https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_DHCP_Serv...

I had validated this it is for inbound to outbound  access there is no issue related to this issue is from outbound to MX and MX acting as name server to respond dns query  

Do you have the NAT exceptions feature enabled?

During a recent penetration test, it was observed that the WAN IP of my Meraki MX is responding to DNS queries, even though the MX is not configured as a name server. This behavior is raising security concerns and impacting the test results.

Is this expected behavior for the MX? If not, is there a way to mitigate or disable this functionality to ensure the device does not respond to DNS queries on the WAN interface?

Thank you in advance for your guidance and any best practices you can share!

Did you check the link I sent you?

Yes thanks for the link will validate the setting in our environment first based on the document you shared

The Meraki MX should not typically respond to DNS queries on its WAN interface.

You can create a rule to deny inbound DNS requests (port 53) on the WAN interface. If the issue persists, it might be best to contact Meraki Support.

But the query is that only is Meraki MX responding on WAN IP over the public IP  

Did you test that from your lan side? Or from another public ip or public port scan tool?

From the outside everything should be denied. Unless you maybe enabled no nat

Hi srwjiwate,

Can you replicate this from a source client that is not connected to any Meraki infrastructure or Cisco Umbrella?

I suspect the following is happening. The pen testing tool is sourcing from a network that uses Meraki infrastructure that has Cisco Umbrella enabled. When it DNS queries, the Meraki infra hijacks the DNS request and sends to Umbrella. Umbrella resolves and replies to the meraki infras, which re-writes the DNS response to look like it came from the proper name server. Here is an example of me asking non-existent name servers to resolve different names and they work

U:\>nslookup abc.com 86.75.30.9
Server: UnKnown
Address: 86.75.30.9

Non-authoritative answer:
Name: abc.com
Addresses: 3.162.3.125
3.162.3.49
3.162.3.100
3.162.3.119

U:\>nslookup cbs.com 1.2.3.4
Server: UnKnown
Address: 1.2.3.4

Non-authoritative answer:
Name: cbs.com
Addresses: 2600:1901:0:626a::
34.149.41.86

U:\>nslookup nbc.com 7.0.0.56
Server: UnKnown
Address: 7.0.0.56

Non-authoritative answer:
Name: nbc.com
Addresses: 23.223.17.138
23.223.17.140

Here is Umbrella resolving them:

if you wireshark capture on your penteset tool everything looks normal, even though it is weird AF. But if you capture on your remote MX WAN interface, you won't see any of these DNS requests get there.

It's a tricky one. Let me know if that makes sense.

Also, I see the MX WAN interface resolving DNS when it is connected to the Internet, but not associated to a template/has no network config.

So like ww and JonnyM said it seems to be related to either the backend option "enable Layer 3 inbound firewall " OR the Early Access feature "NAT Exceptions with Manual Inbound Firewall". 

Now the question is why does the MX responds to DNS requests when either of these 2 features are enabled. It doesn't make much sense because the MX is not responding on the LAN interfaces so....

Ok. So I have Manual Inbound Firewall enabled.

If I add an Allow rule for udp/53 inbound, my MX also responds to dns queries on its WAN interface, from outside.

RHB@wopr ~ % dig @x.x.x.x google.dk A

; <<>> DiG 9.10.6 <<>> @x.x.x.x google.dk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52324
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.dk.			IN	A

;; ANSWER SECTION:
google.dk.		81	IN	A	142.250.74.131

;; Query time: 159 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Thu Dec 19 21:59:23 CET 2024
;; MSG SIZE  rcvd: 54

RHB@wopr ~ % 

From the LAN side, the MX does not respond on its LAN Interface IP, nor on its WAN IP.

So it seems to only be from the outside on its WAN interface.

If I remove said allow rule on the inbound rules, it goes back to not responding to DNS queries.

I understand how it is working , but not why ? 

Why would we want the MX to respond to DNS requests on the WAN ?