Page 1 of 2
Results 1 to 10 of 15

Thread: Why is port 53/tcp open?

  1. #1
    Join Date
    Dec 2009
    Beans
    49

    Why is port 53/tcp open?

    After installing Ubuntu 12.04 yesterday and running an nmap scan I found that port 53/tcp is open: domain service. This was during a scan of the localhost. Another scan of my IP address is showing the same port and others open, but I am certain this second scan is showing my IP provider's end. So, why is port 53 open and how can I close it?

  2. #2
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Why is port 53/tcp open?

    Quote Originally Posted by caffeinated blood:
    After installing Ubuntu 12.04 yesterday and running an nmap scan I found that port 53/tcp is open: domain service. This was during a scan of the localhost. Another scan of my IP address is showing the same port and others open, but I am certain this second scan is showing my IP provider's end. So, why is port 53 open and how can I close it?
    It is for DNS; you want it open if you want DNS to work.

    See this link: Dangertux's guide to firewalls.
    Last edited by haqking; April 28th, 2012 at 05:22 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  3. #3
    Join Date
    Dec 2009
    Beans
    49

    Re: Why is port 53/tcp open?

    Well, that's great if port 53 is 'supposed' to be open. However, if this port needs to be open for internet use, why has it never appeared in nmap scans on previous Ubuntu versions with fully functional internet access?

  4. #4
    Join Date
    Apr 2012
    Beans
    12

    Re: Why is port 53/tcp open?

    Quote Originally Posted by caffeinated blood:
    Well, that's great if port 53 is 'supposed' to be open. However, if this port needs to be open for internet use, why has it never appeared in nmap scans on previous Ubuntu versions with fully functional internet access?
    I've been wondering this myself too.

  5. #5
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Why is port 53/tcp open?

    TCP port 53 is used for domain transfers; the only reason I can see it being open is if the OP is running a DNS server. DNS servers also listen on UDP port 53 to accept queries from client resolvers.

    Port 53 was open on my 12.04 machine because I had an instance of bind9 running, and it was listening to that port. I probably installed it for testing purposes at some point or another. I stopped it (with 'sudo service bind9 stop') and confirmed I can still resolve names as I expected.

    OP:
    Run the command "sudo netstat -plnt" to see a list of which programs are listening on which TCP ports. (Replace "t" with "u" in the options to view TCP ports or use -plntu to see both.) What program is bound to port 53?
    Last edited by SeijiSensei; April 28th, 2012 at 06:19 AM.

  6. #6
    Join Date
    Apr 2012
    Beans
    12

    Re: Why is port 53/tcp open?

    Quote Originally Posted by SeijiSensei:
    TCP port 53 is used for domain transfers; the only reason I can see it being open is if the OP is running a DNS server. DNS servers also listen on UDP port 53 to accept queries from client resolvers.

    Port 53 was open on my 12.04 machine because I had an instance of bind9 running, and it was listening to that port. I probably installed it for testing purposes at some point or another. I stopped it (with 'sudo service bind9 stop') and confirmed I can still resolve names as I expected.

    OP:
    Run the command "sudo netstat -plnt" to see a list of which programs are listening on which TCP ports. (Replace "t" with "u" in the options to view TCP ports or use -plntu to see both.) What program is bound to port 53?
    I have a fresh install of 12.04.

    Does this look normal:

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      938/smbd        
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1803/dnsmasq    
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1077/cupsd      
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      938/smbd        
    tcp6       0      0 :::139                  :::*                    LISTEN      938/smbd        
    tcp6       0      0 ::1:631                 :::*                    LISTEN      1077/cupsd      
    tcp6       0      0 :::445                  :::*                    LISTEN      938/smbd

    Do you have any recommendations for me to block anything?

  7. #7
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Why is port 53/tcp open?

    Code:
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1803/dnsmasq

    OK, that's what I thought might be happening.

    12.04 now runs dnsmasq, a compact DNS server. The reasoning for this, according to the developers, is to handle situations where your machine has multiple network interfaces with different DNS servers. This can pose problems for people using virtual private networks (VPNs) and in other so-called "multi-homed" contexts. (Personally, I think this approach is overkill since the proportion of users facing this problem is pretty small.)

    So starting with 12.04 every Ubuntu machine will be running a local DNS server by default. However, it should only be listening to port 53 on the localhost (127.0.0.1) interface, as shown in the netstat results you posted. This doesn't pose a security threat, since the localhost interface isn't visible from outside your machine. If you scan your machine from another machine on the network with a tool like nmap, you should not see an open port 53.

    So, no, this isn't a security problem, but I'm sure it's going to confuse some people for a while.

    (The decision to use resolvconf to rewrite /etc/resolv.conf, which is also discussed in Graber's post, has some significant "fallout" as well, but not relevant to the issue here.)

    These are fairly major changes in the way Ubuntu handles name resolution, ones that make 12.04 different from all previous releases and from other Linux distributions. I've specifically disabled all of this stuff on my machine because I use my own custom resolv.conf file and my own local nameservers to resolve names. For people like me these changes created problems where none existed before.

    The claim in Dangertux's firewalling howto that haqking linked to is definitely wrong. As caffeinated blood rightly observed, machines need not have either TCP or UDP port 53 open to resolve names successfully.
    Last edited by SeijiSensei; April 28th, 2012 at 07:37 AM.
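    An added example (not from any post in this thread) that automates the check SeijiSensei describes in #5 and #7: it reads "netstat -plnt"-style output and separates listeners bound only to loopback (127.x or ::1, such as the dnsmasq line above) from those bound to 0.0.0.0, :: or an interface address, which are the ones another host could reach. The embedded sample is the table posted in #6; the function and helper names are my own.

```shell
#!/bin/sh
# Constructed sample: the netstat -plnt output posted earlier in this thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      938/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1803/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1077/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      938/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      938/smbd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1077/cupsd
tcp6       0      0 :::445                  :::*                    LISTEN      938/smbd'

# list_listeners MODE (hypothetical helper): MODE is "loopback" (bound to
# 127.x or ::1) or "exposed" (bound to 0.0.0.0, :: or a real interface
# address). Reads netstat output on stdin; prints "proto port program"
# for every LISTEN socket in that class.
list_listeners() {
    awk -v mode="$1" '$6 == "LISTEN" {
        # Local Address is host:port; the port is the last ":"-separated field,
        # which also handles IPv6 forms such as ":::139" and "::1:631".
        n = split($4, parts, ":")
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        is_loopback = (host ~ /^127\./ || host == "::1")
        if (mode == "loopback" && !is_loopback) next
        if (mode == "exposed"  &&  is_loopback) next
        split($7, prog, "/")          # "1803/dnsmasq" -> program name
        print $1, port, prog[2]
    }'
}

exposed_listeners()  { list_listeners exposed;  }
loopback_listeners() { list_listeners loopback; }

# count_lines: number of input lines, so results can be checked numerically.
count_lines() { awk 'END { print NR }'; }

# Stand-alone run against the sample: only smbd on 139/445 is reachable
# from another host; dnsmasq (53) and cupsd (631) are loopback-only.
echo "Exposed listeners:";       printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "Loopback-only listeners:"; printf '%s\n' "$SAMPLE_NETSTAT" | loopback_listeners
```

    On a live machine pipe `sudo netstat -plnt` (the command from #5) into the functions instead of the sample; the column layout assumed here is netstat's, not that of `ss`.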

  8. #8
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    Re: Why is port 53/tcp open?

    Yeah, sorry, I was confused here.

    I was assuming it was seen as you were running a DNS service, as the only time a port is "open" is when a service is listening on it, so I assumed you had DNS and therefore would require it.

    I wasn't aware 12.04 had a DNS listening service running by default.

    Peace
    Last edited by haqking; April 28th, 2012 at 05:17 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013

  9. #9
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Why is port 53/tcp open?

    Umm, yes, you do need it open outbound but not inbound. Feel free to bang your head against a wall with that though...
    Last edited by Dangertux; April 28th, 2012 at 06:01 PM.

  10. #10
    Join Date
    Aug 2008
    Location
    WA
    Beans
    2,186
    Distro
    Ubuntu

    Re: Why is port 53/tcp open?

    Quote Originally Posted by SeijiSensei:
    TCP port 53 is used for domain transfers; the only reason I can see it being open is if the OP is running a DNS server. DNS servers also listen on UDP port 53 to accept queries from client resolvers.
    Large results over UDP, exceeding 512 bytes, can cause the results to be truncated or the query to fail altogether. The first time I came across this was on one of my firewalls many years ago, with CNN and Google. So, TCP is used in these cases.

    But there is no need to open 53/TCP INPUT - as it is covered by the normal "established/connected" behaviour of a masquerade for outgoing connections.
    Last edited by iponeverything; April 28th, 2012 at 05:19 PM.

