TURN on UDP/53 fails

For Workers & Pages, what is the name of the domain?

localhost

What is the error number?

No Error Number

What is the error message?

No Error Message

What is the issue or error you’re encountering

The TURN docs say that UDP/53 can be used as an alternative port but my testing shows it doesn’t work, I’ve tried accessing from multiple networks without success.

What steps have you taken to resolve the issue?

Using UDP/3478 works successfully, but UDP/53 does not.

What are the steps to reproduce the issue?

The following code works fine, but changing the port from 3478 to 53 fails to return any ICE candidates.

// Relay-only policy: the only candidates reported come from the TURN server.
const conn = new RTCPeerConnection({
  "iceServers":[
    // Changing 3478 to 53 here produced no candidates at all.
    { urls: "turn:turn.cloudflare.com:3478?transport=udp", ...auth }
  ],
  "iceTransportPolicy": "relay"
})

conn.createDataChannel('example')
// Each gathered relay candidate is logged; a null candidate marks end of gathering.
conn.onicecandidate = (ev) => {
  console.error('candidate', ev.candidate)
}

const offer = await conn.createOffer()
await conn.setLocalDescription(offer)

Screenshot of the error

Testing from command-line:

Port 3478 (this indicates a success, the 400 is due to lack of credentials)

turnutils_uclient -p 3478 -y turn.cloudflare.com
0: (18446744073709551615): INFO: error 400 ()
0: (18446744073709551615): INFO: error 400 ()

Port 53 (this indicates a failure, the session hangs)

turnutils_uclient -p 53 -y turn.cloudflare.com
^C

I tried to reproduce your issue with Pion’s turn client turn/examples/turn-client/udp/main.go at master · pion/turn · GitHub

For port 3478 I get the following result:

./udp -host turn.cloudflare.com -port 3478 -user test=test
2024/10/29 11:22:16 Failed to allocate: Allocate error response (error 400: )
panic: Failed to allocate: Allocate error response (error 400: )

For port 53 I get the same result:

./udp -host turn.cloudflare.com -port 53 -user test=test
2024/10/29 11:23:22 Failed to allocate: Allocate error response (error 400: )
panic: Failed to allocate: Allocate error response (error 400: )

If I use for example port 80 with UDP I do get a timeout as well.

Can you verify on the wire, for example with tcpdump, that your test client actually sends TURN packets out?

For the test with the browser: which browser do you actually use?

Forget about my question regarding the browser: port 53 is blocked by at least Firefox and Chrome net/base/port_util.cc - chromium/src.git - Git at Google

But assuming your ISP isn’t blocking access to port 53 your own test executables should be able to use port 53.

Hi Nils, Thanks for your swift reply.

I’m at home now and I’ve tried again, and the issue is resolved.

So either something changed on your end or… (more likely) access to port 53 was being blocked in the cafe I was working from today.

turnutils_uclient -p 53 -y turn.cloudflare.com
0: (18446744073709551615): INFO: error 400 ()
0: (18446744073709551615): INFO: error 400 ()

and in fact it also works in Chrome & Firefox now using the connection string "turn:turn.cloudflare.com:53?transport=udp", where it didn’t before.

apologies for assuming it was on the CF end. I did try two different networks before opening the issue; apparently this is not uncommon.

yeah so… I (I guess wrongly!) assumed that:

  • port 53 would work on more networks than 3478 simply because otherwise DNS would be broken, this doesn’t seem to be true.
  • deep packet inspection is rare in places like cafes, this also doesn’t seem to be true, which is surprising.

thanks for your time

I will visit the cafe again tomorrow and post a bit more info in case other users have similar issues.

I suspect that it’s not actually doing any deep packet inspection, but instead the network admin has decided to restrict all outbound UDP/53 traffic to trusted domains in order to prevent security issues which could arise from assigning untrusted custom DNS servers.
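The diagnosis above (the network dropping UDP/53 that does not go to its own resolvers, rather than the TURN service being down) can be confirmed without a browser or a TURN library. The following Go program is an added example, not code from this thread, from Cloudflare or from the pion/turn project. It sends one credential-less TURN Allocate request to turn.cloudflare.com on 3478 and on 53 and reports what comes back: a STUN error response (the same "error 400" the thread shows from turnutils_uclient and Pion) proves the UDP path to that port is open, a read timeout means the datagram was filtered somewhere on the path, and a reply that is not STUN at all (for example a DNS answer from a transparent resolver) is reported as such. The host, ports and 3-second timeout are assumptions taken from the thread; the request contains only REQUESTED-TRANSPORT=UDP, so it cannot obtain an allocation.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

const magicCookie = 0x2112A442 // RFC 5389 STUN magic cookie

// Response is the part of a STUN/TURN reply that the probe cares about.
type Response struct {
	Class     int    // 2 = success response, 3 = error response
	Method    uint16 // 0x001 Binding, 0x003 Allocate
	ErrorCode int    // e.g. 400 or 401 for an Allocate without credentials
	Reason    string // REASON-PHRASE text, may be empty
}

// BuildAllocateRequest encodes a TURN Allocate request (RFC 5766) carrying only
// REQUESTED-TRANSPORT=UDP. No credentials are attached on purpose: the server is
// expected to reject it, and that rejection is the proof the packet got through.
func BuildAllocateRequest(txID [12]byte) []byte {
	msg := make([]byte, 28)
	binary.BigEndian.PutUint16(msg[0:2], 0x0003) // Allocate request
	binary.BigEndian.PutUint16(msg[2:4], 8)      // one 4-byte attribute plus its header
	binary.BigEndian.PutUint32(msg[4:8], magicCookie)
	copy(msg[8:20], txID[:])
	binary.BigEndian.PutUint16(msg[20:22], 0x0019) // REQUESTED-TRANSPORT
	binary.BigEndian.PutUint16(msg[22:24], 4)
	msg[24] = 17 // IPPROTO_UDP, followed by three reserved zero bytes
	return msg
}

// ParseResponse checks that payload is a STUN message answering txID and extracts
// its class, method and, for error responses, the ERROR-CODE attribute.
func ParseResponse(payload []byte, txID [12]byte) (Response, error) {
	var r Response
	if len(payload) < 20 {
		return r, errors.New("shorter than a STUN header")
	}
	if binary.BigEndian.Uint32(payload[4:8]) != magicCookie {
		return r, errors.New("magic cookie mismatch: not a STUN message")
	}
	if !bytes.Equal(payload[8:20], txID[:]) {
		return r, errors.New("transaction id mismatch")
	}
	t := binary.BigEndian.Uint16(payload[0:2])
	r.Class = int((t&0x0100)>>7 | (t&0x0010)>>4) // class bits C1 and C0
	r.Method = t&0x000F | (t&0x00E0)>>1 | (t&0x3E00)>>2
	end := 20 + int(binary.BigEndian.Uint16(payload[2:4]))
	if end > len(payload) {
		return r, errors.New("declared length exceeds datagram")
	}
	for off := 20; off+4 <= end; {
		atype := binary.BigEndian.Uint16(payload[off : off+2])
		alen := int(binary.BigEndian.Uint16(payload[off+2 : off+4]))
		if off+4+alen > end {
			return r, errors.New("attribute overruns message")
		}
		val := payload[off+4 : off+4+alen]
		if atype == 0x0009 && alen >= 4 { // ERROR-CODE: class in low 3 bits of byte 2, number in byte 3
			r.ErrorCode = int(val[2]&0x07)*100 + int(val[3])
			r.Reason = string(val[4:])
		}
		off += 4 + (alen+3)&^3 // attribute values are padded to 4-byte boundaries
	}
	return r, nil
}

// Probe sends one Allocate request to addr and reports what arrived within timeout.
func Probe(addr string, timeout time.Duration) (string, error) {
	conn, err := net.Dial("udp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	var txID [12]byte
	if _, err := rand.Read(txID[:]); err != nil {
		return "", err
	}
	if _, err := conn.Write(BuildAllocateRequest(txID)); err != nil {
		return "", err
	}
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, 1500)
	n, err := conn.Read(buf)
	if err != nil {
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			return "timeout: no STUN reply (port filtered on the path, or server unreachable)", nil
		}
		return "", err // an ICMP port-unreachable surfaces here
	}
	resp, err := ParseResponse(buf[:n], txID)
	if err != nil {
		return "", fmt.Errorf("reply from %s is not our STUN response: %w", addr, err)
	}
	return fmt.Sprintf("STUN class %d method 0x%03x error %d %q", resp.Class, resp.Method, resp.ErrorCode, resp.Reason), nil
}

func main() {
	for _, port := range []string{"3478", "53"} { // ports discussed in the thread (assumption)
		addr := "turn.cloudflare.com:" + port
		result, err := Probe(addr, 3*time.Second)
		if err != nil {
			fmt.Printf("%s: error: %v\n", addr, err)
			continue
		}
		fmt.Printf("%s: %s\n", addr, result)
	}
}
```

Run it once on a network where TURN works and once on the suspect network: an error response on 3478 next to a timeout on 53 is the signature of a port-based egress filter, which is cheaper for an operator to deploy than deep packet inspection and matches the explanation above.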
