Netgate Discussion Forum

    Open DNS resolver

    Firewalling
    8 Posts 3 Posters 4.8k Views
    cal2600

      I received a notice from my ISP (AT&T) yesterday that my external IP address was tested for an Open DNS relay, which they apparently found. In the answer section of the test they came back with 127.0.0.2 as the open relay. I have both "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Do not use the DNS Forwarder as a DNS server for the firewall" enabled.
      We are using their DNS servers and we forward all internet traffic to their scanning service through the upstream proxy service. We average about 200 people per day going through the captive portal, and the users change daily; no one is ever the same, so I cannot use authentication.
      Is there a firewall rule or setting I can change to prevent this from happening?

      Thank You

      johnpoz (LAYER 8 Global Moderator)

        "In the answer section of the test they came back with 127.0.0.2 as the open relay"

        And your ISP is managed by who exactly? Clearly they don't have a clue if they are complaining that you're running an open relay on 127.0.0.2.

        127.0.0.0/8 is for loopback purposes. Nice for them to let you know their machine is an open relay ;) ???

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        cal2600

          AT&T provides the service and the upstream proxy filtering. Are there specific firewall rules to allow or disallow traffic to them on port 53?

          Thank You

          johnpoz (LAYER 8 Global Moderator)

            By default all inbound unsolicited traffic into your WAN (internet connections) would be blocked. So have you created any WAN firewall rules that allow DNS (TCP/UDP) 53? Have you created any NATs to 53?

            Here is the thing: the fact that they told you you're running anything on 127.0.0.2 tells me they don't have a clue what they are talking about. The whole 127.x.x.x network is reserved for LOOPBACK!! That means the LOCAL machine; there is no way to route 127.x.x.x, so there is no way that anyone other than yourself on your own local machine could talk to an address that starts with 127.x.x.x.

            If they told you they were talking to a box on 127.0.0.2 and that it was an open relay, they were talking to themselves ;)

            If you want to feel better, PM me your actual public IP and I will test if you're running/listening on DNS and allow me to query recursively from you.

            Unless you created specific WAN rules or NATs to 53, there is no way anyone could query your box or even network for DNS. What do your WAN and NAT rules look like? Post them.

            jimp (Rebel Alliance Developer Netgate)

              That may not be what they mean.

              Often with an RBL, a reply of 127.0.0.2 in the DNS reply means that an entry was matched and is present in the RBL.

              What they sent you probably meant one of two things:

              1. They queried an RBL that lists open relays, and your IP returned a positive result indicating that it was present in that RBL.
              2. They queried your IP to see if they could perform a recursive lookup, and they were able to receive a valid DNS reply.

              If your WAN rules block DNS, you should be OK though, but you may want to run a multi-RBL check on your IP to see if you're on any lists, assuming you have a static IP.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                johnpoz (LAYER 8 Global Moderator)

                So he PM'd me the letter and it clearly listed his public IP, and yes, you are correct, the 127.0.0.2 was the answer to their query.

                He has something messed up with his interfaces. He has rules such as these on his WAN.

                Here are the firewall rules as they exist today (WAN)

                X       Block RFC 1918
                X       Reserved/not assigned by IANA

                IPv4* TCP   WAN Address   *   Restricted Hosts   *   None
                IPv4*       LAN Net       *   *                  *   *   None   Default Allow

                He says when he removes the LAN Net source rule from his WAN he loses internet. So something is really messed up. I hope to TeamViewer in some time today and take a look, because it is clearly messed up. And yes, his public IP can be used as an open resolver, so the letter is correct; just not sure why he jumped on the answer to the query they clearly listed vs his public IP address for what to post ;)

                  cal2600

                  I removed and reconfigured both the LAN and WAN interfaces this morning, and also removed any additional WAN rules other than the default. I can access the internet now, and my MBUF usage has dropped by 50%. It looks like it may be fixed, thanks to Johnpoz.
                  AT&T will test it again soon; we will see what they say. I have been watching traffic for about an hour and a half and no calls from users.

                    johnpoz (LAYER 8 Global Moderator)

                    So I got your PM and tested the IP you sent me, and it shows it not answering DNS queries. So you should be fine, unless your public IP is something different now. If it has changed, PM me and I will check that IP for you as well.

                    C:>dig @12.xx.xx.xx www.google.com

                    ; <<>> DiG 9.9.4 <<>> @12.xx.xx.xx www.google.com
                    ; (1 server found)
                    ;; global options: +cmd
                    ;; connection timed out; no servers could be reached

                    C:>

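As an added example (not code from this thread or from Netgate), a small Python self-check that does what johnpoz's dig test and jimp's RBL explanation describe: it sends one recursive query to an address you own and classifies the reply (timeout, refused, or open-recursive), and it builds and interprets DNSBL lookups, where an answer of 127.0.0.2 is a "listed" return code rather than a host. The zone name dnsbl.example and the 1.2.3.4 address are placeholders.

```python
import ipaddress
import socket
import struct

# DNS header flag bits (RFC 1035): QR = response, RD = recursion desired, RA = recursion available
QR, RD, RA = 0x8000, 0x0100, 0x0080

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query for `name` with RD set, as dig does by default."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(data):
    """Decode the 12-byte DNS header into the fields the verdict depends on."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": an}

def classify(query, response):
    """Map a raw response (None on timeout) to a verdict string."""
    if response is None:
        return "timeout"            # what the dig output above shows: nothing listening or filtered
    if len(response) < 12:
        return "bad-response"
    h = parse_header(response)
    if not h["qr"] or h["txid"] != struct.unpack("!H", query[:2])[0]:
        return "bad-response"       # not a reply to our query (wrong ID or not a response)
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursive"     # it recursed for an outside client: what the ISP notice is about
    return "refused-or-no-recursion"

def probe_recursion(ip, name="www.google.com", timeout=3.0):
    """Send one recursive query to ip:53 from outside your network and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            data = None
    return classify(q, data)

def dnsbl_query_name(ip, zone):
    """Reversed-octet lookup name a DNSBL expects (RFC 5782), e.g. 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dnsbl_verdict(answer_ip):
    """Interpret an A answer to a DNSBL query: any 127.0.0.0/8 address means 'listed'
    (127.0.0.2 is the usual code). The 127.x value is a return code, not a reachable host."""
    a = ipaddress.ip_address(answer_ip)
    return "listed" if a in ipaddress.ip_network("127.0.0.0/8") else "unexpected"
```

Run probe_recursion("<your public IP>") from a host outside the network; "timeout" or "refused-or-no-recursion" is the result you want, and dnsbl_query_name("1.2.3.4", "dnsbl.example") gives the name to resolve when checking a list.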
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.