Close DNS 53 on LAN

deanfourie · August 5, 2022, 10:57am

Well, the query was made on the client using the AP 172.16.101.3 as the server.

deanfourie · August 5, 2022, 10:58am

So its like

Hey AP im laptop can I know where google.com is
AP, yea sure its at 1.2.3.4

where it should be

Hey AP im laptop can I know where google.com is.
AP, ahhh what do you mean Im not a DNS server man!

harrydg · August 5, 2022, 11:29am

Is your AP running openwrt and playing DHCP server? Do you want that? It looks like it, because who else would give the AP IP as a DNS server...

deanfourie · August 5, 2022, 11:30am

ahhh, someone malicious

In fact this is exactly how DNS amplification attacks work for just one small example.

I can think of about 100 more

harrydg · August 5, 2022, 11:53am

Whooow... I must have missed something here. I dont get your logic here, but i'm pretty sure its wrong. (And as previous "offensive security guy", i think i know a little bit about the subject).

So i will stop the discussion as i think there is way too much misunderstanding and misinformation to even begin debunking myths

dave14305 · August 5, 2022, 12:15pm

This was the result of nmap scan against the OpenWrt AP IP? Where is Ubuntu in your network?

mk24 · August 5, 2022, 12:58pm

A dumb AP must not run a DHCP server, because it will also incorrectly advertise itself as the default gateway instead of the network's main router.

The simple answer here (as the OP's title of the thread suggests) is to firewall block LAN input to port 53, or really block all ports except 22 and / or 80. The only reason a dumb AP holds an IP on the LAN is so that an administrator can log into it. The dumb AP does not route anything from clients, it bridges at layer 2. The Windows PC need not even be aware that there is a device at x.x.x.3. The PC would then use the main router for DNS, or some external DNS that may be configured into its OS.

harrydg · August 5, 2022, 6:07pm

I may have not been constructive and i want to help here...

I think there is a lot of misunderstanding in this conversation and it should be cleared out, but clearly a public forum doesnt fit this use case. So if you want, you can send me a PM and i will give you my phone number so we can have a realtime chat and i will try to help you find a solution to your problem.

Once this has taken place, we should share results with the community. (Fyi, i'm Belgian, just to manage timing/location issues)

deanfourie · August 6, 2022, 2:00pm

I might talk your ear off