justsoso
Premium
join:2013-08-19
united state

DNS PROXY

I'm trying to get an understanding of what exactly this is doing and what the options are if I don't want to use it. I have read that it is what relays the DNS info to the connected devices. The thing I don't understand is, it opens port 53 up to the internet. This port is being used as a point of DNS amplification attack. I need to close this port but still be able to allow the modem/router to hand out DNS info to the connected devices. When disabling DNS proxy, I can see that the modem still knows what the DNS servers are even after a reboot, so why can it not pass that info on without DNS proxy enabled?


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
#1 I point to and quote from »Re: Modem/router(not in bridge mode) + router

quote:
There are some good reasons to have a modem bridge rather than route. I can't speak for all modems, but generally speaking:

1. Modems don't have much memory compared to a good router, so open a few sessions from the LAN and watch as connections get dropped, or worse, the modem/router just locks.

2. Modems tend to lack features compared to a good router. Things like QoS, DHCP reservation, VPN, uPNP, static routes, etc. get left out. You can provide your own router behind the modem, as you did, but this can lead to other complications, such as

3. Double NAT. Most things can be made to work with double NAT, just as it's entirely possible to assemble a jigsaw puzzle while wearing oven mitts. It takes longer and the probability of making a mistake while setting it up or troubleshooting goes up. Simplicity is a good rule to live by when setting up networks.


#2 Advice:

a) Get your own RJ-45 WAN port router.

b) Get that modem into bridge mode. As for how to do that, you may need help from your ISP.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.

justsoso
Premium
join:2013-08-19
united state
The modem is a combo modem/wireless router. It's not an option to put another router behind all the modems due to cost. Bridge mode is also not an option. This would cause multiple public IPs to be assigned to the modem. Each bridged device would be assigned its own public IP.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Ok.

What is the brand and model of this modem?

HELLFIRE
Premium
join:2009-11-25
kudos:18


reply to justsoso
As aefstoggaflm says, it may help to know what make / model of equipment you're talking about.
Also a screenshot of said setting would help.

said by justsoso:

I have read that it is what relays the DNS info to the connected devices. The thing I don't understand is, it opens port 53 up to the internet. This port is being used as a point of DNS amplification attack. I need to close this port but still be able to allow the modem/router to hand out DNS info to the connected devices. When disabling DNS proxy, I can see that the modem still knows what the DNS servers are even after a reboot, so why can it not pass that info on without DNS proxy enabled?

Okay, there is so much misunderstanding in that paragraph... let's see if we can help you out.

At a base level, a proxy is a (trusted) middleman / 3rd party for a transaction.

A proxy cannot "open" a port directly; the devices in the path must have some way of determining whether traffic is permitted or not (typically referred to as a firewall). Secondly, the other key concept is WHICH direction is the traffic flowing?

Yes, there are DNS amplification attacks, but you're going/thinking about this the wrong way.... or are confused as to your end goal. If you're concerned about stopping your internal hosts from being part of a botnet to launch a DNS amp attack, the LAST thing you want to be messing with is the DNS proxy setting(s). Rather, I'd get software or hardware to monitor and chart what traffic you've got running around your network. If you've got an internal DNS server, then again, you're using the wrong tool to prevent yourself from falling victim to a DNS amp attack.

The general traffic flow of said attack looks like this. So which scenario of the two above I outlined are you trying to
protect against?

Also, if this is for a home connection, or using ISP-supplied elcheapo gear, it's not going to do much in stopping this sort of thing, inbound or outbound. I'd start with getting a better understanding of networking basics and higher-end gear that CAN be configured to check / deny traffic both IN and OUTbound.

My 00000010bits

Regards

justsoso
Premium
join:2013-08-19
united state
said by HELLFIRE:

Yes, there are DNS amplification attacks, but you're going/thinking about this the wrong way.... or are confused as to your end goal. If you're concerned about stopping your internal hosts from being part of a botnet to launch a DNS amp attack, the LAST thing you want to be messing with is the DNS proxy setting(s). Rather, I'd get software or hardware to monitor and chart what traffic you've got running around your network. If you've got an internal DNS server, then again, you're using the wrong tool to prevent yourself from falling victim to a DNS amp attack.

Yes, my network/hosts are part of the botnet attack. Yes, there is always more to learn. It never stops. In my network, port 53 is being used by the botnet to drown the DNS server. The modem/router combo is the reason this is happening. Yes, I can/have shut port 53 down at the edge router altogether to stop the attack. The elcheapo modem is the reason this attack is being allowed to happen. Most modems I have used are using the same Broadcom chipset and the only difference is the internal memory/firmware. I have reached out to the manufacturer of the modem and they were aware that their modems had a flaw concerning this open port (I guess it's really a Broadcom problem from what they said) and have sent me a patch to close the hole. Now I get to update a few hundred modems, what fun. Anyone have an automated system that pushes updates to modems?

Thanks for all the replies!

P.S. Even though using DNS proxy should not have opened port 53 in the modem, it did. Whether it was because of the firmware or the chipset, I don't know.
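The thread's concern is whether a modem's WAN side answers recursive DNS queries from the internet (an "open resolver"). The following is an added example, not code from the thread or from any modem vendor: it builds the recursion-desired query an open-resolver check sends, and classifies a reply by its RA flag and RCODE. The replies embedded below are constructed, so the check runs offline; `probe()` is a hypothetical helper for testing your own modem's WAN address before and after a firmware patch.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A query with RD=1 (recursion desired), transaction id txid."""
    flags = 0x0100  # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an}

def classify(query, reply):
    """'open': server recursed for an outside client (RA set, NOERROR, answers present).
    'refused': server replied REFUSED (rcode 5), i.e. recursion is locked down.
    'mismatch': reply id differs or QR bit unset; 'closed': anything else."""
    q, r = parse_header(query), parse_header(reply)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"
    if r["rcode"] == 5:
        return "refused"
    if r["ra"] and r["rcode"] == 0 and r["ancount"] > 0:
        return "open"
    return "closed"

def probe(host, name="example.com", timeout=2.0):
    """Hypothetical helper: send the query to host:53 over UDP and classify the reply.
    Returns 'no-reply' on timeout, which is what a properly firewalled WAN port gives."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-reply"
    return classify(q, reply)

# Constructed sample replies to the same query (not captured from any real device).
QUERY = build_query("example.com")
QUESTION = QUERY[12:]
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION
```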

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to justsoso
said by justsoso:

I have reached out to the manufacturer of the modem and they were aware that their modems had a flaw concerning this open port (I guess it's really a Broadcom problem from what they said) and have sent me a patch to close the hole. Now I get to update a few hundred modems, what fun. Anyone have an automated system that pushes updates to modems?

So if I got this right, you're not doing this for a home setup, but for an ISP? And you've got a batch of modems that can / have been used in a DNS-based DDOS attack?

I'm rather curious personally why a modem needs to even be talking port 53... I'm guessing you're under NDA and can't release more information, justsoso? Now you've piqued my interest.

Regards