User misconfiguration keeps port 53 open on the wan interface

fkl7834456 · January 24, 2023, 12:05pm

tcp (my ip given by ISP:53) 0.0.0.0 Listen
3434/dnsmasq

fkl7834456 · January 24, 2023, 12:07pm

installed luci-app-https-dns-proxy package

frollic · January 24, 2023, 12:08pm

there's already something listening on port 53, including the wan interface, https-dns-proxy or not.

post a screen shot from lanspy.

fkl7834456 · January 24, 2023, 12:09pm

https-dns-proxy

fkl7834456 · January 24, 2023, 12:22pm

LanSpy utility may be 18 years old, but simple and effective

fkl7834456 · January 24, 2023, 12:25pm

before I had a router behind a router and I didn’t pay attention to it, now I decided to leave one router with openwrt firmware and of course I scanned it just in case and found an open 53 tcp port, now I’m thinking how to close it, but nothing happens, I decided ask here

trendy · January 24, 2023, 12:34pm

That's not https dns proxy, it's dnsmasq. And it's weird that it's only TCP.
Anyway this should be blocked already on the firewall, so you accidentally opened it to the internet.

frollic · January 24, 2023, 12:35pm

unless it produces false positives ...

post your /etc/config/firewall

fkl7834456 · January 24, 2023, 12:42pm

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option family 'ipv4'
list network 'lan'
list network 'lan2'
option masq '1'
option mtu_fix '1'

config zone
option name 'wan'
option output 'ACCEPT'
option family 'ipv4'
option input 'REJECT'
option forward 'REJECT'
list network 'wan'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

fkl7834456 · January 24, 2023, 12:44pm

when removing or disabling the https-dns-proxy service, the port is closed, it is 100% it opens this port

frollic · January 24, 2023, 12:45pm

by default, https-dns-proxy isn't even listening on port 53, dnsmasq is ...

was that all the FW rules you had ?

fkl7834456 · January 24, 2023, 12:50pm

I realized that this is my cant, I opened nat and registered the left ip address, turned it off and everything was fine !
frollic, trendy Thanks for the idea !!

fkl7834456 · January 24, 2023, 12:55pm

I fought for two days and could not understand what's what :))

fkl7834456 · January 24, 2023, 6:27pm

It was possible to close the ports on only one router, I just did not understand how I did it, but on the other two routers it does not work. I put specially official firmware. Checked. By default, tcp ports 22, 53, 80, 443 are open, and open udp ports are 40380.
tcp port 53 using dnsmasq
So far, I have tcp 53 and 40 thousand udp ports open.
I want them all closed for safety.
You are cunning that by default all ports are closed, reproaching me for the fact that this is supposedly an ancient utility that I use to scan. For me, LanSpy is the best utility ever.

I don’t want to put the second router with official firmware from tp-link back, I had it first for security and there were 0 open ports and I configured it so that it was simply impossible to access it in any way from outside.

fkl7834456 · January 24, 2023, 6:31pm

That's right, you said it's dnsmasq.
I have 2 more routers and so far I can’t close this enemy port))

lleachii · January 24, 2023, 6:53pm

The question was: where did you initiate the LANSpy scan?

(Not where you believe the port is open.)

It seems you may be testing from LAN (i.e. using LAN firewall rules), can you confirm that you're not and testing from WAN?
That port is not open by default, did you edit your firewall?
The firewall you posted seems incomplete - but nothing seems open

That seems quite false regarding 40,000 UDP ports. Additionally, most scanners cannot inform you about UDP. I think you are misunderstanding the results.

rhester72 · January 24, 2023, 6:55pm

I think you are mistaking the results of an internal (from another internal device) and external scan.

Unless you have DNS services completely disabled, of course port 53 will be open internally - it has to be. It is the default firewall settings that prevent access to any ports externally.

There is no way to do an external scan from an internal device. You have to either use a web-based service or tether a computer to a hotspot and scan.

fkl7834456 · January 24, 2023, 7:51pm

Let's not argue, you have your imposed opinion, I have mine. Check easily open wan ports from lan using this utility that I wrote, you probably didn’t even use it in your life and don’t know how to configure it, by default, the utility settings will naturally show nothing, especially since I specifically checked the tcp port from a different provider 53 open

fkl7834456 · January 24, 2023, 7:53pm

I just closed all the udp ports, there is only one last tcp 53 left, so far I don’t know how to close it. That seems incredible to you, it just seems to you and nothing more, but I always look the truth in the eye

lleachii · January 24, 2023, 7:57pm

How, I'm curious - as you had no ports open in your firewall.
- I would simply suggest doing the same thing for TCP 53
Also, what server did you have running to answer 40,000 ports - you never told us?

Perhaps you should disable that service - instead of trying to close ports.

Lastly, you still failed to answer the question.

You were told by 3 posters that you can't test WAN from LAN in this manner
Yep, I surmised you're testing form LAN - thanks for verifying

Since you don't understand/agree with/believe us that testing WAN from the LAN won't provide accurate results - I'm not sure how the community can help you.