1

I'm preparing to deploy about a thousand fanless machines running Debian. Each machine has 3 interfaces (eth0, eth1 and uap0). In many cases these machines will sit between a cable modem and a home router / network, so I need to be transparent between eth0 and eth1. To this end I have set up dnsmasq in hopes of routing traffic and providing addresses.

My DNSMASQ.CONF file is fairly simple. Mostly all I've added are the lines:

interface=eth1
interface=uap0
no-dhcp-interface=uap0

In hopes of securing the machine I'm trying to lock down any ports available on eth0. Using nmap -v -p1-65535 <hostname> I see that ports 22, 53, 80 and 111 are answering on eth0. 22 and 80 I understand (ssh and httpd). What concerns me is port 53. lsof -i :53 shows that dnsmasq is answering there.

Why? Do I need to add iptables entries to block this? Will it still work if I do this?

ethrbunny

2 Answers

3

Port 53 is used for DNS. It depends on your needs if you need it, or not.

You can configure dnsmasq to provide some outside (ISP's) DNS server to DHCP clients, and then you can disable DNS relaying on your box. If not, make sure to enable DNS relaying only for the internal network.

mulaz
  • Right - I understand what's happening there. I'm more worried about whether dnsmasq is responding to calls on ETH0 where it shouldn't be. – ethrbunny Apr 10 '13 at 17:34
  • 2
    You can test it with dig (I think it's part of bind utils). Try running it from outside; if your external, eth0 IP address is 1.2.3.4, just do "dig @1.2.3.4 www.google.com". If you get a response, it's working on eth0 too. If you get a timeout, it's not. If you get something it's doing something (if you get an IP, it's also allowing recursion/relaying). – mulaz Apr 10 '13 at 17:42
  • Timed out. That's the test I was looking for. TY. – ethrbunny Apr 10 '13 at 17:52
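The dig test from the comments above, written as an added stand-alone Python probe (not code from the original answers): it sends one DNS query to the external address and distinguishes a timeout (not answering) from a REFUSED reply (listening but not relaying) from an answer with the RA flag set (recursion/relaying offered on that address). The target IP, the query name and the sample replies in the comments are assumptions.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a minimal DNS A query with RD set, like `dig @ip name` sends."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # QDCOUNT=1, RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)           # QTYPE=A, QCLASS=IN

def parse_reply(data, qid):
    """Return the fields of the reply header that matter for the test."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply id does not match our query id")
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x80), "answers": an}

def probe(ip, name="www.google.com", port=53, timeout=2.0):
    """Query ip:port once over UDP; None means no reply within `timeout`."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (ip, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(data, qid)

def verdict(reply):
    """Map a probe result to the outcomes mulaz describes in the comment."""
    if reply is None:
        return "timeout: not answering on this address"
    if reply["rcode"] == 5:                    # REFUSED
        return "REFUSED: answering but not relaying for this client"
    if reply["answers"] and reply["ra"]:
        return "answered with records: recursion/relaying is available on this address"
    return "answered: something is listening on this address"

if __name__ == "__main__":
    # 1.2.3.4 is the placeholder external (eth0) address from the comment thread.
    print(verdict(probe("1.2.3.4")))
```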
1

What concerns me is port 53. lsof -i :53 shows that dnsmasq is answering there.

Port 53 is the standard port for DNS. Dnsmasq listens here by default.

Here are some relevant parts from the Dnsmasq documentation.

From http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-p, --port=<port>
    Listen on <port> instead of the standard DNS port (53). Setting this to zero completely disables DNS function, leaving only DHCP and/or TFTP. 

From http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq.conf.example

# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
Stefan Lasiewski