Quickstart: Private DNS Behind Routing Peers

If your DNS server is on a private network accessible only through a routing peer, you need to set up network routes and access control in addition to the nameserver configuration.

Scenario

You have:

  • DNS server: 192.168.0.32:53 on a private network
  • Routing peer: Can reach the 192.168.0.0/24 network
  • User peers: Need to query this DNS through the routing peer

Setup Steps

Step 1: Configure the Nameserver

Create a nameserver pointing to your private DNS:

  • DNS > Nameservers > Add nameserver > Custom DNS
  • IP: 192.168.0.32
  • Port: 53
  • Distribution groups: Your user peer groups (e.g., "Remote Developers")

Step 2: Create a Network Route

Set up a NetBird Network so clients can reach the DNS server:

  • Networks > Add network
  • Network: e.g. "Office Network"
  • Add Resource: 192.168.0.32/32
  • Distribution groups: Internal DNS
  • Routing peer: The always-on peer that can access this network

Step 3: Configure Access Control

Create an access control rule allowing DNS traffic:

  • Source: User groups (e.g., "Remote Developers")
  • Destination: Internal DNS (the resource group)
  • Protocol: UDP
  • Port: 53
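
To confirm the three steps from a user peer, the added example below (not NetBird code) sends one A query to the scenario's 192.168.0.32:53 over UDP and reports whether a reply arrived and whether it was truncated. The hostname intranet.example.internal and the fixed transaction ID are assumptions made for the demonstration.

```python
import socket
import struct

DNS_SERVER = ("192.168.0.32", 53)  # private DNS server from the scenario
TXID = 0x1234  # fixed for a repeatable check; real resolvers randomize this

def build_query(name, txid=TXID):
    """Build a minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp, txid=TXID):
    """Return (rcode, truncated, answer_count) from a DNS response."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # ID must match and QR bit must be set
        raise ValueError("not a response to our query")
    return flags & 0x000F, bool(flags & 0x0200), an

def check(name, server=DNS_SERVER, timeout=3.0):
    """Query over UDP, the protocol the Step 3 rule allows, and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(server)  # connected UDP: replies from other addresses are dropped
            s.send(build_query(name))
            resp = s.recv(4096)
        except OSError:  # timeout, unreachable network, or ICMP port unreachable
            return "no reply: check the network route, the access rule and the routing peer"
    rcode, truncated, answers = parse_header(resp)
    if truncated:
        return "truncated: the client will retry over TCP/53, which a UDP-only rule does not cover"
    return f"ok: rcode={rcode} answers={answers}"

if __name__ == "__main__":
    print(check("intranet.example.internal"))  # hypothetical internal hostname
```

Run it on a user peer in one of the source groups. A "no reply" result from a peer outside those groups is the expected outcome of the access rule.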

Technical Details

DNS Forwarder Port

This forwarder port is internal to NetBird's routing mechanism. You don't need to configure it, but you may see it in logs or network traces.

