Meraki

Community

Why is the WAN IP of my Meraki MX responding to DNS queries and acting as a name server?

srajiwate
Conversationalist
yesterday
yesterday

Why is the WAN IP of my Meraki MX responding to DNS queries and acting as a name server?

Why is the WAN IP of my Meraki MX responding to DNS queries and acting as a name server?

I noticed that the WAN IP configured on my Meraki MX is responding to DNS queries and appears to be acting as a name server. Is this expected behavior, and if not, how can I disable this functionality or secure it properly? Are there specific configurations or best practices to prevent this from happening?

0 Kudos
12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Yes, It is probably configured in the MX configuration to use it as a proxy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

alemabrahao_0-1734547239736.png



https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_DHCP_Serv...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
srajiwate
Conversationalist
yesterday
yesterday

I had validated this it is for inbound to outbound  access there is no issue related to this issue is from outbound to MX and MX acting as name server to respond dns query  

0 Kudos
In response to srajiwate
JonnyM
Getting noticed
yesterday
yesterday

Do you have the NAT exceptions feature enabled?

0 Kudos
In response to alemabrahao
srajiwate
Conversationalist
yesterday
yesterday

During a recent penetration test, it was observed that the WAN IP of my Meraki MX is responding to DNS queries, even though the MX is not configured as a name server. This behavior is raising security concerns and impacting the test results.

Is this expected behavior for the MX? If not, is there a way to mitigate or disable this functionality to ensure the device does not respond to DNS queries on the WAN interface?

Thank you in advance for your guidance and any best practices you can share!

0 Kudos
In response to srajiwate
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Did you check the link I sent you?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
srajiwate
Conversationalist
yesterday
yesterday

Yes thanks for the link will validate the setting in our environment first based on the document you shared

0 Kudos
In response to srajiwate
alemabrahao
Kind of a big deal
Kind of a big deal
yesterday
yesterday

The Meraki MX should not typically respond to DNS queries on its WAN interface.

 

You can create a rule to deny inbound DNS requests (port 53) on the WAN interface. If the issue persists, it might be best to contact Meraki Support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
srajiwate
Conversationalist
yesterday
yesterday

But the query is that only is Meraki MX responding on WAN IP over the public IP  

0 Kudos
In response to srajiwate
ww
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Did you test that from your lan side? Or from another public ip or public port scan tool?

 

From the outside everything should be denied. Unless you maybe enabled no nat

0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
yesterday
yesterday

I have a spare MX on my LAN at home and the MX is also responding to DNS queries on the 'WAN' interface but not on it's "LAN" interfaces.

 

Run a DHCP Server is not enabled.

0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
17m ago
17m ago

I just did a lookup on my lab MX WAN IP, from outside.

It doesn't resolve addresses on DNS.

 

RHB@wopr ~ % dig @x.x.x.x google.dk A

; <<>> DiG 9.10.6 <<>> @x.x.x.x google.dk A
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
RHB@wopr ~ %
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.