[SOLVED] ATT says they've discovered an open DNS server at my IP
I got an email from ATT today containing this: "a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver." Since I didn't configure my system that way, I'm at a loss. I am running two Debian Wheezy machines which were recently upgraded from Squeeze. I am using an Actiontec GT784WN Wireless N DSL Modem with the wireless disabled. Last year shortly after I moved here and got this new DSL modem, I noticed odd activity on my second machine, and found a DOS script running on it. I removed the hard drive and rebuilt the system on a different drive, and that's when I turned the wireless off. I haven't noticed any other odd activity since then.
So, any simple pointers to what to do next would be appreciated. I don't see any firmware upgrades on the Actiontec site if that's where the problem is. I may have been running "transmission" at the time indicated in ATT's letter if that's related.
The email has my proper name in it, so I don't think it was a phishing attempt. I've forwarded the email to abuse@att.net as was suggested in the letter to see if they have anything useful to say. I did not click on any links in the email.
Here is the response to the two commands, so I don't think it's listening. I wonder if it was something in the "transmission" client?
Code:
bob@musem:~$ netstat -tulpn |grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:53306 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 :::5353 :::* -
Code:
bob@musem:~$ telnet 192.168.0.1 53
Trying 192.168.0.1...
telnet: Unable to connect to remote host: Connection refused
I tried to telnet into my internet IP as follows, without the "53". As you can see, I got a response. Does this mean there is a door into my router from the internet?
Code:
telnet xxx.xxx.xx.xxx
Trying xxx.xxx.xx.xxx...
Connected to xxx.xxx.xx.xxx.
Escape character is '^]'.
BCM96328 Broadband Router
Login:
OK, some more information. I'm looking at the router setup, and I see that port 53 incoming was enabled. I've just disabled that, along with some incoming ICMP ports. At this point there aren't any incoming ports enabled.
Added:
I see there is a "NAT only" security option on the router setup page which doesn't list any incoming or outgoing ports. Should I be using that?
Added:
I ran the test at http://www.openresolver.jp, and now that I turned off port 53, it no longer shows a potential open DNS resolver at my IP. I don't know if that resolves this, or not.
Last edited by Quakeboy02; 01-20-2014 at 11:14 AM.
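Two things in the thread are worth separating: the `grep :53` above matched :53306 and :5353 rather than port 53, so it never tested DNS, while the openresolver.jp run is what actually settled the question. The script below is an added example (mine, not from the thread or from Actiontec/ATT) that performs that same external check by hand: it sends one recursive A query to an address on 53/udp and reports whether the replier set RA and returned records; the target IP and hostname are placeholders, and it must be run from outside your own network to test the router's WAN side.

```python
# Added example, not code from the thread: ask a host whether it behaves as an open
# recursive DNS resolver (the check openresolver.jp performs). Run it from OUTSIDE
# your network against your public IP; the IP and hostname used are placeholders.
import socket
import struct
import sys

QID = 0x1234  # fixed transaction id so the reply can be matched to the query

def build_query(name, qid=QID):
    """Raw DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD only
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, qid=QID):
    """Decode the 12-byte DNS header into the fields that decide 'open resolver'."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("response id does not match our query")
    return {"qr": bool(flags & 0x8000),   # QR: this is a response
            "ra": bool(flags & 0x0080),   # RA: server offers recursion
            "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
            "answers": an}                # answer record count

def is_open_resolver(fields):
    """Open resolver: a stranger's recursive query gets RA, NOERROR and records back."""
    return fields["qr"] and fields["ra"] and fields["rcode"] == 0 and fields["answers"] > 0

def check(ip, name="example.com", timeout=3.0):
    """One query to ip:53/udp; None means no answer (closed/filtered, the desired state)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (ip, 53))
        data, _ = sock.recvfrom(512)
    except OSError:  # timeout and ICMP port-unreachable both surface as OSError
        return None
    finally:
        sock.close()
    return parse_response(data)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder public IP
    result = check(target)
    print(target, "no answer on 53/udp (closed/filtered)" if result is None
          else ("OPEN resolver" if is_open_resolver(result) else "answered, not open"), result)
```

A router that merely forwards 53/udp to a host running no resolver shows up as "no answer"; the "answered, not open" case (QR set but RA clear or REFUSED) is an authoritative or access-restricted server, which ATT's notice does not object to.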