NAT translation timeout for DNS on linux

Question

In cisco routers they seem to be able to change the NAT translation timeout for DNS separately from udp.

When port translation is configured, there is finer control over translation entry timeouts, because each entry contains more context about the traffic using it. Non-DNS UDP translations time out after 5 minutes; DNS times out in 1 minute. TCP translations time out after 24 hours, unless a RST or FIN is seen on the stream, in which case it times out in 1 minute.

from: https://community.cisco.com/t5/networking-documents/quot-ip-nat-translation-timeout-quot-command/ta-p/3137012

How can I do this on linux?

When I do sysctl net.netfilter I can find conntrack timeout viables for each protocol such as

net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 120

but I can't find any settings for DNS.

Is there a way to change the DNS conntrack timeout viable independently from other udp traffic?

---

If this is not possible by changing the conntrack settings how can I change the DNS conntrack timeout? (I just want to try this for fun no big reason) Should I write some C code to check each udp packet that goes through the NAT using netfilter and then use conntrack to add it to the table with a different timeout variable?

I'm using Ubuntu 20.04

Answer 1

I was able to change the DNS timeout by using nfct

First create a special contrack timeout policy:

sudo nfct add timeout dns-timeout-test inet udp unreplied 20 replied 20

Then refer to this policy for DNS packages:

iptables -I PREROUTING -t raw -p udp --dport 53 -j CT --timeout dns-timeout-test

Then check the DNS conntrack entry with conntrack -E Packets with dport 53 will have timeout of 20 instead of the default 30.

[NEW] udp      17 20 src=someaddress dst=someaddress sport=someport dport=53 [UNREPLIED] src=someaddress dst=someaddress sport=53 dport=someaport