Incoming connections from 1.1.1.1 or 1.0.0.1 port 53 UDP

Hello, I’ve found in my logs incoming connections from 1.1.1.1 or 1.0.0.1 port 53 UDP:

X.X.X.X is my static IP

2025-12-24 13:07:04 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->X.X.X.X:41033, len 88
2025-12-24 13:07:04 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->X.X.X.X:41033, len 88
2025-12-25 00:17:37 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.1.1.1:53->X.X.X.X:41673, len 112
2025-12-25 00:17:37 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.1.1.1:53->X.X.X.X:41673, len 112
2025-12-25 03:58:02 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.1.1.1:53->X.X.X.X:41354, len 112
2025-12-25 03:58:02 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.1.1.1:53->X.X.X.X:41354, len 112
2025-12-25 13:10:27 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->X.X.X.X:41306, len 88
2025-12-25 13:10:27 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->X.X.X.X:41306, len 88

I registered a domain on Cloudflare, is it possible that they are trying to reach my IP?

Or is it a DNS amplification attack?

I drop those connections in a following rule, should I allow them?

Thank you!

Giorgio

These are not incoming connections, they are replies to outgoing queries you are doing.

If they get blocked by your firewall, you have configured it incorrectly. You had best add an “accept established/related” rule at the top of the input chain; it is there by default.

Hi,

do not allow any DNS queries from WAN side. It's not needed.
I have noticed that 8.8.8.8 from time to time scans devices for active (?) services. I do not know why, or why from the 8.8.8.8 address, but they have been doing that. Who knows, maybe 1.1.1.1 checks if you are just a "DNS consumer" or a "DNS provider"?

Note that his log lines say: 1.1.1.1:53->X.X.X.X:41354 so they are not queries, they are replies to his queries. Should be allowed by “established,related” rule in the firewall.

Maybe in some cases the reply arrives so late that the firewall connection tracking rule has expired already. It can help to increase udp-timeout in firewall connection tracking. The default has increased to 10 seconds (from 5), but older routers of course have the old value.

About 8.8.8.8: I think those are guys having fun with naive operators who put sources of telnet traffic in a blocklist. They send spoofed SYN packets with source 8.8.8.8 everywhere, and then those copying bad advice will lock themselves out of DNS. Fun!

The connection state is new, so I did not consider them as replies.

I do have the default rule to accept established and related.

My UDP timeout is already 10 seconds.

The particular thing is that these connections were made at 13:07 on 24th December and 13:10 on 25th December, 24 hours later, as if it were a scheduled task…

Now I’ve set a Packet Sniffer to capture those packets and check if these connections are related to my domain name hosted by Cloudflare.
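The point made earlier in the thread (source port 53 towards a high port means a reply, not a query) and the 24-hour spacing noticed above can both be checked mechanically. The script below is an added example, not code from any poster: it parses lines in this firewall log format, separates late replies from the router's own resolvers from genuine inbound queries to port 53, and reports the gap between successive late replies. The WAN address 203.0.113.10, the third (inbound query) sample line, and the resolver set are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the log quoted in the thread; 203.0.113.10
# stands in for the poster's WAN IP, and the third line is a made-up inbound query.
SAMPLE_LOG = """\
2025-12-24 13:07:04 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->203.0.113.10:41033, len 88
2025-12-25 13:10:27 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 1.0.0.1:53->203.0.113.10:41306, len 88
2025-12-25 13:10:30 firewall,info INPUT WAN 53 UDP input: in:pppoe-out-openfiber out:(unknown 0), connection-state:new src-mac A.B.C.D:E:F, proto UDP, 198.51.100.7:51234->203.0.113.10:53, len 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?connection-state:(?P<state>\w+) .*?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Resolvers the router itself is configured to use (assumption for this example).
KNOWN_RESOLVERS = {"1.1.1.1", "1.0.0.1"}


def classify(line):
    """Parse one log line; return a dict with a 'kind' field, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    sport, dport = int(d["sport"]), int(d["dport"])
    if sport == 53 and dport >= 1024 and d["src"] in KNOWN_RESOLVERS:
        # Source port 53, high destination port, from our own resolver: a DNS answer
        # whose conntrack entry has already expired, so the firewall marks it 'new'.
        kind = "late-reply"
    elif dport == 53:
        # Destination port 53: some host is treating our WAN IP as a DNS server.
        kind = "inbound-query"
    else:
        kind = "other"
    return {"ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"), "src": d["src"],
            "sport": sport, "dport": dport, "state": d["state"], "kind": kind}


def analyse(log):
    """Count each kind and measure the seconds between late replies (periodicity check)."""
    events = [e for e in map(classify, log.splitlines()) if e]
    counts = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    late = sorted(e["ts"] for e in events if e["kind"] == "late-reply")
    gaps = [int((b - a).total_seconds()) for a, b in zip(late, late[1:])]
    return counts, gaps
```

A gap close to 86400 seconds between late replies points at a daily scheduled lookup on the LAN rather than at anything Cloudflare initiates; the packet sniffer mentioned above will show which query the reply belongs to.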