Close DNS 53 on LAN

So I have stopped and disabled dnsmasq and yet still, every time the device has internet (in my case a Ubiquiti AP AC LR) I find port 53 opens again regardless of whether dnsmasq is running or not.

I do not want this device to have the capability to do DNS queries. How can I CLOSE DNS port 53 on ALL interfaces?

Thank you!

What kind of device?

Android uses DoT, browsers use DoH, some devices and apps have DNS IPs hardcoded.


As previously stated, it's a Unify AP AC LR.

I want to disable DNS on the wifi ap completely.

Do you have lsof installed?
If so: lsof -i :53
That tells you which program binds on port 53, UDP and TCP if I remember correctly.

The message is written so it can be interpreted as there's a 2nd device connecting to the Unify.

Anyway, remove the upstream DNS entries for it? Or provide bogus IPs.
What does /etc/resolv.conf contain?

The local dnsmasq isn't really required for the DNS work of the device itself.

On default OpenWrt install, dnsmasq is the sole service binding to port 53. If it is indeed stopped and disabled, nothing should bind to it anymore.

Also please define "open". Does it reply to DNS queries or is nmap reporting "filtered"?

Edit: hmm, you wrote "I do not want this device to have the capability to do DNS queries". Does that mean you don't want the device (OpenWrt) itself to be able to do DNS queries? In this case disabling dnsmasq is not needed. Just set option peerdns 0 on your WAN interface. This should prevent the system from acquiring a valid DNS server entry.


Ok, sorry, there is one other client connecting to it, and I am running nmap and using nslookup to confirm it is resolving hostnames.

Also, I have removed the upstream DNS entries; same thing.

lsof: not found

You do need to be more precise I'm afraid. What is "it"? The OpenWrt access point or the client device? Where do you run nmap? On OpenWrt or on the client device? Who should be unable to resolve DNS? OpenWrt or the client device?

I don't want the AP to be resolving DNS queries.

The DNS server should be pushed down by my DHCP, and that is the ONLY DNS server that should be used.

I am running an nmap scan against the AP from a client device connected to it, and it says that port 53 is open on the AP.

Then please run netstat -nltup | grep :53 on the AP to see which service is binding to port 53.
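As an added example (not code from this thread), here is a small sh script for an OpenWrt AP that combines the two checks suggested above (is anything on the AP bound to port 53, and is peerdns set on the WAN interface) with the configuration that closes DNS on the AP: peerdns 0, dnsmasq stopped and disabled, and a firewall rule rejecting 53/tcp and 53/udp sent to the AP itself from the lan zone. The interface name wan, the zone name lan and the rule name no_ap_dns are assumptions; adjust them to your own config. Comparing the listener list with what nmap reports from a client tells you whether the answering service actually runs on the AP.

```shell
#!/bin/sh
# Added example (not from the thread): audit and close port 53 on an OpenWrt AP.
# Assumptions: OpenWrt with busybox netstat, uci and the fw3/fw4 firewall;
# interface "wan", zone "lan" and rule section "no_ap_dns" are defaults/guesses.

# Print "proto local_address pid/program" for every socket on port 53.
# Reads `netstat -nltup` output from stdin so it can be run on a captured
# sample; busybox netstat prints the PID/Program column last, and the
# header line has "Address" in column 4 so it never matches.
port53_listeners() {
    awk '$4 ~ /:53$/ { print $1, $4, $NF }'
}

# Current value of option peerdns on the WAN interface. OpenWrt accepts
# DHCP-supplied resolvers when the option is unset, so report "1" then.
wan_peerdns() {
    v=$(uci -q get network.wan.peerdns) || v=1
    echo "${v:-1}"
}

# Stop the AP from acquiring an upstream resolver, stop the local
# resolver, and reject DNS addressed to the AP itself from the lan zone.
# Note: if dnsmasq also serves DHCP on this box, stopping it removes DHCP.
close_dns() {
    uci set network.wan.peerdns='0'
    uci commit network

    uci -q delete firewall.no_ap_dns
    uci set firewall.no_ap_dns=rule
    uci set firewall.no_ap_dns.name='Reject-DNS-to-AP'
    uci set firewall.no_ap_dns.src='lan'
    uci set firewall.no_ap_dns.proto='tcp udp'
    uci set firewall.no_ap_dns.dest_port='53'
    uci set firewall.no_ap_dns.target='REJECT'
    uci commit firewall

    /etc/init.d/dnsmasq stop
    /etc/init.d/dnsmasq disable
    /etc/init.d/network reload
    /etc/init.d/firewall restart
}

# Stand-alone use on the AP: "audit" shows the state, "apply" changes it.
if [ "${1:-}" = "audit" ]; then
    echo "peerdns on wan: $(wan_peerdns)"
    echo "sockets on :53 (proto local pid/program):"
    netstat -nltup 2>/dev/null | port53_listeners
elif [ "${1:-}" = "apply" ]; then
    close_dns
fi
```

Run it as sh close-dns.sh audit first and sh close-dns.sh apply once you are sure the AP is not the DHCP server. Because the rule uses REJECT rather than DROP, a client scanning the AP should then see port 53 as closed instead of filtered, which is the distinction asked about above; a rule with no dest option applies to traffic to the router itself, which is exactly the AP-as-resolver case.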

Ok that returned nothing, but I can still do resolutions using nslookup

Post your nslookup result from the client, querying the Ubiquiti.

C:\Users\Dean>nslookup
Default Server: UnKnown
Address: 172.16.100.1

server 172.16.101.3
Default Server: [172.16.101.3]
Address: 172.16.101.3

google.com
Server: [172.16.101.3]
Address: 172.16.101.3

Non-authoritative answer:
Name: google.com
Addresses: 2404:6800:4003:c03::71
2404:6800:4003:c03::64
2404:6800:4003:c03::65
2404:6800:4003:c03::8a
74.125.24.101
74.125.24.102
74.125.24.113
74.125.24.138
74.125.24.139
74.125.24.100

Seems you cut out some of the nslookup command?

It is the local IP of the Ubiquiti.

Not shown: 877 closed tcp ports (reset), 119 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd (protocol 2.0)
53/tcp open  domain  ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu

I should answer using a laptop, that would be easier... But let's get a few things straight. DNS info gets pushed by the DHCP server (or configured manually).
This means your DNS IP is given to the client. You can then decide if you want to run one yourself, or just use a public one from your ISP, Google, Cloudflare, ...
A client will send requests to the DNS server it got from DHCP or manually entered. No binding/blabla required.
If you do not want a device to be able to do DNS lookups, don't give it a DNS server (explained above). If, however, the client has its own DNS config, remove that. If you can't, you can use OpenWrt to block those requests. If, however, that client uses DNS over HTTPS and/or TCP, you will have to block that too.

But then my more fundamental question: why would you want to (only?) block DNS traffic?

Was the query made on the Ubiquiti, or the client?

I'm trying to block the AP itself from performing DNS queries. Meaning that all DNS queries are handled by the appropriate DNS server, in this case my router.

Therefore, if someone tries to use my AP 172.16.101.3 as a DNS server, it will fail as the device is not capable of resolving DNS queries.