User misconfiguration keeps port 53 open on the wan interface

tcp (my ip given by ISP:53) Listen

1 Like

installed luci-app-https-dns-proxy package

there's already something listening on port 53, including the wan interface, https-dns-proxy or not.

post a screen shot from lanspy.

1 Like


LanSpy utility may be 18 years old, but simple and effective

before I had a router behind a router and I didn’t pay attention to it, now I decided to leave one router with openwrt firmware and of course I scanned it just in case and found an open 53 tcp port, now I’m thinking how to close it, but nothing happens, I decided ask here

That's not https dns proxy, it's dnsmasq. And it's weird that it's only TCP.
Anyway this should be blocked already on the firewall, so you accidentally opened it to the internet.


unless it produces false positives ...

post your /etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option drop_invalid '1'
option flow_offloading '1'
option flow_offloading_hw '1'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option family 'ipv4'
list network 'lan'
list network 'lan2'
option masq '1'
option mtu_fix '1'

config zone
option name 'wan'
option output 'ACCEPT'
option family 'ipv4'
option input 'REJECT'
option forward 'REJECT'
list network 'wan'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

when removing or disabling the https-dns-proxy service, the port is closed, it is 100% it opens this port

by default, https-dns-proxy isn't even listening on port 53, dnsmasq is ...

was that all the FW rules you had ?

1 Like

I realized that this is my cant, I opened nat and registered the left ip address, turned it off and everything was fine !
frollic, trendy Thanks for the idea !!

I fought for two days and could not understand what's what :))

It was possible to close the ports on only one router, I just did not understand how I did it, but on the other two routers it does not work. I put specially official firmware. Checked. By default, tcp ports 22, 53, 80, 443 are open, and open udp ports are 40380.
tcp port 53 using dnsmasq
So far, I have tcp 53 and 40 thousand udp ports open.
I want them all closed for safety.
You are cunning that by default all ports are closed, reproaching me for the fact that this is supposedly an ancient utility that I use to scan. For me, LanSpy is the best utility ever.

I don’t want to put the second router with official firmware from tp-link back, I had it first for security and there were 0 open ports and I configured it so that it was simply impossible to access it in any way from outside.

That's right, you said it's dnsmasq.
I have 2 more routers and so far I can’t close this enemy port))

The question was: where did you initiate the LANSpy scan?

(Not where you believe the port is open.)

  • It seems you may be testing from LAN (i.e. using LAN firewall rules), can you confirm that you're not and testing from WAN?
  • That port is not open by default, did you edit your firewall?
  • The firewall you posted seems incomplete - but nothing seems open

That seems quite false regarding 40,000 UDP ports. Additionally, most scanners cannot inform you about UDP. I think you are misunderstanding the results.


I think you are mistaking the results of an internal (from another internal device) and external scan.

Unless you have DNS services completely disabled, of course port 53 will be open internally - it has to be. It is the default firewall settings that prevent access to any ports externally.

There is no way to do an external scan from an internal device. You have to either use a web-based service or tether a computer to a hotspot and scan.


Let's not argue, you have your imposed opinion, I have mine. Check easily open wan ports from lan using this utility that I wrote, you probably didn’t even use it in your life and don’t know how to configure it, by default, the utility settings will naturally show nothing, especially since I specifically checked the tcp port from a different provider 53 open

I just closed all the udp ports, there is only one last tcp 53 left, so far I don’t know how to close it. That seems incredible to you, it just seems to you and nothing more, but I always look the truth in the eye

  • How, I'm curious - as you had no ports open in your firewall.
    • I would simply suggest doing the same thing for TCP 53
  • Also, what server did you have running to answer 40,000 ports - you never told us?

Perhaps you should disable that service - instead of trying to close ports.

Lastly, you still failed to answer the question.

  • You were told by 3 posters that you can't test WAN from LAN in this manner
  • Yep, I surmised you're testing form LAN - thanks for verifying

:spiral_notepad: Since you don't understand/agree with/believe us that testing WAN from the LAN won't provide accurate results - I'm not sure how the community can help you.