DNS issue open port 53 udp

cyberurmel
Level 1

Hi guys,

I have an issue with my config and probably don't understand the whole thing right. Perhaps someone is able to open my eyes. Thanks in advance:

So what exactly is the issue?

I have a 2821 router and the firewall is active. Also I have an ACL for outgoing traffic on the Dialer interface, "ip access-group 200 in", where I allow

access-list 200 permit udp any eq domain any

and also "ip inspect Firewall out" for tcp, udp, ftp.

OK. Everything works fine as I have "ip dns server" globally enabled (like a proxy for my internal net).

But now the issue seems to be that my port 53 UDP is open and everyone (the ISP said this) could use this DNS for some attacks and so on.

If I disable the DNS service, my internal network is not able to resolve anymore, which sucks.

So how should it work so that everything which needs to go out works, but in general port 53 UDP is closed from outside?

thanks for help


The ACL line you mention is for allowing return traffic for queries that are initiated from inside. This line also allows DNS queries from the internet into your network/to your router. But as you are running a stateful firewall (ip inspect), you don't need these ACL lines.

Can you show your complete dialer and ACL/inspect config so we can decide how to optimize it?

Hello Karsten,

thanks.. here we go: Meanwhile I read about DNS view groups and implemented that, but that was after writing here and testing. Port 53 UDP is still open. That's what I want to stop: nothing should be open for anyone outside.

greets

ip inspect name xx tcp
ip inspect name xx udp
ip inspect name xx ftp

interface Dialer0
 description VDSL Einwahl Interface
 ip address negotiated
 ip access-group 200 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect xx out
 ip dns view-group dv1_secure-dns-proxy
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no keepalive
login isp data
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable

Extended IP access list 200
    10 permit icmp any any administratively-prohibited
    20 permit icmp any any echo-reply
    30 permit icmp any any packet-too-big
    40 permit icmp any any time-exceeded
    50 permit icmp any any unreachable
    60 permit udp any eq domain any
    65 permit tcp any eq domain any
    70 permit udp any eq 5060 any
    79 permit udp host 130.149.17.8 eq ntp any
    80 permit udp host 192.53.103.104 eq ntp any
    90 permit igmp host IPTV any
    100 permit icmp host IPTV  any
    110 permit igmp any 224.0.0.0 15.255.255.255
    120 permit udp any gt 40000 any
    130 deny ip any any (1845 matches)

OK, here are some changes to the firewall setup:

ip inspect name xx tcp router-traffic
ip inspect name xx udp router-traffic
ip inspect name xx icmp router-traffic
ip inspect name xx ftp

With that you also inspect ICMP (for pinging) and inspect traffic that is router-generated. With that you can remove the following lines from ACL 200:

    20 permit icmp any any echo-reply 
    60 permit udp any eq domain any 
    65 permit tcp any eq domain any
    70 permit udp any eq 5060 any 
    79 permit udp host 130.149.17.8 eq ntp any
    80 permit udp host 192.53.103.104 eq ntp any

And I assume that the following line can also be removed:

    120 permit udp any gt 40000 any 

Hi Karsten,

thanks a lot. I will check that, but let me ask, please, to understand:

If I change it, for example, from tcp to tcp router-traffic as you mentioned, or udp to udp router-traffic, is then really the whole traffic under inspection, or only the traffic which the router generates itself, such as a DNS request (in my case)? That's a point I haven't understood yet. Could you be so kind as to verify or explain again? The difference between

the normal ip inspect name xx tcp and:

ip inspect name xx tcp router-traffic

Thanks in advance

Regards

Cyb

ip inspect name xx tcp

The router will only inspect traffic that flows *through* the router, but not traffic that is generated by the router.

ip inspect name xx tcp router-traffic

The router will inspect both traffic that flows through the router *and* traffic that is generated by the router.

BTW: cyberurmel ... the friend of cyberwawa?

EDIT: corrected syntax ... ;-)

Hello Karsten,

thanks a lot..

but in your explanation you wrote the same syntax :) Could you be so kind as to adjust that for understanding?

That would be great..

As I changed that for udp to udp router-traffic, port 53 UDP is still open. Is this a risk for attackers, or did I do something wrong? I got a notice from the ISP about the open port 53, so I should be safe from that.

Thanks

No, sorry, cyberwawa is not known to me.

greets

Cyb

(syntax corrected)

Have you removed the ACL lines that allowed the DNS traffic in? That also needs to be done.

Hi Karsten,

thanks again. Yes, I removed everything domain-related from the ACL. Nevertheless, at this site https://support.nightlydev.org/tcp-udp-port-scan

my port 53 is open for UDP?? TCP is closed.

I am just a bit confused why....

Best Regards
Cyb

Can you show the resulting config?

And you activated your DNS view on the dialer. Typically these are used on the interface where the DNS query originates, which is typically a LAN interface.

Hi Karsten,

here is my config related to the topic:

ip inspect name xx tcp
ip inspect name xx udp router-traffic
ip inspect name xx ftp

interface Dialer0
 description VDSL Einwahl Interface
 ip address negotiated
 ip access-group 200 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip inspect xx out
 ip dns view-group dv1_secure-dns-proxy
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no keepalive
 login ISP
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable

access-list 200 permit icmp any any administratively-prohibited
access-list 200 permit icmp any any echo-reply
access-list 200 permit icmp any any packet-too-big
access-list 200 permit icmp any any time-exceeded
access-list 200 permit icmp any any unreachable
access-list 200 permit udp any eq 5060 any
access-list 200 permit udp host 130.149.17.8 eq ntp any
access-list 200 permit udp host 192.53.103.104 eq ntp any
access-list 200 permit igmp host 10.246.63.254 any
access-list 200 permit icmp host 10.246.63.254 any
access-list 200 permit igmp any 224.0.0.0 15.255.255.255
access-list 200 permit udp any gt 40000 any
access-list 200 deny   ip any any

What exactly do you mean with the DNS view? Do you think it's wrong on the Dialer, as it should be on the interface to my LAN?

Got another notice from the ISP about the open port 53. How can I close this for incoming requests?

Thanks a lot for your help

greets

With the stateful firewall in place you don't need the following rules any more:

access-list 200 permit icmp any any echo-reply
access-list 200 permit udp any eq 5060 any
access-list 200 permit udp host 130.149.17.8 eq ntp any
access-list 200 permit udp host 192.53.103.104 eq ntp any
access-list 200 permit igmp host 10.246.63.254 any
access-list 200 permit icmp host 10.246.63.254 any
access-list 200 permit igmp any 224.0.0.0 15.255.255.255

This one could also be related to incoming DNS, as it allows any UDP with a source port greater than 40000:

access-list 200 permit udp any gt 40000 any

Perhaps it's also this line on the dialer that causes the problem:

ip dns view-group dv1_secure-dns-proxy

I have never used it that way and assume that it could have side effects. Try removing it also.
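The two points argued in this thread, that entries matching on the source port (udp eq domain, udp gt 40000) let an unsolicited inbound DNS query reach the router, and that without the router-traffic keyword the router's own proxy lookups get no inspect session so their replies fall through to the inbound ACL, are modelled below in Python. This is an added example, not code from the thread and not Cisco code: the ACL matcher covers only the syntax ACL 200 uses, the session table is a toy stand-in for CBAC, the router and resolver addresses are constructed TEST-NET values, and the two IPTV entries are left out because their host address is a placeholder in the post.

```python
"""Toy model of this thread's dialer ACL plus 'ip inspect' outbound inspection (added example, not Cisco code)."""
from collections import namedtuple
import ipaddress

Packet = namedtuple("Packet", "proto src sport dst dport")
Entry = namedtuple("Entry", "action proto src sport dst dport raw")
PORT_NAMES = {"domain": 53, "ntp": 123}
ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTER_WAN = "198.51.100.7"  # the router's dialer address (constructed, TEST-NET)
UPSTREAM = "192.0.2.53"      # resolver the router's DNS proxy forwards to (constructed)

def _take_addr(tokens):
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'address wildcard' pair: ipaddress accepts a host mask after the slash
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def _take_port(tokens):
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        val = tokens[1]
        return (tokens[0], int(val) if val.isdigit() else PORT_NAMES[val]), tokens[2:]
    return None, tokens

def parse_entry(line):
    """Parse one numbered or 'access-list N ...' entry; trailing ICMP types are ignored."""
    tokens = line.split()
    tokens = tokens[2:] if tokens[0] == "access-list" else tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return Entry(action, proto, src, sport, dst, dport, line)

def _port_ok(test, port):
    if test is None:
        return True
    op, val = test
    return port == val if op == "eq" else port > val if op == "gt" else port < val

def matches(entry, pkt):
    return (entry.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in entry.src
            and ipaddress.ip_address(pkt.dst) in entry.dst
            and _port_ok(entry.sport, pkt.sport)
            and _port_ok(entry.dport, pkt.dport))

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends in an implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action, entry.raw
    return "deny", "implicit deny"

class StatefulFirewall:
    """Replies to inspected outbound flows are admitted before the inbound ACL.
    Without 'router-traffic', packets the router itself sends create no session."""
    def __init__(self, acl_lines, router_traffic):
        self.acl = [parse_entry(line) for line in acl_lines]
        self.router_traffic = router_traffic
        self.sessions = set()

    def outbound(self, pkt):
        if self.router_traffic or pkt.src != ROUTER_WAN:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit", "inspect session"
        return evaluate(self.acl, pkt)

# The entries of ACL 200 (as first posted) that matter for the DNS question
ACL_200 = ["20 permit icmp any any echo-reply",
           "60 permit udp any eq domain any",
           "65 permit tcp any eq domain any",
           "79 permit udp host 130.149.17.8 eq ntp any",
           "110 permit igmp any 224.0.0.0 15.255.255.255",
           "120 permit udp any gt 40000 any",
           "130 deny ip any any"]
# Karsten's trimmed version: DNS return-traffic entries and the gt-40000 entry removed
ACL_200_TRIMMED = [l for l in ACL_200 if l.split()[0] not in ("60", "65", "120")]
RESOLVER_QUERY = Packet("udp", "203.0.113.10", 45123, ROUTER_WAN, 53)  # unsolicited, high source port
SPOOFED_QUERY = Packet("udp", "203.0.113.10", 53, ROUTER_WAN, 53)      # unsolicited, source port 53
ROUTER_QUERY = Packet("udp", ROUTER_WAN, 51000, UPSTREAM, 53)           # the router's own proxy lookup
UPSTREAM_REPLY = Packet("udp", UPSTREAM, 53, ROUTER_WAN, 51000)

def scenarios():
    """{case: (verdict, matching entry)} for the cases argued in the thread."""
    original = StatefulFirewall(ACL_200, router_traffic=False)
    no_rt = StatefulFirewall(ACL_200_TRIMMED, router_traffic=False)
    with_rt = StatefulFirewall(ACL_200_TRIMMED, router_traffic=True)
    no_rt.outbound(ROUTER_QUERY)
    with_rt.outbound(ROUTER_QUERY)
    return {"unsolicited query, original ACL": original.inbound(RESOLVER_QUERY),
            "source-port-53 query, original ACL": original.inbound(SPOOFED_QUERY),
            "upstream reply, trimmed ACL, no router-traffic": no_rt.inbound(UPSTREAM_REPLY),
            "upstream reply, trimmed ACL, udp router-traffic": with_rt.inbound(UPSTREAM_REPLY),
            "unsolicited query, trimmed ACL": with_rt.inbound(RESOLVER_QUERY)}
```

Calling scenarios() shows the unsolicited query admitted by entry 120 (a real resolver queries from a high port) and the spoofed one by entry 60, the upstream reply dropped by the final deny when the router's own traffic is not inspected, and both problems gone once the three entries are removed and udp router-traffic is on. The model does not say anything about whether the router's DNS service itself is listening; it only decides what the dialer lets through.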

Hi Karsten,

I deleted everything relevant now: the DNS view on the dialer and almost everything in my ACL 200.

But when testing port 53 UDP:

53/udp open|filtered domain

how can I be 100% sure that the DNS is not responding to requests from outside?? I don't want to get letters from lawyers that my IP is responsible for DDoS or something like that.

Thanks a lot for your help.

greets
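The open|filtered result above is what a UDP port scan reports whenever nothing answers the probe, because UDP has no "closed" signal unless the target sends an ICMP unreachable (which this dialer suppresses with no ip unreachables). A definitive check is to send a real DNS query to the WAN address from a host outside the network and see whether a response with the RA (recursion available) bit comes back. The script below does that; it is an added example, not part of the thread and not a Cisco tool. The query name, the transaction IDs, and the sample replies used in the notes are constructed for the example.

```python
"""Active check for a DNS responder on UDP/53 (added example, not from the thread)."""
import os
import socket
import struct

DNS_PORT = 53
RD, QR, RA = 0x0100, 0x8000, 0x0080   # header flag bits (RFC 1035 section 4.1.1)

def build_query(name, qtype=1, txid=None):
    """Return (txid, wire bytes) for a standard query with recursion desired."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # random ID, as a resolver would use
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)  # QDCOUNT=1, AN/NS/AR=0
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QTYPE A, QCLASS IN

def parse_response(data, expected_txid):
    """Decode the header of a reply; raise if it is not a response to our query."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & QR:
        raise ValueError("QR bit clear: not a response")
    return {"rcode": flags & 0x000F,
            "recursion_available": bool(flags & RA),
            "answers": ancount}

def verdict(result):
    """Turn a parsed header (or None for a timeout) into a one-line finding."""
    if result is None:
        return "no reply: query dropped or filtered (a UDP scan shows this as open|filtered)"
    if result["recursion_available"] and result["rcode"] == 0:
        return "open resolver: responded with recursion available"
    return "responder present but not recursing for us (rcode %d)" % result["rcode"]

def probe(host, name="example.com.", timeout=3.0):
    """Send one recursive query to host:53; return the parsed header or None on timeout."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, DNS_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)

if __name__ == "__main__":
    import sys
    # run from a host outside the network: python3 dnsprobe.py <router WAN address>
    print(verdict(probe(sys.argv[1])))
```

Run it from outside (a mobile connection or a remote VPS, not from the LAN, where the proxy is supposed to answer). A timeout on every attempt means the dialer ACL is dropping the query; any reply at all means the router's DNS service is still reachable, and a reply with RA set and rcode 0 is exactly what an amplification attacker wants to see. The checks on the transaction ID and the QR bit keep stray or spoofed datagrams from being misread as a reply.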
