11-13-2025 12:40 PM
Hello,
I have encountered an issue with two routers showing UDP port 53 (DNS) open on their outside interfaces and I cannot determine why.
Devices and Software Versions:
Cisco ISR4431/K9 – IOS XE 16.09.07
Cisco ASR1001-X – IOS XE 16.09.08
Symptoms:
When I scan the outside interface IPs from an external IP, UDP port 53 appears open and I can even send DNS queries that get responses.
When I scan the same interface IPs from an internal IP, UDP port 53 appears closed.
There is no configuration on the routers referencing DNS services or port 53.
The command show ip sockets does not list any process bound to port 53.
I have disabled DNS lookup using no ip domain-lookup.
I also tried applying Control Plane Policing (CoPP) to block UDP/53 traffic, but the restriction had no effect; the port remains open externally.
What I have tried:
Verified running-config for any DNS-related features (none found).
Checked NAT rules (nothing referencing UDP/53).
Confirmed no DNS server or forwarding configuration.
Applied control-plane protection; still open externally.
It seems like the routers are responding to DNS requests even though no DNS service is configured or visible.
Has anyone seen similar behavior on IOS XE 16.09.x or have any insight into what could be causing UDP/53 to appear open externally? Could this be related to a system-level process or bug in this software train?
Any guidance or suggestions would be greatly appreciated.
Thanks in advance
11-20-2025 12:49 AM
After further investigation, I can confirm that there was no issue with the routers themselves. Neither the ISR4431 nor the ASR1001-X had UDP port 53 or any DNS service open.
The behavior I was seeing was caused by my ISP, Comcast, intercepting traffic on UDP port 53 across all IPs, active or inactive, and responding to it, marking the port as open. This made it appear as though the routers were exposing the port, but in reality, the routers were secure and not responding to DNS queries.
This clarifies the situation and confirms that no changes or fixes are needed on the routers themselves.
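The check that separates the two explanations above is a control probe: send the same DNS query to an unassigned address in your own block and see whether it also "answers". This is an added example, not code from the thread; the addresses in the `__main__` block are documentation placeholders to be replaced with your own outside-interface IP and an unassigned IP you own.

```python
import random
import socket
import struct

def build_query(qname, txid):
    """Build a minimal RFC 1035 DNS A/IN query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + wire_name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data, expected_txid):
    """Return the reply header fields needed to judge the responder, or None if malformed."""
    if len(data) < 12:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid_ok": txid == expected_txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "answers": an,
    }

def probe(ip, qname="example.com", timeout=2.0):
    """Send one query to ip:53/udp and return the parsed header, or None on timeout."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, txid), (ip, 53))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return None
    finally:
        sock.close()
    return parse_header(data, txid)

def classify(router_reply, control_reply):
    """Interpret the router probe in light of a control probe to an unassigned address you own."""
    if router_reply is None or not router_reply["is_response"]:
        return "closed-or-filtered"
    if control_reply is not None and control_reply["is_response"]:
        # An address with nothing on it cannot answer; something upstream answers for the whole block.
        return "upstream-interception"
    return "router-answering"

if __name__ == "__main__":
    # Placeholders (TEST-NET-3): your outside interface IP, then an unassigned IP in the same block.
    print(classify(probe("203.0.113.1"), probe("203.0.113.2")))
```

Run the script from an external vantage point, since from inside the network the query never crosses the ISP's interception path and the port will look closed either way.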
11-13-2025 05:10 PM
The DNS Application Level Gateway (DNS ALG) may be configured in your NAT settings.
I would check with show running-config | include ip nat service dns. This should output information regarding whether the DNS ALG service is enabled for NAT.
11-13-2025 11:08 PM
Only this one line appears in the config, and that too is used in a DHCP pool:
show running-config | include dns
dns-server 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1