10-11-2014 03:22 AM - edited 03-04-2019 11:57 PM
Hello,
I have a Cisco 877W running on my ADSL2+ service at home.
It is set up to act as a DNS server to answer DNS queries for my LAN and has the below commands as part of its configuration
ip dns server
!
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server 8.8.8.8
My question is, when I scan my WAN IP for open ports, port 53 (DNS) is open. Does this mean my router will be acting as a DNS server for anyone on the internet who directs DNS queries to my WAN IP?
If so, am I able to turn off port 53 towards the Internet, or do I need to add an access-list to only accept queries from my internal network?
Thanks for your feedback.
10-11-2014 05:58 AM
That's correct. The "ip dns server" command will answer queries on any interface.
Given that your DHCP server is telling your clients to use Google DNS and not your router, I would just turn the router's DNS server off with the "no ip dns server" command.
Setting up an ACL (and/or inspection or zone-based firewalling) on your Internet-facing interface is the best practice to protect your network in general, not just to prevent external DNS queries.
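As an added illustration (constructed example, not configuration posted by anyone in this thread): the exposed setting from the question beside the two fixes the answer suggests, keeping the DNS server but filtering queries on the WAN interface, or disabling it outright. The interface names Dialer0 (WAN) and Vlan1 (LAN) are assumptions; substitute the ones on your 877W.

```cisco
! --- Exposed: "ip dns server" answers on every interface, so TCP/UDP 53
! --- on the WAN address is reachable from the whole Internet.
ip dns server
!
ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server 8.8.8.8
!
! --- Fix A: keep the resolver for the LAN, but drop unsolicited DNS
! --- arriving on the WAN side. Only DESTINATION port 53 is denied, so
! --- replies from 8.8.8.8 (source port 53, ephemeral destination port)
! --- to LAN clients still pass.
ip access-list extended WAN-IN
 remark Block Internet-originated DNS queries to the router
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface Dialer0
 ip access-group WAN-IN in
!
! --- Fix B (what the reply above recommends, since clients use Google DNS
! --- anyway): remove the server entirely, which also closes port 53 on
! --- the LAN side.
no ip dns server
```

After applying Fix A, `show ip access-lists WAN-IN` shows hit counts on the two deny lines whenever someone probes port 53 from outside, which doubles as a simple check that the filter is actually on the right interface.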
10-12-2014 03:55 AM
Thanks very much for your reply.
I have disabled the router to be a DNS server and now the port is closed when I check using a website port scanner.
Will investigate ACLs/firewalls etc. for general safety too.
Thanks again.
10-12-2014 05:23 AM
I'm glad I could be of help.
If you found the information useful, I would appreciate it if you would mark it as correct and rate it accordingly.