On 25 Jan 2013 17:23, "Michael Richardson" wrote:
> It also seems that there is no control to keep dnsmasq from answering
> on my ge00. I guess some trojans try to use me for DOS amplification by
> asking for isc.org continuously?

There is. Although dnsmasq listens on 0.0.0.0:53 and :::53, it is not responding on ge00, thanks to

    list notinterface ge00

in /etc/config/dhcp. This means that port 53 is open, but DNS is not accessible from ge00, see:

solt@mkslnx004:~$ nmap -sV -p 53 A.B.C.D

Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 18:55 CET
Nmap scan report for XXXXX (A.B.C.D)
Host is up (0.018s latency).
PORT   STATE SERVICE    VERSION
53/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

solt@mkslnx004:~$ nslookup kernel.org A.B.C.D
;; connection timed out; no servers could be reached

If you want to close that down you could drop all on ge00 by:

iptables -I zone_wan -j DROP

or just filter 53.

Regards,
Maciej
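The check Maciej describes, as an added example that is not part of the thread: a small Python script that parses an OpenWrt/CeroWrt-style /etc/config/dhcp, reports whether dnsmasq would still answer queries arriving on a given interface (the `notinterface` list excludes an interface; a non-empty `interface` list restricts service to the listed ones), and prints the narrower "just filter 53" iptables rules. The two sample configs are constructed for the example, the interface names ge00/se00 and the chain name zone_wan are taken from the post, and the rule format is an assumption about how one would filter only DNS on that chain rather than dropping everything.

```python
"""Check whether dnsmasq answers DNS on the WAN side, from /etc/config/dhcp.

Added example, not code from the mailing-list thread.  The sample UCI
configs below are constructed; 'zone_wan' and 'ge00' are assumed from the post.
"""
import shlex


def parse_uci(text):
    """Minimal parser for OpenWrt UCI files: 'config <type> [name]',
    'option <key> <value>' and 'list <key> <value>' lines, with shell-style
    quoting and '#' comments."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        kw = words[0]
        if kw == "config" and len(words) >= 2:
            current = {"type": words[1],
                       "name": words[2] if len(words) > 2 else None,
                       "option": {}, "list": {}}
            sections.append(current)
        elif kw in ("option", "list") and current is not None and len(words) >= 3:
            key, value = words[1], words[2]
            if kw == "option":
                current["option"][key] = value
            else:
                current["list"].setdefault(key, []).append(value)
    return sections


def dns_answers_on(dhcp_config, iface):
    """Heuristic for the first 'config dnsmasq' section: queries arriving on
    `iface` are answered unless it is in 'notinterface', or a non-empty
    'interface' list exists that does not include it."""
    for sec in parse_uci(dhcp_config):
        if sec["type"] != "dnsmasq":
            continue
        if iface in sec["list"].get("notinterface", []):
            return False
        only = sec["list"].get("interface", [])
        if only and iface not in only:
            return False
        return True
    return False  # no dnsmasq section at all: nothing is listening


def port53_drop_rules(iface, chain="zone_wan"):
    """iptables commands that drop only DNS on the WAN-side chain (assumed
    rule form), as an alternative to '-I zone_wan -j DROP' from the post."""
    return ["iptables -I %s -i %s -p %s --dport 53 -j DROP" % (chain, iface, proto)
            for proto in ("udp", "tcp")]


# Constructed sample: dnsmasq with no interface restriction at all.
EXPOSED = """\
config dnsmasq
	option domainneeded	1
	option localise_queries	1
	option rebind_protection	1
	option local	'/lan/'
	option domain	'lan'
	option leasefile	'/tmp/dhcp.leases'

config dhcp lan
	option interface	lan
	option start	100
	option limit	150
	option leasetime	12h
"""

# Constructed sample: same config with the WAN interface excluded.
FIXED = """\
config dnsmasq
	option domainneeded	1
	option localise_queries	1
	option rebind_protection	1
	option local	'/lan/'
	option domain	'lan'
	list notinterface	ge00
	option leasefile	'/tmp/dhcp.leases'

config dhcp lan
	option interface	lan
	option start	100
	option limit	150
	option leasetime	12h
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("fixed", FIXED)):
        print("%s: dnsmasq answers on ge00: %s" % (label, dns_answers_on(cfg, "ge00")))
    print("\n".join(port53_drop_rules("ge00")))
```

Note that this only reads the configuration; the nmap "tcpwrapped" result in the post is what you see when the TCP handshake completes but the service drops the connection without answering, so a config check like this and an external query from the WAN side are complementary, not equivalent.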