ATT says they've discovered an open DNS server at my IP
I got an email from ATT today containing this: "a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver." Since I didn't configure my system that way, I'm at a loss. I am running two Debian Wheezy machines which were recently upgraded from Squeeze. I am using an Actiontec GT784WN Wireless N DSL Modem with the wireless disabled. Last year shortly after I moved here and got this new DSL modem, I noticed odd activity on my second machine, and found a DOS script running on it. I removed the hard drive and rebuilt the system on a different drive, and that's when I turned the wireless off. I haven't noticed any other odd activity since then.
So, any simple pointers to what to do next would be appreciated. I don't see any firmware upgrades on the Actiontec site if that's where the problem is. I may have been running "transmission" at the time indicated in ATT's letter if that's related.
Check the "received from" headers to make sure the email is really from AT&T.
To find anything listening on port 53 (DNS) on your local machine:
Code:
netstat -tulpn | grep :53
Code:
telnet 192.168.0.1 53
Hi smallpond,
The email has my proper name in it, so I don't think it was a phishing attempt. I've forwarded the email to abuse@att.net as was suggested in the letter to see if they have anything useful to say. I did not click on any links in the email. Here is the response to the two commands, so I don't think it's listening. I wonder if it was something in the "transmission" client?
Code:
bob@musem:~$ netstat -tulpn |grep :53
Code:
bob@musem:~$ telnet 192.168.0.1 53
The 192.168.0.1 address was just an example. Try it with the actual IP addresses of your wireless router and the other Debian system.
I tried to telnet into my internet IP as follows, without the "53". As you can see, I got a response. Does this mean there is a door into my router from the internet?
Code:
telnet xxx.xxx.xx.xxx
OK, some more information. I'm looking at the router setup, and I see that port 53 incoming was enabled. I've just disabled that, along with some incoming ICMP ports. At this point there aren't any incoming ports enabled.
Added: I see there is a "NAT only" security option on the router setup page which doesn't list any incoming or outgoing ports. Should I be using that?
Added: I ran the test at http://www.openresolver.jp, and now that I turned off port 53, it no longer shows a potential open DNS resolver at my IP. I don't know if that resolves this, or not.
Thanks for giving me the clues I needed to fix this!