https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_DHCP_Serv...

I had validated this it is for inbound to outbound  access there is no issue related to this issue is from outbound to MX and MX acting as name server to respond dns query  

Do you have the NAT exceptions feature enabled?

During a recent penetration test, it was observed that the WAN IP of my Meraki MX is responding to DNS queries, even though the MX is not configured as a name server. This behavior is raising security concerns and impacting the test results.

Is this expected behavior for the MX? If not, is there a way to mitigate or disable this functionality to ensure the device does not respond to DNS queries on the WAN interface?

Thank you in advance for your guidance and any best practices you can share!

Did you check the link I sent you?

Yes thanks for the link will validate the setting in our environment first based on the document you shared

The Meraki MX should not typically respond to DNS queries on its WAN interface.

You can create a rule to deny inbound DNS requests (port 53) on the WAN interface. If the issue persists, it might be best to contact Meraki Support.

But the query is that only is Meraki MX responding on WAN IP over the public IP  

Did you test that from your lan side? Or from another public ip or public port scan tool?

From the outside everything should be denied. Unless you maybe enabled no nat

So like ww and JonnyM said it seems to be related to either the backend option "enable Layer 3 inbound firewall " OR the Early Access feature "NAT Exceptions with Manual Inbound Firewall". 

Now the question is why does the MX responds to DNS requests when either of these 2 features are enabled. It doesn't make much sense because the MX is not responding on the LAN interfaces so....

Ok. So I have Manual Inbound Firewall enabled.

If I add an Allow rule for udp/53 inbound, my MX also responds to dns queries on its WAN interface, from outside.

RHB@wopr ~ % dig @x.x.x.x google.dk A

; <<>> DiG 9.10.6 <<>> @x.x.x.x google.dk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52324
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.dk.			IN	A

;; ANSWER SECTION:
google.dk.		81	IN	A	142.250.74.131

;; Query time: 159 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Thu Dec 19 21:59:23 CET 2024
;; MSG SIZE  rcvd: 54

RHB@wopr ~ % 

From the LAN side, the MX does not respond on its LAN Interface IP, nor on its WAN IP.

So it seems to only be from the outside on its WAN interface.

If I remove said allow rule on the inbound rules, it goes back to not responding to DNS queries.

I understand how it is working , but not why ? 

Why would we want the MX to respond to DNS requests on the WAN ?