Why is the WAN IP of my Meraki MX responding to DNS queries and acting as a name server?

srajiwate
Conversationalist

I noticed that the WAN IP configured on my Meraki MX is responding to DNS queries and appears to be acting as a name server. Is this expected behavior, and if not, how can I disable this functionality or secure it properly? Are there specific configurations or best practices to prevent this from happening?

12 Replies
alemabrahao
Kind of a big deal

Yes, it is probably configured in the MX configuration to use it as a proxy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_DHCP_Serv...

srajiwate
Conversationalist

I had validated this; it is for inbound-to-outbound access, and there is no issue related to this. The issue is from outbound to the MX, with the MX acting as a name server to respond to DNS queries.

JonnyM
Getting noticed

Do you have the NAT exceptions feature enabled?

srajiwate
Conversationalist

During a recent penetration test, it was observed that the WAN IP of my Meraki MX is responding to DNS queries, even though the MX is not configured as a name server. This behavior is raising security concerns and impacting the test results.

Is this expected behavior for the MX? If not, is there a way to mitigate or disable this functionality to ensure the device does not respond to DNS queries on the WAN interface?

Thank you in advance for your guidance and any best practices you can share!

alemabrahao
Kind of a big deal

Did you check the link I sent you?

srajiwate
Conversationalist

Yes, thanks for the link. I will validate the setting in our environment first, based on the document you shared.

alemabrahao
Kind of a big deal

The Meraki MX should not typically respond to DNS queries on its WAN interface.

You can create a rule to deny inbound DNS requests (port 53) on the WAN interface. If the issue persists, it might be best to contact Meraki Support.

srajiwate
Conversationalist

But the query is only that the Meraki MX is responding on the WAN IP over the public IP.

ww
Kind of a big deal

Did you test that from your LAN side? Or from another public IP or a public port scan tool?

From the outside everything should be denied, unless you maybe enabled no NAT.

RaphaelL
Kind of a big deal

I have a spare MX on my LAN at home and the MX is also responding to DNS queries on the 'WAN' interface but not on its "LAN" interfaces.

"Run a DHCP Server" is not enabled.

rhbirkelund
Kind of a big deal

I just did a lookup on my lab MX WAN IP, from outside.

It doesn't resolve addresses on DNS.

RHB@wopr ~ % dig @x.x.x.x google.dk A

; <<>> DiG 9.10.6 <<>> @x.x.x.x google.dk A
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
RHB@wopr ~ % 
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
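
To repeat the outside-in lookup shown above against your own MX WAN address and tell a timeout apart from a refusal or a real answer, here is an added example (not written by any poster in this thread and not Meraki code). The result labels, the query ID and the `sample_reply` helper are assumptions made for illustration; as suggested earlier in the thread, run it from a host on a different public IP rather than from the LAN side.

```python
import socket
import struct
import sys

QID = 0x1234  # arbitrary query ID, chosen for this example

def build_query(name, qid=QID):
    """Minimal DNS query: one A/IN question with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, qid=QID):
    """Map a raw reply (None = timeout) to a label; the labels are this example's own."""
    if reply is None:
        return "no-response"          # same outcome as the dig timeout above
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "answers"              # the address is resolving names for the sender
    if rcode == 5:
        return "refused"              # something listens on 53 but declines the query
    return "responds-other"           # e.g. SERVFAIL: reachable, but no answer given

def probe_udp(ip, name="example.com", timeout=3.0):
    """Send one query to ip:53 over UDP and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (ip, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:               # includes socket.timeout
            reply = None
    return classify(reply)

def sample_reply(flags, ancount, qid=QID):
    """Constructed header-only reply for offline checks (not captured traffic)."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(probe_udp(sys.argv[1]))
```

Only UDP is probed here; a WAN rule denying inbound port 53 should be checked over TCP as well.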