littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

DNS redirect

Thu Jun 07, 2012 4:25 am

I don't understand this rule.
In /ip firewall filter nat:

add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53 

add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53 

Why is this not a src-nat, or a forward rule? The request goes from the client to the server and back.

My understanding is the request goes out to the standard DNS server, whatever is set, but on reply is when it gets modified and sent to another DNS server with the reply. How does the original client even get the request?

I don't understand how this rule works at all. Any help??? I don't like blindly installing rules I don't understand.

I always used dstnat to do port forwarding. I don't understand at all.
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: DNS redirect

Thu Jun 07, 2012 4:35 am

dst-nat is used to redirect the traffic to another IP; in this case it is used to redirect the DNS request to another DNS server.

Port forwarding is a redirect of the traffic to an internal IP address.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: DNS redirect

Thu Jun 07, 2012 4:43 am

These two rules (one for TCP and one for UDP) are redirecting any traffic to port 53 to port 53 at 192.168.88.1, which is presumably the DNS service on the RouterOS system.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: DNS redirect

Thu Jun 07, 2012 4:45 am

I need a more technical answer. I understand how dst-nat works. I don't understand the traffic flow at all; port forward redirects to another server on an incoming request.

This rule seems to do the same. I'm sorry, I need a better answer.
 
littlebill
Member Candidate
Topic Author
Posts: 234
Joined: Sat Apr 30, 2011 3:11 am

Re: DNS redirect

Thu Jun 07, 2012 4:47 am

> These two rules (one for TCP and one for UDP) are redirecting any traffic to port 53 to port 53 at 192.168.88.1, which is presumably the DNS service on the RouterOS system.

I get that it is redirecting, but how the hell is the client getting a reply from the DNS server? I could understand if it was a forward which pointed the request to a different server. But we are not doing that.
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: DNS redirect

Thu Jun 07, 2012 5:07 am

The client gets a reply via the opened connection; it is just that 192.168.88.1 is servicing it.
 
bitsmt
just joined
Posts: 10
Joined: Tue Jun 05, 2012 9:04 pm

Re: DNS redirect

Thu Jun 07, 2012 5:19 am

> I don't understand this rule.
> In /ip firewall filter nat:
>
> add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
> add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53

Is this what happens when you select the option to allow DNS access from the outside world? I've seen an option when using Winbox (it is a check box).
 
tjc
Member Candidate
Posts: 276
Joined: Sun Jul 10, 2011 3:08 am

Re: DNS redirect

Sat Jun 09, 2012 7:29 pm

Those rules force all DNS requests to use the router's DNS server.

The rules read: for any specified destination address with destination port 53 (DNS), either TCP or UDP, redirect the request to 192.168.88.1 port 53 (DNS).

Since 192.168.88.1 is the router's default internal LAN address (vs. the external one it gets from the upstream feed via DHCP or static config), this is probably just intended for requests from the LAN side.
 
Devil
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: DNS redirect

Sun Jun 10, 2012 11:45 am

> I need a more technical answer. I understand how dst-nat works. I don't understand the traffic flow at all; port forward redirects to another server on an incoming request.
>
> This rule seems to do the same. I'm sorry, I need a better answer.

You just answered your own question. You need to take a look at Packet Flow. In short, destination NAT is applied before the routing decision. The routing facility or firewall gets the packets after destination NAT has been applied. As far as they are concerned, they are getting the original packets, so they act accordingly.
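The flow the thread is circling around (dst-nat in prerouting, then the routing decision, then connection tracking un-translating the reply so the client sees it come from the address it originally asked) is easiest to see in a small model. The following is an added example written for this thread, not RouterOS code or anything from the original posts: it is a toy router that applies the two rules quoted above, routes the translated packet to the local DNS service, and reverses the translation on the reply. The client address 192.168.88.10, the upstream resolver 8.8.8.8, the interface name `bridge-local` and the optional `lan_only` switch (modelling an `in-interface` match, which the thread's rules do not have) are all assumptions of the example.

```python
"""Toy model of the RouterOS packet flow behind the thread's dst-nat DNS rules.

Added example, not RouterOS code. Addresses, ports and the interface name are
constructed for illustration; matching is simplified to protocol + dst-port.
"""
from dataclasses import dataclass, replace

ROUTER_LAN_IP = "192.168.88.1"   # to-addresses in the thread's rules
LAN_IFACE = "bridge-local"       # assumption: name of the LAN-side interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    in_iface: str = ""


# The two rules from the thread, one for TCP and one for UDP.
DSTNAT_RULES = [
    {"protocol": "tcp", "dst-port": 53, "to-addresses": ROUTER_LAN_IP, "to-ports": 53},
    {"protocol": "udp", "dst-port": 53, "to-addresses": ROUTER_LAN_IP, "to-ports": 53},
]


class Router:
    def __init__(self, rules, lan_only=False):
        self.rules = rules
        # lan_only models adding in-interface=<LAN> to the rules (assumption,
        # not part of the thread's rules) so WAN-side port-53 traffic is untouched.
        self.lan_only = lan_only
        # Connection tracking: translated 5-tuple -> (original dst, original dport)
        self.conntrack = {}

    def _dstnat(self, pkt):
        """Prerouting dst-nat: rewrites the destination BEFORE routing sees the packet."""
        for rule in self.rules:
            if pkt.proto != rule["protocol"] or pkt.dport != rule["dst-port"]:
                continue
            if self.lan_only and pkt.in_iface != LAN_IFACE:
                continue
            return replace(pkt, dst=rule["to-addresses"], dport=rule["to-ports"])
        return pkt

    def _route(self, pkt):
        """Routing decision on the already-translated packet (input vs. forward)."""
        return "local" if pkt.dst == ROUTER_LAN_IP else "forward"

    def handle_request(self, pkt):
        translated = self._dstnat(pkt)
        key = (translated.src, translated.sport, translated.dst, translated.dport, translated.proto)
        self.conntrack[key] = (pkt.dst, pkt.dport)   # remember what the client asked for
        return translated, self._route(translated)

    def handle_reply(self, reply):
        """Reply leaving the router: conntrack puts the original destination back as the source."""
        key = (reply.dst, reply.dport, reply.src, reply.sport, reply.proto)
        orig_dst, orig_dport = self.conntrack[key]
        return replace(reply, src=orig_dst, sport=orig_dport)


def simulate_dns_query(lan_only=False, in_iface=LAN_IFACE):
    """One UDP DNS query from a LAN client aimed at 8.8.8.8 (constructed sample traffic)."""
    router = Router(DSTNAT_RULES, lan_only=lan_only)
    query = Packet("192.168.88.10", 51000, "8.8.8.8", 53, "udp", in_iface)
    translated, decision = router.handle_request(query)
    if decision != "local":
        # Not redirected: the packet is forwarded to 8.8.8.8 as the client intended.
        return {"decision": decision, "reply_src": None, "reply_sport": None}
    # The router's own DNS service answers from 192.168.88.1:53 ...
    reply = Packet(translated.dst, translated.dport, translated.src, translated.sport, "udp")
    # ... and conntrack rewrites it so the client sees the answer come from 8.8.8.8:53.
    seen_by_client = router.handle_reply(reply)
    return {"decision": decision, "reply_src": seen_by_client.src, "reply_sport": seen_by_client.sport}


if __name__ == "__main__":
    print("LAN client, rules as posted:", simulate_dns_query())
    print("WAN-side packet, rules restricted to LAN:",
          simulate_dns_query(lan_only=True, in_iface="ether1-gateway"))
```

The first call shows why the client never notices anything: the query it sent to 8.8.8.8 is answered locally, but the reply it receives carries 8.8.8.8:53 as its source, because connection tracking reverses the dst-nat on the way back. The second call illustrates tjc's point that the rules as written match any port-53 traffic regardless of where it enters; restricting them with an `in-interface` match (modelled here by `lan_only`) keeps the redirect to LAN clients only.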
