Cisco 877W acting a a DNS server. Does it answer external DNS queries coming from the WAN

jared.j01 · ‎10-11-2014

Hello,

I have a Cisco 877W running on my ADSL2+ service at home.

It is setup to act as a DNS server to answer DNS queries for my LAN and has the below commands as part of its configuration

ip dns server

!

ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 8.8.8.8

My question is, when I scan my WAN IP for open ports, port 53 (DNS) is open. Does this mean my router will be acting as a DNS server for anyone on the internet who directs DNS queries to my WAN IP?

If so, am I able to turn off port 53 towards the Internet, or do I need to add an an access-list to only accept queries from my internal network.

Thanks for your feedback.

ghostinthenet · ‎10-11-2014

That's correct. The "ip dns server" command will answer queries on any interface.

Given that your DHCP server is telling your clients to use Google DNS and not your router, I would just turn the router's DNS server off with the "no ip dns server" command.

Setting up an ACL (and/or inspection or zone-based firewalling) on your Internet-facing interface is the best practice to protect your network in general, not just to prevent external DNS queries.

jared.j01 · ‎10-12-2014

Thanks very much for your reply.

I have disabled the router to be a DNS server and now the port is closed when I check using a website port scanner.

Will investigate ACL's/firewalls etc for general safety too.

Thanks again.

ghostinthenet · ‎10-12-2014

I'm glad I could be of help.

If you found the information useful, I would appreciate it if you would mark it as correct and rate it accordingly.