Received abuse complaint from ISP regarding open DNS resolver

Vodafone wrote email offener Open DNS Resolver

Vodafon close Port 53

dig cert-bund.de @109.193.xx.xx

no line found
;; WARNING: recursion requested but not available

no Firewallrule activ

found in unbound.conf
Allow access from everywhere
access-control: 0.0.0.0/0 allow

Thanks Alpensegler

Hi,

yes, they periodically scan their customers networks (or process reports
from people who do so, such as Shadowserver)
and inform them about potential misconfigurations or vulnerabilities.

To my knowledge, access to Unbound is limited by firewall rules by default
so no access from RED network is possible. Could you run the dig command
against the current public IPv4 address of your DSL/cable connection again
and post the results here?

(From my own experience: Do you have a PlayStation/xBox or similar hardware
running in your network? Those unfortunately open up port 53 for multicast
purposes via UPnP. IPFire does not support this, but the router you got from
Vodafone probably does.)

Vodafon[e] close[d] Port 53

Yes, that’s their way of dealing with abuse coming from their own customers:
If they detect an open resolver, telnet server or similar and have access to
your device by TR-069 or other protocols, they close the corresponding port
there.

This again suggests you are running IPFire behind another router. Please
give us some more details regarding your setup.

Thanks, and best regards,
Peter Müller

Salut Peter Müller,

Modem(kabelbw)—ipfire(core144) 3 ipsec tunnel
3 debian Server 1 laptop no xbox

[root@fw ~]# dig # cert-bund.de @109.193.179.19

; <<>> DiG 9.11.18 <<>># dnsnamen-bund @109.193.179.19
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22962
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnsname. IN A

;; ANSWER SECTION:
dnsadress. 775 IN A 159.69.62.252

;; Query time: 0 msec
;; SERVER: 109.193.179.19#53(109.193.179.19)
;; WHEN: Wed May 13 18:08:30 CEST 2020
;; MSG SIZE rcvd: 57

[root@fw ~]#

Modem(kabelbw)—ipfire(core144) 3 ipsec tunnel
3 debian Server 1 laptop no xbox

Which network zones are configured at the IPFire? Where are the servers located?

[root@fw ~]# dig # cert-bund.de @109.193.179.19

I assume the second ‘#’ is a typo. Of course, this command will succeed if you execute it
on the firewall itself. Since Vodafone closed port 53, it makes no sense to attempt querying
that IP address from any other host on the internet.

Unfortunately I have no idea of what went wrong here. The default firewall ruleset makes it
very hard to set up an open resolved exposed on RED.

Thanks, and best regards,
Peter Müller

red green blue(hostap) yellow.
The Servers on green; blue for smartphone; yello nothing,

I am install core144, after restore the backup.
All working fine.

I dont understand this with port53
My english is not so good

Thanks, and best regards,
alpensegler

Hi,

I dont understand this with port[ ]53

to test whether something responds to DNS queries on port 53, you would
normally run dig @[your public IP] example.com. But since Vodafone closed
port 53 on your router, this is not possible.

If I got it right, your IPFire is located behind their route. So, if the
IPFire system is the open DNS resolver, you should be able to test this:
Connect a computer to the Vodafone router, and run dig @[RED IP address of your IPFire] example.com.

Could you please post the output of that command here?

Thanks, and best regards,
Peter Müller

Salü, Peter Müller

i forget an old snat rule in

/etc/sysconfig/firewall.local

something is o.k. port 53 closed

Many thanks

Lothar

Please do not add your own iptables rules unless you know what you are doing and have them peer reviewed.

1 Like

Hi,

thanks for your reply. Glad this problem is now solved. You might want to inform your
ISP about that, as Vodafone refuses to do any customer support (especially if the customer
is complaining about bandwidth issues) until all abuse cases have been solved.

Thanks, and best regards,
Peter Müller