port 53 open despite firewall rules

These are my first 4 firewall rules in ip>firewall>filter

add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp

No other rules above them.

Despite that, port 53 (both tcp and udp) shows as open when port scanning with nmap. Any ideas how to filter that port?

Yes, quite correct, the router is alive and has a mind of its own.
You are just a pawn in the evil plans of the router.

Post the complete config
/export hide-sensitive file=anynameyouwish

Most likely the interface you are scanning through is not a member of the WAN interface list, just conjecture without seeing the configuration.

Here is my setup.
Internet is coming in through ethernet 1
I added also 2 drop rules in the forward chain, but same results.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment="WAN interface" interface=ether_01 list=WAN
add interface=bridge_lan list=LAN

/ip dhcp-client
add disabled=no interface=ether_01 use-peer-dns=no

/ip dns
set servers=1.1.1.1

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip dns
set servers=1.1.1.1
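
The suggestion above, that the scanning host may not be entering through an interface in the WAN list, can be checked by stepping through the posted input-chain rules in order. The following is an added example, not code from the thread or from MikroTik: a small Python simulator of RouterOS first-match evaluation over the rules and interface lists posted above (the 192.168.50.1 destination address is a constructed placeholder).

```python
import shlex
# Constructed from the export posted above; only what the simulator needs.
INTERFACE_LISTS = {"WAN": {"ether_01"}, "LAN": {"bridge_lan"}}
RULES_EXPORT = """
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN log=yes
"""

def parse_rules(text):  # 'add key=value ...' export lines -> list of dicts
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)  # shlex also copes with quoted comment="..."
        if toks and toks[0] == "add":
            rules.append(dict(t.split("=", 1) for t in toks[1:]))
    return rules

def in_list(iface, spec):  # in-interface-list matcher, incl. the negated '!LIST' form
    members = INTERFACE_LISTS.get(spec.lstrip("!"), set())
    return (iface in members) != spec.startswith("!")

def matches(rule, pkt):  # every matcher present must hold; absent matchers match anything
    checks = [
        rule["chain"] == pkt["chain"],
        pkt["conn_state"] in rule.get("connection-state", pkt["conn_state"]).split(","),
        rule.get("protocol", pkt["protocol"]) == pkt["protocol"],
        rule.get("dst-port", str(pkt["dst_port"])) == str(pkt["dst_port"]),
        rule.get("dst-address", pkt["dst_address"]) == pkt["dst_address"],
        in_list(pkt["in_iface"], rule["in-interface-list"]) if "in-interface-list" in rule else True,
    ]
    return all(checks)

def evaluate(rules, pkt):
    """First-match walk: returns (action, rule index), or ('accept', None) for the default policy."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "accept", None  # no rule matched: RouterOS accepts by default

def probe(in_iface, protocol="tcp"):
    # A fresh SYN (or UDP datagram) to port 53 on the router, arriving on in_iface (constructed).
    pkt = {"chain": "input", "conn_state": "new", "protocol": protocol, "dst_port": 53,
           "dst_address": "192.168.50.1", "in_iface": in_iface}
    return evaluate(parse_rules(RULES_EXPORT), pkt)
```

A probe entering on ether_01 is dropped by the third rule, one entering on bridge_lan matches no input rule at all and is accepted by the default policy, which is exactly the "open" result a scan from the LAN side would produce without ever incrementing the WAN drop counters.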

And what else is configured?? "Allow remote requests"???

Is this your full export? I also do not see any of your LAN settings. No bridge_lan or ports connected to it. No DHCP Server.

From what you have posted, you don’t have DNS running on your device.

/ip dns
set allow-remote-requests=yes

Or you would see this present.

Post the complete configuration.

/export hide-sensitive

/ip dns set allow-remote-requests=no

I have declared DNS 1.1.1.1.
dig google.com shows 1.1.1.1 as the DNS server and I am just fine with that.

Why do you need my LAN config for a firewall problem?
ether1 is the WAN and all the other LAN ports in the bridge are LAN. Not so complicated.

All the relevant info is there.

The most interesting thing is that with exactly the same config on another MikroTik machine (RB941) port 53 is filtered in the nmap scan. The machine with the open port is an RB4011. I have also taken a backup and RESET the configuration. With the default config it is the exact SAME problem.
Also, if the scan is nmap -Pn -p 53 the port is closed. If the scan is nmap -sS (or -sU) -Pn -p 53 the port is open.

It gives a better overall picture of what is going on.
What other ports open/service running.
How the bridge/ports are configured.

If you post /export hide-sensitive and remove all sensitive IP, I do not see any reason for not posting your config.
At the same time post what version of RouterOS you are running on and what hardware.

Here is the complete export
RB 4011
apr/02/2021 20:05:20 by RouterOS 6.47.9

/interface bridge
add admin-mac=******** auto-mac=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge_lan vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether_01
set [ find default-name=ether2 ] name=ether_02
set [ find default-name=ether3 ] name=ether_03
set [ find default-name=ether4 ] name=ether_04
set [ find default-name=ether5 ] name=ether_05
set [ find default-name=ether6 ] name=ether_06
set [ find default-name=ether7 ] name=ether_07
set [ find default-name=ether8 ] name=ether_08
set [ find default-name=ether9 ] name=ether_09
set [ find default-name=ether10 ] name=ether_10

/interface vlan
add interface=bridge_lan name=vlan_50_management vlan-id=50
add interface=bridge_lan name=vlan_10 vlan-id=10
add interface=bridge_lan name=vlan_11 vlan-id=11
add interface=bridge_lan name=vlan_12 vlan-id=12

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp_pool_vlan_50_management ranges=192.168.50.2-192.168.50.254
add name=dhcp_pool_vlan_10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool_vlan_11 ranges=192.168.11.2-192.168.11.254
add name=dhcp_pool_vlan_12 ranges=192.168.12.2-192.168.12.254

/ip dhcp-server
add address-pool=dhcp_pool_vlan_50_management disabled=no interface=vlan_50_management name=dhcp_vlan_50_management
add address-pool=dhcp_pool_vlan_10 disabled=no interface=vlan_10 name=dhcp_vlan_10
add address-pool=dhcp_pool_vlan_11 disabled=no interface=vlan_11 name=dhcp_vlan_11
add address-pool=dhcp_pool_vlan_12 disabled=no interface=vlan_12 name=dhcp_vlan_12

/interface bridge port
add bridge=bridge_lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether_02 pvid=50
add bridge=bridge_lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether_03 pvid=10
add bridge=bridge_lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether_04 pvid=11
add bridge=bridge_lan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether_05 pvid=12
add bridge=bridge_lan comment=defconf disabled=yes interface=ether_06
add bridge=bridge_lan comment=defconf disabled=yes interface=ether_07
add bridge=bridge_lan comment=defconf disabled=yes interface=ether_08
add bridge=bridge_lan comment=defconf disabled=yes interface=ether_09
add bridge=bridge_lan disabled=yes interface=ether_10

/ip neighbor discovery-settings
set discover-interface-list=none

/interface bridge vlan
add bridge=bridge_lan tagged=bridge_lan untagged=ether_02 vlan-ids=50
add bridge=bridge_lan tagged=bridge_lan untagged=ether_03 vlan-ids=10
add bridge=bridge_lan tagged=bridge_lan untagged=ether_04 vlan-ids=11
add bridge=bridge_lan tagged=bridge_lan untagged=ether_05 vlan-ids=12

/interface list member
add comment="WAN interface" interface=ether_01 list=WAN
add interface=vlan_50_management list=LAN
add interface=vlan_10 list=LAN
add interface=vlan_11 list=LAN
add interface=vlan_12 list=LAN
add interface=bridge_lan list=LAN

/ip address
add address=192.168.50.1/24 interface=vlan_50_management network=192.168.50.0
add address=192.168.10.1/24 interface=vlan_10 network=192.168.10.0
add address=192.168.11.1/24 interface=vlan_11 network=192.168.11.0
add address=192.168.12.1/24 interface=vlan_12 network=192.168.12.0

/ip cloud
set update-time=no

/ip dhcp-client
add disabled=no interface=ether_01 use-peer-dns=no

/ip dhcp-server network
add address=192.168.50.0/24 gateway=192.168.50.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.11.0/24 gateway=192.168.11.1 netmask=24
add address=192.168.12.0/24 gateway=192.168.12.1 netmask=24

/ip dns
set servers=1.1.1.1

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl address=************************ certificate=******************* disabled=no tls-version=only-1.2
set api disabled=yes
set winbox address=****************************************************************
set api-ssl disabled=yes

/ip ssh
set strong-crypto=yes

/system clock
set time-zone-name=*****************************

/system console
add disabled=no port=serial1

/system identity
set name=*****************************

/system ntp client
set enabled=yes server-dns-names=pool.ntp.org

/system package update
set channel=long-term

/tool bandwidth-server
set enabled=no

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool mac-server ping
set enabled=no

Edit your post.
Select the code part and click the code button. </>

Do you scan the router on the WAN or LAN side?

Can you post some logging? And also enable logging for the other 3 rules below.
Then perform this nmap scan from the outside and post some logging, just to make sure these rules are actually being hit.

add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp

Since no "state" flags are selected for these rules (e.g. new, invalid, ...), I would assume incoming packets in ANY state would be dropped, so that should not be a problem.

Here is the command in nmap and the result:

sudo nmap -sS -sU -sV -Pn -p 53 (from a machine outside the LAN)
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-02 19:55 EEST
Nmap scan report for ******************************
Host is up (0.0025s latency).

PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.79
53/udp open domain dnsmasq 2.79
MAC Address: ******************* (Unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.34 seconds

How can I filter the logs only for port 53 in the firewall?

Configuration looks OK. Normally you should not need to block port 53 on the outside, nor should it be open by itself.
I have no Linux server outside, so I cannot test my port.

Do you see any count increase on your firewall rule when you test port 53?

No, the counters are frozen.
I think that the whole nmap process is not reaching the firewall rules. Have no idea why.
Something more fundamental is wrong, beneath the user configuration, maybe a security flaw.

https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

Just try a free scan? It will test 53 also in the "free" edition.
In my case I have 0 ports open, so that's good.

It is not helpful. If you scan with the classic nmap query "sudo nmap -sV -p 53"
without the -Pn, then the answer is that the host seems down.
Just try an nmap scan even from a Raspberry Pi... Ideally against an RB4011, because another RB that I have behaves normally.

Did test my server with the same command as above.

nmap -sS -sU -sV -Pn -p 53 92.220.xx.yy
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-02 20:43 CEST
Nmap scan report for x.y.z(92.220.xx.yy)
Host is up.

PORT STATE SERVICE VERSION
53/tcp filtered domain
53/udp open|filtered domain

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 104.45 seconds

So from this test it looks up, but DNS does not resolve anything.

nslookup

server 92.220.xx.yy
Default server: 92.220.xx.yy
Address: 92.220.xx.yy#53
google.com
;; connection timed out; no servers could be reached

Another thing I did see is that the IP entered my block list.
I have a rule that if someone tries any port on my router that is not open, it will be blocked for 24 hours on all ports, even open ports.
So this may just be some ghost errors. I do not think anything is in danger.

PS no need to quote the post above, use Post Reply under the post to reply to it.

Your results are different.
TCP filtered means blocked by firewall.
UDP open/filtered means no response from the server ==> blocked by firewall.

Your machine seems to work as expected.

In my 4011 when i perform the test:

  1. The ports are open, which means that the router responds with an ACK to nmap's SYN. It's not a false positive.
  2. The firewall counters are not catching anything, and the rules are at the TOP. That means that something is wrong inside RouterOS that we cannot see.

Any ideas how I can check it or solve it?