How to prevent dnsmasq listening on WAN IP address?

[huxuan]

I am not sure this is a bug or my incorrect configuration, but on my merlin router, dnsmasq will listen on `127.0.0.1`, `192.168.50.1` (my router LAN IP) and `X.X.X.X` (my WAN IP). This is kind of exposure, because I can even trigger the DNS request from remote VPS to my router by command `dig google.com @X.X.X.X`. I tried to add `listen-address=192.168.50.1` to `/jffs/configs/dnsmasq.conf.add` but it does not help. Any ideas?

 

[huxuan]

The auto generated `dnsmasq.conf` for me is listed as following.
Seems the problem is caused by `interface=ppp0` and `interface=ppp1` but actually I have disabled `Dual WAN`, I do not know where there is still a `ppp1` exists.

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp0
interface=ppp1
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=router.huxuan.org
expand-hosts
bogus-priv
domain-needed
local=/router.huxuan.org/
dhcp-range=lan,192.168.50.128,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,15,router.huxuan.org
dhcp-option=lan,44,192.168.50.1
dhcp-option=lan,252,"\n"
dhcp-option=lan,42,0.0.0.0
dhcp-authoritative
address=/use-application-dns.net/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp

 

[RMerlin]

This is kind of exposure, because I can even trigger the DNS request from remote VPS to my router by command `dig google.com @X.X.X.X`.

It shouldn't, because the default firewall rules do not open port 53.

 

[ColinTaylor]

interface=ppp0
interface=ppp1

These appear to be IPSec VPN interfaces.

 

[huxuan]

interface=ppp0
interface=ppp1

These appear to be IPSec VPN interfaces.

Yeah, I do have enabled IPSec VPN so I can access LAN from outside, so this is an side effect？ How should I deal with it？

 

[huxuan]

It shouldn't, because the default firewall rules do not open port 53.

I suppose so, but I can not come up with it where I accidentally make it happen.

 

[ColinTaylor]

Yeah, I do have enabled IPSec VPN so I can access LAN from outside, so this is an side effect？ How should I deal with it？

I'm not sure I understand the problem. If you enable the VPN server then you are enabling access to your entire LAN (including dnsmasq) to a VPN client that has successfully connected to your server. That doesn't expose anything to anyone else on the internet.

 

[huxuan]

I'm not sure I understand the problem. If you enable the VPN server then you are enabling access to your entire LAN (including dnsmasq) to a VPN client that has successfully connected to your server. That doesn't expose anything to anyone else on the internet.

Currently, since dnsmasq is listening on wan interface, and the iptables magically does not block access to 53 port from outside, so I found my DNS is becoming an open one.

Maybe the problem is not located at dnsmasq but iptables? I must have messed up some configuration.

 

[ColinTaylor]

Currently, since dnsmasq is listening on wan interface, and the iptables magically does not block access to 53 port from outside, so I found my DNS is becoming an open one.

Maybe the problem is not located at dnsmasq but iptables? I must have messed up some configuration.

I can't see any evidence from what you've posted so far that dnsmasq is listening on your WAN interface. How are you testing this?

 

[huxuan]

I can't see any evidence from what you've posted so far that dnsmasq is listening on your WAN interface. How are you testing this?

`netstat -ntpl | grep dnsmasq` shows that dnsmasq is listening on three addresses:127.0.0.1, 192.168.50.1 (My router LAN IP) and X.X.X.X (My WAN IP).

I also tried to trigger a DNS request from one of my remote VPS with command `dig google.com @X.X.X.X` and it works.

 

[ColinTaylor]

`netstat -ntpl | grep dnsmasq` shows that dnsmasq is listening on three addresses:127.0.0.1, 192.168.50.1 (My router LAN IP) and X.X.X.X (My WAN IP).

What output do you get from the following commands?

nvram get wan0_ifname
nvram get wan_ifnames

I also tried to trigger a DNS request from one of my remote VPS with command `dig google.com @X.X.X.X` and it works.

Is your VPS connected to your router's IPSec VPN server? If so then this is working as expected. Try accessing port 53 from canyouseeme.org.

 

[huxuan]

What output do you get from the following commands?

nvram get wan0_ifname
nvram get wan_ifnames

Is your VPS connected to your router's IPSec VPN server? If so then this is working as expected. Try accessing port 53 from canyouseeme.org.

Both of the commands above returns `eth0` and the VPS is NOT connected via VPN. `canyouseeme.org` also says that the 53 port is open. Actually, I just find the problem from another similar port open check tool.

 

[dave14305]

He’s not lying. I just looked up his router name with dig pointing to his WAN IP, which can be guessed by his dnsmasq.conf.

 

[huxuan]

He’s not lying. I just looked up his router name with dig pointing to his WAN IP, which can be guessed by his dnsmasq.conf.

Yeah, I also have DDNS configured. I guess I must have messed up something. Maybe I have to do a factory reset finally.

 

[ColinTaylor]

Both of the commands above returns `eth0` and the VPS is NOT connected via VPN. `canyouseeme.org` also says that the 53 port is open. Actually, I just find the problem from another similar port open check tool.

Very strange. I can't see any reference to eth0 in the dnsmasq.conf you posted.

Also as RMerlin said, the firewall should be blocking external connections to port 53 anyway. Have you disabled the router's firewall?

 

[huxuan]

Have you disabled the router's firewall?

Forgive silly me! I just find my firewall is disabled unexpectedly. Enable it saves me.

Thanks!