Ok - so here's a curiousity - I have a routerboard 433 setup - and we have this company doing an audit of the system - they claim there are 2 critical errors with our setup (that they can see from the outside)
they are both related to DNS issues
220.127.116.11 Medium domain (53/udp) DNS Server Cache Snooping Remote Information Disclosure
18.104.22.168 Medium domain (53/udp) DNS Server Recursive Query Cache Poisoning Weakness
I have the internal network on a NAT setup with DNS (allow remote requests on)
I have setup a firewall to drop packets from the WAN port on port 53 both TCP and UDP (this is supposed to drop all DNS requests coming to the routerboard from the internet), and the packet counters go up when I run nmap to see what ports are still open. nmap reports DNS/53 is "filtered" even though I'm dropping all packets and it still doesn't pass the audit due to those two issues above.
does anyone have any suggestions on how to totally limit port 53 visibility on the WAN port so we can pass this PCI compliance test?