Open DNS resolver
I received a notice from my ISP (AT&T) yesterday that my external IP address was tested for an Open DNS relay which they apparently found. In the answer section of the test they came back with 127.0.0.2 as the open relay. I have both Allow DNS server list to be overridden by DHCP/PPP on WAN and Do not use the DNS Forwarder as a DNS server for the firewall.
We are using their DNS servers and we forward all internet traffic to their scanning service through the upstream proxy service. We average about 200 people per day going through the captive portal, and the users change daily; no one is ever the same, so I cannot use authentication.
Is there a firewall rule or setting I can change to prevent this from happening?
"In the answer section of the test they came back with 127.0.0.2 as the open relay"
And your ISP is managed by who exactly? Clearly they don't have a clue if they are complaining that you're running an open relay on 127.0.0.2
127.0.0.0/8 is for loopback purposes. Nice for them to let you know their machine is an open relay ;) ???
AT&T provides the service and the upstream proxy filtering. Are there specific firewall rules to allow or disallow traffic to them on port 53?
By default all inbound unsolicited traffic into your WAN (internet connections) would be blocked.. So have you created any WAN firewall rules that allow DNS (TCP/UDP) 53? Have you created any NATs to 53?
Here is the thing - the fact that they told you you're running anything on 127.0.0.2 tells me they don't have a clue what they are talking about. The whole 127.x.x.x network is reserved for LOOPBACK!! That means the LOCAL machine - there is no way to route 127.x.x.x – so there is no way that anyone other than yourself on your own local machine could talk to an address that starts with 127.x.x.x
If they told you they were talking to a box on 127.0.0.2 and that it was an open relay - they were talking to themselves ;)
If you want to feel better PM me your actual public IP and I will test if you're listening on DNS and allow me to query recursively from you.
Unless you created specific WAN rules or NATs to 53 there is no way anyone could query your box or even network for DNS. What do your WAN and NAT rules look like - post them.
That may not be what they mean.
Often with an RBL, a reply of 127.0.0.2 in the DNS reply means that an entry was matched and is present in the RBL.
What they sent you probably meant one of two things:
1. They queried an RBL that lists open relays, and your IP returned a positive result indicating that it was present in that RBL.
2. They queried your IP to see if they could perform a recursive lookup, and they were able to receive a valid DNS reply.
If your WAN rules block DNS you should be OK, though you may want to run a multi-RBL check on your IP to see if you're on any lists, assuming you have a static IP.
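To make the two readings above concrete, here is a small stdlib-only helper, added as an illustration and not posted by anyone in this thread: it parses a raw DNS reply for the RA (recursion available) flag and A answers, builds the reversed-octet name an RBL lookup uses, and treats a 127.0.0.x answer as "listed". The sample reply bytes, the IP 192.0.2.10 and the zone rbl.example.net are constructed placeholders.

```python
import socket
import struct
def _encode_name(name):  # wire-format a dotted name as length-prefixed labels
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _skip_name(data, pos):  # advance past a wire-format name, honouring compression pointers
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length

def parse_response(data):
    """Return (RA flag, RCODE, list of A-record IPs) from a raw DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    ra, rcode = bool(flags & 0x0080), flags & 0x000F   # RA = bit 7, RCODE = low nibble
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4                 # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:                   # A record
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ra, rcode, ips

def rbl_query_name(ip, zone):
    """RBL convention: reversed octets of the checked IP under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def rbl_listed(ips):
    """Any 127.0.0.0/8 answer means 'listed'; the last octet is the list's reason code."""
    return [ip for ip in ips if ip.startswith("127.")]

def answers_recursively(data):
    """True when the reply has RA set plus a NOERROR answer: the server recursed for us."""
    ra, rcode, ips = parse_response(data)
    return ra and rcode == 0 and bool(ips)

# Constructed sample reply (not captured from the thread): flags 0x8180 = QR|RD|RA, NOERROR,
# one A answer 127.0.0.2 for the RBL name of placeholder IP 192.0.2.10; 0xC00C points at the qname.
SAMPLE_RBL_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                    + _encode_name(rbl_query_name("192.0.2.10", "rbl.example.net"))
                    + struct.pack(">HH", 1, 1) + b"\xc0\x0c"
                    + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("127.0.0.2"))
```

A reply like the dig timeout further down the thread never reaches parse_response at all, which is the result you want from a WAN that blocks port 53.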
So he PM'd me the letter and it clearly listed his public IP, and yes, you are correct, the 127.0.0.2 was the answer to their query.
He has something messed up with his interfaces.. He has rules like these on his WAN:
Here are the firewall rules as they exist today (WAN)
X Block RFC 1918
X Reserved/not assigned by IANA
IPv4* TCP WAN Address * Restricted Hosts * None
IPv4* LAN Net * * * * None Default Allow
He says when he removes the LAN Net source rule from his WAN he loses internet.. So something is really messed up.. I hope to TeamViewer in some time today and take a look - because it is clearly messed up. And yes, his public IP can be used as an open resolver so the letter is correct - just not sure why he jumped on the answer to the query they clearly listed vs his public IP address for what to post ;)
I removed and reconfigured both the LAN and WAN interfaces this morning, and also removed any additional WAN rules other than the default. I can access the internet now, and my MBUF usage has dropped by 50%. It looks like it may be fixed, thanks to Johnpoz.
AT&T will test it again soon we will see what they say. I have been watching traffic for about an hour and a half and no calls from users.
So I got your PM and tested the IP you sent me - and it shows it not answering DNS queries.. So you should be fine, unless your public IP is something different now.. If it has changed, PM me and I will check that IP for you as well.
C:>dig @12.xx.xx.xx www.google.com
; <<>> DiG 9.9.4 <<>> @12.xx.xx.xx www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached