03-24-2015 04:07 PM
I have a Cisco RV042 and need to close port 53. Can someone tell me how to do this?
03-25-2015 06:22 AM
This port should be closed by default unless you opened it.
03-25-2015 11:02 AM
Thanks, but that does not really help. My ISP has informed me that we have been hacked and that we need to close port 53. So, if you can tell me how to close it I would appreciate it.
03-27-2015 01:46 PM
I think your ISP is trying to hack you, hahaha.
What tests have you run to show that port 53 is open?
03-27-2015 02:16 PM
Haha, I had the same thought and had to make sure they really were my ISP.
Thanks for your help, here is the report they sent me:
The customers listed below have open DNS resolvers running on their devices,
and they are actively participating in a denial of service attack.
Please call or take the customers offline ASAP.
Attack summary:
2015-03-23 13:01:01 UTC mjob.net.cn 14 replies/sec 496 unique hostnames in 893 replies (%55.54 unique) to 50 clients
Attacking hosts:
184.183.21.6 2015-03-23 13:01:02 UTC mjob.net.cn
C:\WINDOWS\system32>nslookup google.com 184.183.21.6
Server: wsip-184-183-21-6.ph.ph.cox.
Address: 184.183.21.6
Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:4007:808::200e
216.58.217.206
03-27-2015 02:27 PM
I think you've got an infected system on your network. Run a port scan from https://www.grc.com/x/ne.dll?bh0bkyd2 and see if you can find anything open. If you can't, then they're wrong, but your infected system on the network may be sending out enough to be spotted by your ISP.
03-27-2015 02:40 PM
That test came up with this:
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
That said, I think we have something going on because in my DHCP status a client named DNS-325 keeps appearing. I can delete it but it comes back every day.
03-27-2015 05:31 PM
Hello,
I have had some customers who experienced this issue.
The most likely cause is that one of the PCs on your network, not the router, is infected with a virus and is generating this traffic. Since the ISP is not able to see inside your network, they are pointing to the gateway to your location, which is the router.
You don't need to block port 53 on your router, but you do need to spot which one of your computers is generating this traffic.
I would recommend downloading Avast or AVG (free) together with Malwarebytes (also free) on all the PCs in your network, and I'm positive you will find the culprit.
You can rest assured that the router itself is not generating this traffic.
Also, on your RV042 you can enable the logs by going to Log and then System Log; under Log Settings, enable all the options and save.
Give it a few minutes and then click on the View System Log button. This will show you a list of all the traffic, and then you will need to see if there is a local IP from one of the PCs on your network appearing too many times. If that is the case, then that PC will be a good starting point for you to see if it is the infected one or not.
Please let us know if this helps.
03-31-2015 08:08 AM
Thanks for all the help. We ran the Avast and Malwarebytes programs and found some problems. As usual, our ISP (Cox) doesn't really know what they are talking about.
03-31-2015 06:26 PM
Thank you so much for following my suggestion.
I'm glad that you were able to find something in your network.
Thank you for taking the time to mark the answer as correct; it helps a lot.
Let us know if you have any more questions.
03-28-2015 04:10 PM
Good, that's what I was expecting it to come back with. The dns325 is a very good clue to the source.
Remove all the LAN cables to the RV042 and clear out all DHCP addresses. Then, add the cables back one by one and refresh your DHCP list each time, checking for dns325. Once you plug in the cable that has dns325, remove it again, clear its DHCP and continue with the rest of the cables. If you don't see the dns325 again, I think you've found the culprit system. :) If you do see it again, repeat the step where you unplugged it again and skipped it.