10-11-2014 03:22 AM - edited 03-04-2019 11:57 PM
Hello,
I have a Cisco 877W running on my ADSL2+ service at home.
It is set up to act as a DNS server to answer DNS queries for my LAN and has the below commands as part of its configuration
ip dns server
!
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 8.8.8.8
My question is, when I scan my WAN IP for open ports, port 53 (DNS) is open. Does this mean my router will be acting as a DNS server for anyone on the internet who directs DNS queries to my WAN IP?
If so, am I able to turn off port 53 towards the Internet, or do I need to add an access-list to only accept queries from my internal network?
Thanks for your feedback.
10-11-2014 05:58 AM
That's correct. The "ip dns server" command will answer queries on any interface.
Given that your DHCP server is telling your clients to use Google DNS and not your router, I would just turn the router's DNS server off with the "no ip dns server" command.
Setting up an ACL (and/or inspection or zone-based firewalling) on your Internet-facing interface is the best practice to protect your network in general, not just to prevent external DNS queries.
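An added example (not posted in the thread) showing both options from the reply in Cisco IOS syntax: turning the DNS service off entirely, or keeping it for the LAN while dropping unsolicited port 53 traffic at the Internet-facing interface. The Dialer0 interface name and the WAN-IN ACL name are assumptions.

```cisco
! Option 1 (what the reply recommends): stop the router answering DNS at all.
! Clients already receive 8.8.8.8 from the DHCP pool, so the LAN loses nothing.
no ip dns server
!
! Option 2: keep "ip dns server" for the LAN but drop DNS queries that arrive
! from the Internet. Interface Dialer0 and ACL name WAN-IN are assumed names.
! Replies to the LAN's own lookups come FROM port 53 to a high port, so a match
! on destination port 53 ("any any eq domain") does not block them.
ip access-list extended WAN-IN
 remark drop unsolicited DNS queries aimed at the WAN address
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
!
! Verify: the deny-line hit counters climb when an outside scanner probes port 53.
! show ip access-lists WAN-IN
```

The ACL above only removes the DNS exposure; a deny-by-default inbound ACL, as the reply notes, needs inspection (ip inspect) or zone-based firewalling so that return traffic for the LAN's own connections is still allowed.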
10-12-2014 03:55 AM
Thanks very much for your reply.
I have disabled the router to be a DNS server and now the port is closed when I check using a website port scanner.
Will investigate ACLs/firewalls etc. for general safety too.
Thanks again.
10-12-2014 05:23 AM
I'm glad I could be of help.
If you found the information useful, I would appreciate it if you would mark it as correct and rate it accordingly.