Based on the picture, “Any tcp, udp, From any host in wan, To any router IP on this device” is the most likely reason for the issue. You can disable that rule, save & apply, and then check with “iptables -v -L” that the rules have disappeared from the kernel’s active firewall.
It is as you say, this day I learned something.
Thank you for your advice and patience.
Yours - 64 years old - civil engineer.
I had the same problem. My ISP (Netbox) found a security issue. The UDP port 53 on my router was open to WAN requests. But I found an easy solution.
The router includes a running Knot DNS resolver called kresd. The Foris GUI in the DNS section states:
“Router Turris uses its own DNS resolver with DNSSEC support. It is capable of working alone or it can forward your DNS queries through your internet service provider’s DNS resolver.”
I verified by SSH terminal access that the resolver daemon is listening on UDP 53:
```
root@turris_jis:~# netstat -anpu | grep :53
udp        0      0 0.0.0.0:53              0.0.0.0:*                           17108/kresd
udp        0      0 :::53                   :::*                                17108/kresd
root@turris_jis:~#
```
My task was to block access to the DNS service from the WAN interface.
I added a new firewall traffic rule at position #1 using LuCI. See screenshot:
Save and apply.
Verification by SSH:
```
root@turris_jis:~# iptables-save | grep "port 53"
-A zone_wan_input -p tcp -m tcp --dport 53 -m comment --comment "DNS IN block JiS" -j DROP
-A zone_wan_input -p udp -m udp --dport 53 -m comment --comment "DNS IN block JiS" -j DROP
root@turris_jis:~#
```
Then I asked the ISP helpdesk guy to test that my router has no open port 53 on the WAN interface. The test was successful, the DNS port is blocked. My new firewall rule works as I supposed.
You can do it yourself - test for open ports on [GRC ShieldsUp](https://www.grc.com/x/ne.dll?rh1dkyd2)
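The check above relies on reading the `iptables-save` output by eye. The following script is an added example, not code from this thread or from Turris/OpenWrt: given an `iptables-save` dump on stdin, it walks the `zone_wan_input` chain (the fw3 chain name seen in the posted output, assumed here) in rule order and reports which terminal verdict a packet to router port 53 would get. It also covers the ordering problem from the first reply: a broad "any tcp/udp from wan to the router" ACCEPT placed before the DNS DROP makes the DROP useless. Jumps to other chains are skipped, so this is a first-pass check, not a full simulation of the ruleset. The sample dumps are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the forum thread. Evaluates an iptables-save dump
# for the verdict zone_wan_input gives to a packet aimed at router port 53.
# Assumptions: fw3 chain name zone_wan_input; only terminal targets
# (ACCEPT/DROP/REJECT) are considered, jumps to other chains are ignored.

# wan_dns_verdict PROTO  (dump on stdin) -> prints ACCEPT, DROP, REJECT or NONE
wan_dns_verdict() {
    awk -v proto="$1" '
        $1 == "-A" && $2 == "zone_wan_input" {
            p = ""; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # A rule applies to our packet when its protocol is unrestricted
            # or matches, and its destination port is unrestricted or 53.
            # The first applicable terminal rule decides, as in netfilter.
            if ((p == "" || p == proto) && (dport == "" || dport == "53") &&
                (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                print target
                found = 1
                exit
            }
        }
        END { if (!found) print "NONE" }
    '
}

# wan_dns_blocked DUMP -> exit status 0 when both tcp/53 and udp/53 are dropped or rejected
wan_dns_blocked() {
    for proto in tcp udp; do
        verdict=$(printf '%s\n' "$1" | wan_dns_verdict "$proto")
        case "$verdict" in
            DROP|REJECT) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample dumps (not real captures). GOOD_DUMP mirrors the two
# rules the poster added; BAD_DUMP has a broad "any tcp/udp to the router"
# ACCEPT placed before the DNS DROP, the ordering problem from the first post.
GOOD_DUMP='-A zone_wan_input -p tcp -m tcp --dport 53 -m comment --comment "DNS IN block JiS" -j DROP
-A zone_wan_input -p udp -m udp --dport 53 -m comment --comment "DNS IN block JiS" -j DROP
-A zone_wan_input -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT'

BAD_DUMP='-A zone_wan_input -p tcp -m comment --comment "Any tcp to router" -j ACCEPT
-A zone_wan_input -p udp -m comment --comment "Any udp to router" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 53 -j DROP
-A zone_wan_input -p udp -m udp --dport 53 -j DROP'

for proto in tcp udp; do
    printf 'good dump, %s/53: %s\n' "$proto" "$(printf '%s\n' "$GOOD_DUMP" | wan_dns_verdict "$proto")"
    printf 'bad dump,  %s/53: %s\n' "$proto" "$(printf '%s\n' "$BAD_DUMP" | wan_dns_verdict "$proto")"
done
```

On a live router the same function can be fed the real ruleset with `iptables-save | wan_dns_verdict udp`; a result of ACCEPT on either protocol means an earlier rule in the WAN input zone still lets DNS through, regardless of the DROP rule being present.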
Thanks for the hint! Added this rule as well.
Yes, you are right. In normal circumstances I can make it myself.
But I could not do it, because my ISP set a new firewall rule on his (ISP) firewall immediately when he found my UDP 53 was open. DNS requests and scanning from the WAN side were in fact blocked, and I was not able to scan port 53 while the ISP FW rule was active.
Therefore I asked the ISP helpdesk to disable the ISP rule and to check my port.