Port 53 getting open without nat

Hi,

I have an issue in VyOS. On a few of my public IPs, port 53 is observed to be open without being allowed in a NAT rule.

Can you suggest what needs to be done?

Discovered open port 443/tcp on x.x.x.x

Discovered open port 53/tcp on x.x.x.x

Discovered open port 22/tcp on x.x.x.x

Discovered open port 8443/tcp on x.x.x.x

This issue is observed only on a few IPs in the subnet.

Maybe you have a DNS server enabled on VyOS and it's listening on your public IP?
You have to show us your config for us to fully understand.
Show us that, and also the output of sudo ss -tlnp and sudo ss -ulnp.
Remember to hide your public addresses before posting.

Sure, let me check.
I checked the complete config; DNS is not configured anywhere.
vbash-4.1# sh config comm | grep dns
vbash-4.1#

I can't share the config, but we have Int IPs, NAT rules, NTP and syslog configured.

Nothing else configured.

vbash-4.1# ss -tlmp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:smux *:* users:(("snmpd",53043,14))
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 128 *:2220 *:* users:(("sshd",4701,3))
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 5 *:domain *:* users:(("dnsmasq",48882,5))
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 128 :::2220 :::* users:(("sshd",4701,4))
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 5 :::domain :::* users:(("dnsmasq",48882,7))
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
vbash-4.1#

Applied firewall rules and allowed only a few TCP ports. But port 53 is still getting opened.

If you have DNS forwarding service turned on but don’t specify a listen-address, that will cause port 53 to be open. This has nothing to do with NAT.
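
The check the replies above are working towards, as an added example that is not part of the original thread: a shell function that reads ss -tlnp or ss -ulnp output and lists the sockets bound to a wildcard address, which is the state the dnsmasq listener in the posted output is in. The sample input is constructed in the thread's older ss format with placeholder values, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the older ss format seen in the thread, with -n so
# ports are numeric. PIDs and the 192.0.2.1 address are placeholders.
sample_ss_output() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:199      *:*    users:(("snmpd",53043,14))
LISTEN 0      128    *:2220             *:*    users:(("sshd",4701,3))
LISTEN 0      5      *:53               *:*    users:(("dnsmasq",48882,5))
LISTEN 0      128    :::2220            :::*   users:(("sshd",4701,4))
LISTEN 0      5      :::53              :::*   users:(("dnsmasq",48882,7))
LISTEN 0      5      192.0.2.1:8080     *:*    users:(("demo",100,3))
EOF
}

# Reads `ss -tlnp` or `ss -ulnp` output on stdin (one protocol at a time, so
# the local address is field 4) and prints "<port> <address> <process>" for
# every socket bound to a wildcard address.
wildcard_listeners() {
    awk '
    $1 == "LISTEN" || $1 == "UNCONN" {
        # The port follows the last colon; everything before it is the address.
        n = match($4, /:[^:]*$/)
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        # Wildcard spellings used by different iproute2 versions.
        if (addr != "*" && addr != "0.0.0.0" && addr != "::" && addr != "[::]") next
        # Owning process: first quoted name inside users:(("name",...)).
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, addr, proc
    }'
}

sample_ss_output | wildcard_listeners
```

On the router, pipe sudo ss -tlnp (and then sudo ss -ulnp) into wildcard_listeners; the -n keeps ports numeric. In the interface-based VyOS firewall syntax used in this thread, a ruleset bound in the in direction filters forwarded traffic only, while traffic addressed to the router itself, such as a wildcard listener, is matched by a ruleset bound in the local direction.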

Hi,
I don’t have any dns service running.

set service snmp community xxxxxxxx client '10.x.x.x'
set service snmp community xxxxxxxx authorization 'ro'
set service ssh port '2220'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

I see you tried to grep dns, but what about grep 53?

sh config commands | grep 53
set nat destination rule 2050 translation address '10.x.x.x'
set nat destination rule 2055 translation address '10.x.x.x'
sh config commands | grep dns

Is there anything I need to check at the system level?

What is your default action from WAN (public) to the firewall?
If it's set to accept, it may explain it? Only a hunch, as generally if the policy is to drop as per usual, you explicitly have to open port 53/DNS, or any other port for that matter.

Have you confirmed the DNS port is actually open, or if it's the scanner you are using to scan your public IP?
I have had a false positive using GRC at https://www.grc.com/shieldsup, keeping in mind it only does TCP ports.

Default action is drop
sh config commands | grep firewall
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name PUBLIC_NETWORK_IN default-action 'drop'
set firewall name PUBLIC_NETWORK_IN rule 10 action 'accept'
set firewall name PUBLIC_NETWORK_IN rule 10 protocol 'all'
set firewall name PUBLIC_NETWORK_IN rule 10 state established 'enable'
set firewall name PUBLIC_NETWORK_IN rule 10 state related 'enable'
set firewall name production default-action 'drop'
set firewall name production rule 10 action 'accept'
set firewall name production rule 10 destination port '80,222,2220,22,443,8443,1194,1196'

set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set interfaces ethernet eth0 firewall 'in'

Also, not only in the scan, but when I telnet to port 53 from outside, it's open.

I like to keep it simple, but just making sure: when you are performing the testing, are you possibly on a VPN to the network? WireGuard or other, etc.?

The other thing, not sure if you are in production, but I would remove this line for a test:
set firewall name PUBLIC_NETWORK_IN rule 10 protocol 'all'

The other thing is I would be checking any other public rules to the internal network, wherever you may have DNS servers, and check their default rules are drop too.

Also, if I am not mistaken, this line

set interfaces ethernet eth0 firewall 'in'

should be something like the following? I'm not logged into mine at the moment, but… you should be able to use tab to auto-complete each word and make sure it's correct.
This is ONLY if eth0 is your public/WAN interface of course, just using what you put in and assuming it's relevant.

set interfaces ethernet eth0 firewall name 'PUBLIC_NETWORK_IN'

Another thought: work backwards.
Wherever you are having a DNS server, run the command below on its interface…

show interfaces ethernet eth[x_whatever number interface]

Check which firewalls you have set for the inbound/local sections, then go over those firewall rules with a fine-tooth comb. Should get you there faster.

The DNS server is not pointed to this VyOS. Also, the firewall rules were applied today.

Welp, something is missing here as there is no config.
Have a think about how to approach the issue logically.

Easiest is to start from the target and work backwards if it's complicated. Trace the IP that's hitting your DNS server. It's port 53, so you should be able to use Wireshark to check what IP is hitting the DNS server, etc., and start narrowing down where it is coming from.

Or try

show conntrack table ipv4

If it's not too busy, you may be able to pinpoint the IPs. Without much info, I'm still guessing it's some sort of firewall allow rule allowing all sorts of traffic through by default along the way.

Let me check the firewall rules