<p dir="ltr"><br>
On 25 Jan 2013 17:23, "Michael Richardson" <<a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a>> wrote:</p>
<p dir="ltr">> It also seems that there is no control to keep dnsmasq from answering<br>
> on my ge00. I guess some trojans try to use me for DOS amplification by<br>
> asking for <a href="http://isc.org" target="_blank">isc.org</a> continuously?<br>
There is.<br></p><p dir="ltr">Although dnsmasq listens on 0.0.0.0:53 and :::53, it is not responding on ge00, thanks to "list notinterface ge00" in /etc/config/dhcp.</p><p dir="ltr">
This means that port 53 is open, but DNS is not accessible from ge00, see:</p><p dir="ltr">solt@mkslnx004:~$ nmap -sV -p 53 A.B.C.D<br><br>Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2013-01-25 18:55 CET<br>
Nmap scan report for XXXXX (A.B.C.D)<br>Host is up (0.018s latency).<br>PORT STATE SERVICE VERSION<br>53/tcp open tcpwrapped<br><br>Service detection performed. Please report any incorrect results at <a href="http://nmap.org/submit/">http://nmap.org/submit/</a> .<br>
Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds<br></p><p dir="ltr">solt@mkslnx004:~$ nslookup <a href="http://kernel.org">kernel.org</a> A.B.C.D<br>;; connection timed out; no servers could be reached<br><br>
</p><p dir="ltr">If you want to close that down you could drop all on ge00 by: iptables -I zone_wan -j DROP</p><p dir="ltr">or just filter 53.</p><p dir="ltr">Regards,<br>Maciej<br></p>
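<p dir="ltr">The two mitigations discussed in this reply, dnsmasq's "list notinterface" entry in /etc/config/dhcp and a firewall rule for port 53 on the WAN side, as an added example that is not part of the original mail or of the dnsmasq/OpenWrt projects. The script checks a constructed sample of /etc/config/dhcp for a notinterface entry covering a given interface (ge00 is the WAN name used in the thread) and prints matching iptables rules as a second layer; the INPUT chain and per-protocol rules are assumptions, since the mail only names the OpenWrt zone_wan chain and a blanket DROP.</p>

```shell
#!/bin/sh
# Added example (not from the original mail): check an OpenWrt/CeroWrt
# /etc/config/dhcp for a "list notinterface" entry covering the WAN
# interface, so dnsmasq will not answer queries arriving there, and print
# a port-53 firewall rule for the same interface as a second layer.

# Constructed sample of /etc/config/dhcp. The interface name ge00 is the one
# used in the thread; the remaining options are typical defaults.
SAMPLE_DHCP_CONFIG='config dnsmasq
    option domainneeded 1
    option localise_queries 1
    option domain "lan"
    list notinterface "ge00"

config dhcp lan
    option interface lan
    option start 100
    option limit 150
    option leasetime 12h
'

# dnsmasq_ignores_iface CONFIG_TEXT IFACE
# Exit status 0 if IFACE is named in a "list notinterface" line inside the
# "config dnsmasq" section, 1 otherwise. UCI values may or may not be quoted.
dnsmasq_ignores_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "config" { in_dnsmasq = ($2 == "dnsmasq") }
        in_dnsmasq && $1 == "list" && $2 == "notinterface" {
            v = $3
            gsub(/["'\'']/, "", v)
            if (v == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# firewall_rules_for IFACE
# Prints iptables rules that drop DNS on IFACE. The mail uses the OpenWrt
# zone_wan chain; the plain INPUT chain is an assumption made here so the
# rules read the same on any Linux host.
firewall_rules_for() {
    printf 'iptables -I INPUT -i %s -p udp --dport 53 -j DROP\n' "$1"
    printf 'iptables -I INPUT -i %s -p tcp --dport 53 -j DROP\n' "$1"
}

# Usage: report on the interface named on the command line (default ge00).
iface="${1:-ge00}"
if dnsmasq_ignores_iface "$SAMPLE_DHCP_CONFIG" "$iface"; then
    echo "dnsmasq will not answer on $iface; defense-in-depth rules:"
else
    echo "WARNING: dnsmasq answers on $iface; add 'list notinterface $iface' and:"
fi
firewall_rules_for "$iface"
```

<p dir="ltr">Note that, as the nmap output in the reply shows, notinterface keeps dnsmasq from answering but leaves the socket bound, so a scan still reports port 53 as open; only the firewall rule makes the port disappear from the WAN side.</p>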