to a LAN IP and port. So you can use UDP port 53 inside your VPN.
 
I think the easiest way for you is to bind the DNS server to a LAN IP and port. So you can use UDP port 53 inside your VPN.
It won't work because DNS queries would still be directed to port 53 regardless of the listening address being set.
I tested this scenario as well on my system yesterday.
 
@Harhkl
Btw, I see you have systemd-resolved installed. This means you now have 2 DNS resolvers, that one and unbound, which makes no sense; I would use only one.

I don't know if systemd-resolved is able to listen on other ports, but it's certainly not as advanced as unbound, e.g. no DNSSEC and perhaps no DoH/DoT, not sure.

EDIT:
Actually it does:
 
unbound is installed on the test AWS machine. systemd-resolved is installed on my production Debian machine. I would suggest keeping this thread closed as of now, to not populate it further. My case is solved for now.
 