Current Open DNS reminders from IDnet

drifting · Feb 06, 2015, 10:44:12

Hi All.

Ok, understand the reason for sending out these reminders, must admit (Hold head in shame) That I was not aware of this being an issue.

Anyway, what I would appreciate is a suggestion for an ADSL, Router Modem that does NO NAT, and is capable of blocking port 53. So far not one of the older routers my customers are currently using are capable of that, as most when you turn the firewall on, want to use NAT. Suppose one to one Natting could be an option, but I am a great believer in KISS (Keep it simple stupid) Did think of telling the routers to resolve to the external address of the linux server gateways below the routers, as they block external requests?

So any suggestions?

P

Technical Ben · Feb 06, 2015, 19:13:46

What reminders?

Tacitus · Feb 07, 2015, 07:26:36

Quote from: Technical Ben on Feb 06, 2015, 19:13:46
What reminders?

I'm not the only who wondered

Neither can I see the connection between iDNet and OpenDNS other than you can use the latter instead of iDNet's DNS servers.

Gary · Feb 07, 2015, 07:45:24

I'm lost, what reminders and why?

drifting · Feb 07, 2015, 10:49:36

Slaps head, assuming I was not the only one to get one of these.

Dear Customer

Our scans have detected that your equipment is running software that is exploitable and can be used by hackers to mount a DOS attack on third parties. Please can you take all necessary steps to update and/or lock down all DNS Resolvers (including routers) on your network.

Affected services are listed below.

IP Address
Telephone
DSL Username
Address

It seems to affect early ADSL/Routers, in that if you use them in No NAT they still respond to a DNS request from the WAN. Had the same problem with another site that has a Mikrotik in No Nat, but luckily I managed to block all request on port 53 incoming.

P

Tacitus · Feb 07, 2015, 11:33:23

Quote from: drifting on Feb 07, 2015, 10:49:36
Our scans have detected that your equipment is running software that is exploitable and can be used by hackers to mount a DOS attack on third parties.

This doesn't look as though it's specifically related to Open DNS so I wonder if it's something to do with this? http://mis.fortunecook.ie also here: http://mis.fortunecook.ie/misfortune-cookie-tr069-protection-whitepaper.pdf

This exploit uses the TR-069 router remote management protocol to take over a machine, so I wonder if iDNet scan users IP address and the appropriate ports (7547?) looking to see if there is evidence of this vulnerability or any open ports that should be closed.

I temporarily used an Apple Airport with the Huawei modem when I first had Fibre and was astonished to find that whilst WAN facing ports were closed, none were stealthed. I concluded that whilst the Airport is a nice piece of kit, it's only really useful as a wireless access point.

Steve · Feb 07, 2015, 15:57:59

I think Apple's view is that NAT is sufficient plus there's obviously no firewall on the router, so it's down to your device for that security. I ran an AEBS for a while and never had an issue but of course there's always a feeling of discomfort over the lack of a firewall.

Tacitus · Feb 07, 2015, 17:33:58

Quote from: Steve on Feb 07, 2015, 15:57:59
I think Apple's view is that NAT is sufficient plus there's obviously no firewall on the router, so it's down to your device for that security. I ran an AEBS for a while and never had an issue but of course there's always a feeling of discomfort over the lack of a firewall.

I agree. As it happens I had got the machine's firewall switched on, but as you say you don't really feel comfortable with it. In the past I used the AEBS purely as a wireless access point as back then not many routers had built in wireless.

drifting · Feb 07, 2015, 17:45:41

This is not an OpenDNS conversation, it is about having a DNS that is an open resolver. Must admit I should have made it clearer in the first post. You mean you were not thinking what I was thinking? :-)

Here is one way of testing your router / server etc.

http://openresolver.com/

or

dig +short test.openresolver.com TXT @1.2.3.4 (IP address)

Annoying part is it is just the routers, and they in effect should not be responding to DNS anyway, but it seems lots do, even if I am only using them in effect to do a pppoa connection. None of the Linux boxes respond to the above test, just the damn routers! Sigh...
So back to my question, is anyone running NO NAT, and passed the above test on their router? What is the make? I need to buy some it seems in a hurry to placate IDnet.

P

Technical Ben · Feb 07, 2015, 22:02:50

Oooooohhhhhhh! I had a friend who's Linksys seems to have suffered from this exploit. The only advice I had at the time was to not use it until a firmware update was made (which was about am onth later, even their ISP could not help at the time and it was an ISP provided router, and it seems to get DNS hacked/re-directed every time we rebooted/reset it. The dns resolved to lots of fake banking/search engines and traced the ip to the eastern Europe or the far east).

[edit]
Ah, so it's not OpenDNS (sorry my fault for missing the space

) or a DNS exploit hack... but a problem with open (notice the space) DNS resolvers?

Thanks!

pukkahq · Mar 09, 2015, 08:18:21

Go have a look at a MikroTik router. If you have some old hardware kicking about, m0n0wall or pfsense

Paul

pctech · Mar 09, 2015, 17:58:40

I think what is being referred to are sweeps for recursive DNS?

This should explain http://www.dnsmadeeasy.com/authoritative-vs-recursive-dns-servers-whats-the-difference/

What type of routers are being used and what type of connections are they terminating?