
Topic: DNS on WAN port open -> allows local nameresolution from WAN


Dear Community,

I'm experiencing an issue on my OpenWRT system (bleeding edge, r28202) installed on a DLink-Dir300 Rev.B.

I accidentally found out that my box resolves local (and all other) hostnames on the WAN port. Here is an example from an external host:

--
root@vps:~$ nslookup gateway.lan my.dyndns.org
Server:         my.dyndns.org
Address:       x.x.x.x#53

Name:   gateway.lan
Address: 192.168.1.1
--

When I google for this problem I only find two threads where the issue is fixed by updating the software. But these threads are at least 2 years old...

I tried to block this by adding some lines in the firewall, but I had no success with that:

--
root @ OpenWrt ~ # cat /etc/config/firewall
...
# NOTE(review): 'src_dport' is not an option of a 'rule' section (rules match
# on 'dest_port'), so the port match is silently ignored here -- see the
# diagnosis later in the thread.
config rule
        option src              wan
        option src_dport        53
        option proto            udp
        option target           DROP
...
--

Any help for fixing this is appreciated.

I guess you have an incomplete rule somewhere which actually opens all ports.

Okay, so I'll drop the trousers and show you my whole firewall config:
(Before you ask: /etc/firewall.user is empty)

---

root @ OpenWrt ~ # cat /etc/config/firewall
# /etc/config/firewall as posted; review remarks are marked NOTE(review).
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

# LAN side: everything addressed to the router itself is accepted.
config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

# WAN side: input is REJECT, so services running on the router (dnsmasq,
# dropbear, ...) are reachable from the WAN only through an explicit 'rule'
# section further down.
config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

### Customized Rules
# port redirect of remapped ssh port (2201) on wan
# SSH to the router itself (localhost)
# NOTE(review): a redirect whose dest_ip is the router's own LAN address is
# reported later in the thread not to work; the poster ends up running a
# second dropbear listener on 2201 and opening it with a plain 'rule' instead.
config redirect
        option src              wan
        option src_dport        2201
        option dest             lan
        option dest_port        22
        option dest_ip          192.168.1.1
        option proto            tcp

# this rule should be superfluous (original: "diese Regel sollte ueberfluessig sein")
# NOTE(review): it is worse than superfluous. 'src_dport' is not an option of
# a 'rule' section (rules match on 'dest_port'), so it is ignored and what
# remains is "src wan, target ACCEPT" with no port and no protocol: every
# service on the router, including dnsmasq on udp/53, becomes reachable from
# the WAN. This is the open resolver seen in the nslookup above; delete it.
config rule
        option src              wan
        option src_dport        2201
        option target           ACCEPT

# port redirect of remapped ssh port (2222) on wan
# SSH to p3-roemer2201-laptop
config redirect
        option src              wan
        option src_dport        2222
        option dest             lan
        option dest_port        22
        option dest_ip          192.168.1.201
        option proto            tcp

# port redirect of remapped ssh port (22) on wan
# SSH to the home server
config redirect
        option src              wan
        option src_dport        22
        option dest             lan
        option dest_port        22
        option dest_ip          192.168.1.200
        option proto            tcp

# port redirect of remapped web port (80) on wan
# HTTP to the home server
config redirect
        option src              wan
        option src_dport        80
        option dest             lan
        option dest_port        80
        option dest_ip          192.168.1.200
        option proto            tcp

# OpenVPN to the lab ("Bastel") network
config redirect
option src              wan
option src_dport        1194
option dest             lan
option dest_port        1194
option dest_ip          192.168.1.201
option proto            udp


# NOTE(review): the same undefined option as in the ACCEPT rule above, so the
# port match is lost and this reads "drop all udp from wan". Rules apply in
# file order, so it cannot undo the ACCEPT rules that precede it. The intended
# form is 'option dest_port 53'; once the blanket ACCEPT is removed, the wan
# zone's input REJECT already covers port 53 and this rule is not needed.
config rule
        option src              wan
        option src_dport        53
        option proto            udp
        option target           DROP

### EXAMPLE CONFIG SECTIONS
# left out due to commented out
...

---

If you need this:

---

root @ OpenWrt ~ # cat /etc/config/dhcp

# dnsmasq provides DHCP and DNS for the lan. Nothing in this section limits
# which interfaces answer DNS queries, so whether WAN hosts can use the
# resolver is decided entirely by the firewall (dnsmasq's 'notinterface'
# option would add a second, bind-side line of defence -- not used here).
config 'dnsmasq'
        option 'domainneeded' '1'
        option 'boguspriv' '1'
        option 'filterwin2k' '0'
        option 'localise_queries' '1'
        # refuse upstream answers that point into private address ranges
        option 'rebind_protection' '1'
        option 'rebind_localhost' '1'
        # names under .lan are answered locally and never forwarded upstream;
        # this is the gateway.lan -> 192.168.1.1 answer shown in the nslookup
        option 'local' '/lan/'
        option 'domain' 'lan'
        option 'expandhosts' '1'
        option 'nonegcache' '0'
        option 'authoritative' '1'
        option 'readethers' '1'
        option 'leasefile' '/tmp/dhcp.leases'
        option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '110'
        option 'limit' '199'
        option 'leasetime' '12h'

# no DHCP offered on wan; this switches off DHCP only, not DNS, for that interface
config 'dhcp' 'wan'
        option 'interface' 'wan'
        option 'ignore' '1'

# static lease
config 'host'
        option 'name' 'girlfriend-mobilephone'
        option 'ip' '192.168.1.9'
        option 'mac' 'B8:F9:34:1C:81:36'

# more static hosts
...

---

The rule "# diese Regel sollte ueberfluessig sein" is causing it. The option "src_dport" is not defined for rules (it's "dest_port" there), therefore it actually means "wan ACCEPT all".

Vielen Dank!

This problem is fixed. So I can go to bed and rest assured! :-)

Thank you!

Well, I ran into another problem. I commented these lines out and there is no global name resolution anymore, but I can not connect to my OpenWRT box from the WAN. I thought that these lines would help, but actually they didn't:

---
# NOTE(review): this rule alone did not restore access, presumably because the
# 'redirect' for 2201 rewrites the destination port to 22 before the input
# filter runs, so a rule matching dest_port 2201 never sees the packet
# (inference; verify against the generated iptables rules).
config rule
        option src              wan
        option dest_port        2201
        option proto            tcp
        option target           ACCEPT
---

(Last edited by roemer2201 on 11 Jan 2012, 01:33)

Well, I did not find any working port-forwarding solution for wan:2201 to lan/localhost:22

So I told my dropbear to listen on port 2201 as well:

----
root @ OpenWrt ~ # cat /etc/config/dropbear
# Listener on the default port; with wan input set to REJECT it is reachable
# from the lan only.
config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port         '22'
#       option BannerFile   '/etc/banner'
# Second listener on 2201, the port the firewall rule below opens on wan.
# NOTE(review): with PasswordAuth and RootPasswordAuth both 'on', this
# WAN-facing listener accepts root password logins. For an internet-exposed
# port prefer key-based auth (PasswordAuth 'off'), or at least
# RootPasswordAuth 'off', and keep an eye on the log for repeated failures.
config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port         '2201'
#       option BannerFile   '/etc/banner'
----

After that, the only firewall rule needed is:

----
# Opens tcp/2201 on wan for the second dropbear listener. Unlike the earlier
# attempt this uses 'dest_port', the option a 'rule' section actually matches
# on, and limits the match to tcp.
config rule
        option src              wan
        option dest_port        2201
        option target           ACCEPT
        option proto            tcp
----
