DNS forwarding active ALSO on PPPoE


I have configured DNS forwarding on the internal interfaces (like eth0) with the directive “listen-on”, but if I look at “show system connection” there are open connections on all interfaces, also the external interface (like pppoe). Moreover, if I try an nmap scan on my external IP I can see two open ports, 53/tcp and 53/udp, and if I try to use nslookup with the DNS server set to my external IP, it resolves my queries (on the UDP port; TCP I didn’t try).


What version are you running?

‘show version’


Now I’m running 999.lithium.01180015, but it’s also present in 1.1.1


It’s a mistake.
VyOS doesn’t reply on 53/udp or 53/tcp if you try to contact it from outside your internal network.


Thanks to Alex Harpin :)


Easy one to make though, especially when you can see that the service appears to be listening on interfaces other than those you’ve configured. As I said on that one, it’s the way dnsmasq works, listening on all interfaces and then dropping anything it’s not supposed to answer, rather than filtering at the kernel level. It can be set up that way, to only bind to a specified interface, but that can add extra complications if interfaces change (so DHCP etc).
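
The listen-everywhere-then-drop pattern described in this thread, as an added example that is not part of the original posts and is not dnsmasq's or VyOS's code. It assumes Linux, uses the loopback addresses 127.0.0.1 and 127.0.0.2 as constructed stand-ins for an internal and an external address, filters on destination address rather than interface for simplicity, and all function names are hypothetical.

```python
import socket
import struct
import threading

# Linux value is 8; the named constant only exists in newer Python versions.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)

def serve(sock, allowed, count):
    """Read `count` datagrams; reply only if the packet's destination is allowed."""
    for _ in range(count):
        data, ancdata, _flags, peer = sock.recvmsg(512, socket.CMSG_SPACE(12))
        dst = None
        for level, ctype, cdata in ancdata:
            if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
                # struct in_pktinfo: ifindex, spec_dst, addr (destination in the header)
                _ifindex, _spec, addr = struct.unpack("i4s4s", cdata[:12])
                dst = socket.inet_ntoa(addr)
        if dst in allowed:
            sock.sendto(b"answer:" + data, peer)
        # Otherwise the datagram is dropped in user space: no reply is sent.

def probe(port, dst, timeout=0.5):
    """Send one query to dst:port and return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(b"query", (dst, port))
        try:
            return c.recvfrom(512)[0]
        except socket.timeout:
            return None

def demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))  # wildcard bind: socket listings show all interfaces
    bound_addr, port = srv.getsockname()
    t = threading.Thread(target=serve, args=(srv, {"127.0.0.1"}, 2), daemon=True)
    t.start()
    # Constructed test: 127.0.0.1 plays the internal address, 127.0.0.2 the external.
    replies = {dst: probe(port, dst) for dst in ("127.0.0.1", "127.0.0.2")}
    t.join(2)
    srv.close()
    return bound_addr, replies

if __name__ == "__main__":
    print(demo())
```

A socket listing or connection table only shows the wildcard bind; whether the service is reachable from a given side is settled by sending a query to that address and seeing whether a reply comes back.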