Port 53 open on MX95 WAN

Solved
MSakr
Getting noticed

Hi All

Our ISP was complaining about port 53 being open with an active DNS resolver on it:

dnsmasq-2.85

Now this is a new firewall that went live a few days ago, and there are no port forwarding rules configured there, so why is port 53 open? I tested from another public IP and port 53 is indeed open.

  1. Why is this the case, and what other ports are expected to be open?
  2. How to make sure all ports are closed to internet-initiated traffic, as they should be?

We don't have any DNS service exposed on the public IP, nor any NAT other than the standard WAN NAT that is on for inbound LANs to access the internet. The MX is in routed mode, obviously.

Thanks 

1 Accepted Solution
ww
Kind of a big deal

There is a ? at the top of the dashboard screen. Then go to Firewall info.

But I don't understand your L3 firewall dashboard view. AFAIK inbound rules should be for IPv6 only, not for IPv4 traffic, unless you made/requested some changes to the default settings.

Maybe you are running the early access: Org > Early access

"NAT Exceptions with Manual Inbound Firewall"

^^^

Looks like the 'open port(s)' is related to the above.


8 Replies
PhilipDAth
Kind of a big deal

It is a DNS resolver, and has to be able to accept DNS replies.

I think it turns off when you don't have any DHCP scopes including the security appliance as a DNS server.

MSakr
Getting noticed

Hi @PhilipDAth 

I don't have any DHCP scopes set; all VLANs are configured not to respond to any DHCP requests.

MSakr_0-1714993044791.png

Nor are there any setups pointing to the appliance as a DNS relay or DNS. I am pointing everywhere towards the Google ones.

 

ww
Kind of a big deal

I'm not running an MX95 and I don't see port 53 open from outside.

You can take a look at ? > Firewall info to see if that lists port 53.

Otherwise create a support ticket and let them find out why it's open.

MSakr
Getting noticed

Hi @ww 

I don't see a Firewall > Info section under my MX95. However, the inbound L3 rules are set to the default deny.

MSakr_0-1714994288838.png

I don't want to set an explicit deny for port 53, as this in theory might block all forwarder DNS traffic.

MSakr
Getting noticed

Yes indeed, I enabled the early access on this one. This is why you see the IPv4 rules. It looks more professional to me this way 🙂

Thanks for the pointer to the firewall info. I found a strange SNMP inbound rule there that isn't set anywhere in my rules, to one public IP from a range routed to the WAN public IP, with the source being the Meraki Networks. No clue why this is there, even though the target IP is not the WAN IP.

MSakr_0-1714998534513.png

 

MSakr
Getting noticed

Hi All

Still with Meraki support on this one; they are trying to figure out why it is open and responding to such requests.

MSakr
Getting noticed

Update on this issue: After spending some time with Meraki support, they did indeed point out that the early access feature of the L3 inbound rules is the culprit: if no rules are configured, an explicit allow all kicks in, which you don't see in the inbound L3 rules as the default is deny (see the screenshot in the previous post). Confusing.
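
One way to confirm from a host outside the network that your own WAN address has stopped answering DNS after the inbound rule is changed, as an added example that is not part of the thread or Meraki's tooling: it sends a single recursive A query over UDP and classifies the reply. The names `build_query`, `classify` and `probe`, the query name `example.com` and the sample replies are assumptions constructed for illustration; the address to check is passed on the command line.

```python
import socket
import struct
import sys

QID = 0x1234  # arbitrary query ID, constructed for this example

def build_query(name, qid=QID):
    """DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, qid=QID):
    """Classify a raw UDP reply; None means the probe timed out."""
    if reply is None:
        return "no-answer"          # closed or filtered, the expected state
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:   # wrong ID or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0 and flags & 0x0080 and ancount > 0:   # RA set, got answers
        return "open-resolver"
    if rcode == 5:
        return "refused"            # listening, but not resolving for us
    return "responds"               # listening on 53 with some other result

def probe(ip, name="example.com", timeout=3.0):
    """Send one query to ip:53 over UDP and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (ip, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:             # includes socket.timeout
            reply = None
    return classify(reply)

# Constructed sample replies (not captured traffic) for offline checking.
_QUESTION = build_query("example.com")[12:]
SAMPLE_OPEN = (struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + _QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
               + bytes([192, 0, 2, 1]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__" and len(sys.argv) > 1:
    print(sys.argv[1], probe(sys.argv[1]))
```

A result of `no-answer` over UDP cannot distinguish a closed port from a filtered one, so pair it with the dashboard's Firewall info view mentioned above.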
