LinuxQuestions.org
Old 01-20-2014, 09:04 AM   #1
Quakeboy02
ATT says they've discovered an open DNS server at my IP


I got an email from ATT today containing this: "a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver." Since I didn't configure my system that way, I'm at a loss. I am running two Debian Wheezy machines which were recently upgraded from Squeeze. I am using an Actiontec GT784WN Wireless N DSL Modem with the wireless disabled. Last year shortly after I moved here and got this new DSL modem, I noticed odd activity on my second machine, and found a DOS script running on it. I removed the hard drive and rebuilt the system on a different drive, and that's when I turned the wireless off. I haven't noticed any other odd activity since then.

So, any simple pointers to what to do next would be appreciated. I don't see any firmware upgrades on the Actiontec site if that's where the problem is. I may have been running "transmission" at the time indicated in ATT's letter if that's related.
 
Old 01-20-2014, 09:44 AM   #2
smallpond
Check the "received from" headers to make sure the email is really from AT&T.
To find anything listening on port 53 (DNS) on your local machine:

Code:
netstat -tulpn | grep :53
or to test a device at an IP to see if it is listening:

Code:
telnet 192.168.0.1 53
^]close
If it accepts the connection, it is listening.
 
Old 01-20-2014, 10:04 AM   #3
Quakeboy02
Hi smallpond,

The email has my proper name in it, so I don't think it was a phishing attempt. I've forwarded the email to abuse@att.net as was suggested in the letter to see if they have anything useful to say. I did not click on any links in the email.

Here is the response to the two commands, so I don't think it's listening. I wonder if it was something in the "transmission" client?

Code:
bob@musem:~$ netstat -tulpn |grep :53
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:53306           0.0.0.0:*               LISTEN      -               
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -               
udp6       0      0 :::5353                 :::*                                -
Code:
bob@musem:~$ telnet 192.168.0.1 53
Trying 192.168.0.1...
telnet: Unable to connect to remote host: Connection refused
 
Old 01-20-2014, 10:34 AM   #4
smallpond
The 192.168.0.1 address was just an example. Try it with the actual IP addresses of your wireless router and the other Debian system.
 
Old 01-20-2014, 10:45 AM   #5
Quakeboy02
I tried to telnet into my internet IP as follows, without the "53". As you can see, I got a response. Does this mean there is a door into my router from the internet?

Code:
telnet xxx.xxx.xx.xxx
Trying xxx.xxx.xx.xxx...
Connected to xxx.xxx.xx.xxx.
Escape character is '^]'.
BCM96328 Broadband Router
Login:
 
Old 01-20-2014, 10:53 AM   #6
Quakeboy02
OK, some more information. I'm looking at the router setup, and I see that port 53 incoming was enabled. I've just disabled that, along with some incoming ICMP ports. At this point there aren't any incoming ports enabled.

Added:
I see there is a "NAT only" security option on the router setup page which doesn't list any incoming or outgoing ports. Should I be using that?

Added:
I ran the test at http://www.openresolver.jp, and now that I turned off port 53, it no longer shows a potential open DNS resolver at my IP. I don't know if that resolves this, or not.

Last edited by Quakeboy02; 01-20-2014 at 11:14 AM.
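As an added example (not code from the thread), a small Python probe that does what the openresolver.jp check in post #6 does, over UDP rather than the TCP-only telnet test in post #2: it sends a recursive A query to an address and reports whether the reply has the RA bit set and carries an answer, pointed at your own public address as the thread does. The name example.com and the transaction id are placeholders.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction id; any 16-bit value works


def build_query(name, txid=TXID):
    """Build a DNS A query for `name` with RD (recursion desired) set,
    which is exactly what an open-resolver check sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_reply(data, txid=TXID):
    """Return (recursion_available, rcode, answer_count) from a DNS reply.
    Raises ValueError for short packets or replies to some other query."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit marks a response
        raise ValueError("not a reply to our query")
    return bool(flags & 0x0080), flags & 0x000F, an


def classify_reply(data, txid=TXID):
    """'open' when the server recursed for us (RA set, NOERROR, an answer);
    otherwise 'closed', e.g. REFUSED (rcode 5) from a resolver that only
    serves its own LAN."""
    ra, rcode, an = parse_reply(data, txid)
    return "open" if ra and rcode == 0 and an > 0 else "closed"


def is_open_resolver(ip, name="example.com", timeout=3.0):
    """Send the recursive query to UDP port 53 on `ip`. 'no-reply' means the
    query was dropped or nothing listens there, which is the expected result
    once the router no longer forwards port 53 inbound."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (ip, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return classify_reply(data)
```

Note that the `grep :53` in the earlier netstat check also matches `:5353` (mDNS) and `:53306`, as the output in post #3 shows; `grep -E ':53\s'` narrows it to port 53 itself.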
 
Old 01-20-2014, 01:54 PM   #7
smallpond
Sounds like you fixed it. Another site for testing open ports is:

https://www.grc.com/shieldsup
 
Old 01-20-2014, 01:58 PM   #8
Quakeboy02
Thanks for giving me the clues I needed to fix this!
 