Problem
There are some outgoing TCP DNS requests from my Ubuntu server that I can't get resolved by Unbound on 127.0.0.1:53 (which uses 208.67.222.222 to resolve everything), and I see those TCP DNS packets finally going from my public IP address to well-known DNS servers such as 8.8.8.8 and 1.1.1.1.
What I have done
ipset -N myipset iphash
ipset -A myipset 127.0.0.1
ipset -A myipset 208.67.222.222
iptables -t nat -D OUTPUT -m udp -p udp --dport 53 -m set ! --match-set myipset -j DNAT --to 127.0.0.1:53
iptables -t nat -D OUTPUT -m tcp -p tcp --dport 53 -m set ! --match-set myipset -j DNAT --to 127.0.0.1:53
I used OUTPUT because I believe PREROUTING doesn't affect them, as they are locally generated, and I want to redirect them before they are sent out. But when I run these commands, DNS for those TCP packets simply doesn't work, while dnslookup -vc using Unbound works.
My question
Should I do something special for these rules to work? Did I miss something? Maybe some more sysctl.conf settings?
/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.all.route_localnet = 1
net.ipv4.conf.ens3.route_localnet = 1
/etc/unbound/unbound.conf
server:
    port: 53
    cache-min-ttl: 600
    rrset-cache-size: 64m
    msg-cache-size: 32m
    prefetch: yes
    serve-expired: yes
    serve-expired-ttl: 86400
    do-not-query-localhost: no
    tcp-upstream: yes
    outgoing-num-tcp: 2000
    incoming-num-tcp: 2000
remote-control:
    control-enable: yes
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
Unbound is running on both TCP and UDP ports 53.
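An added example, not part of the question above: a small audit of the nat OUTPUT chain that reports which DNS protocols (tcp/udp) are not forced to the local resolver, run over a constructed `iptables-save -t nat` dump. It assumes the rules were installed with `-A` and that the set match carries the `dst` flag iptables-save prints; the sample dump deliberately contains only the UDP rule so the TCP gap shows up.

```python
import re

# Constructed sample of `iptables-save -t nat` output (assumption: rules added with -A).
# Only the UDP rule is present, mirroring a setup where TCP DNS can still escape.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -m set ! --match-set myipset dst -j DNAT --to-destination 127.0.0.1:53
COMMIT
"""

# One rule per line; the negated set match is optional so rules without it are still parsed
# (they would also loop Unbound's own upstream queries back to itself, hence the "!" matters).
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>tcp|udp) .*?--dport (?P<dport>\d+)"
    r"(?: -m set (?P<neg>! )?--match-set (?P<set>\S+)(?: [a-z,]+)?)?"
    r".*? -j (?P<target>\S+)(?: --to-destination (?P<to>\S+))?"
)


def parse_nat_rules(dump):
    """Return a list of dicts, one per parsed -A rule in the dump."""
    return [m.groupdict() for m in map(RULE_RE.match, dump.splitlines()) if m]


def dns_pin_gaps(dump, resolver="127.0.0.1:53", setname="myipset"):
    """Protocols whose locally generated port-53 traffic is NOT DNAT'd to the resolver.

    A rule only counts if it lives in OUTPUT, targets DNAT to the expected resolver,
    and exempts the allow-listed set with a negated match (so the resolver's own
    upstream traffic to the set members is left alone).
    """
    covered = set()
    for r in parse_nat_rules(dump):
        if (r["chain"] == "OUTPUT" and r["dport"] == "53" and r["target"] == "DNAT"
                and r["to"] == resolver and r["set"] == setname and r["neg"]):
            covered.add(r["proto"])
    return sorted({"tcp", "udp"} - covered)


if __name__ == "__main__":
    print("unpinned DNS protocols:", dns_pin_gaps(SAMPLE_NAT))  # ['tcp']
```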