Veteran Member
Join Date: Jun 2006
Location: Florida
Ok, this is driving me nuts. I originally mentioned this problem in the Airport thread but am moving here for further explanation and in hopes someone knows what is going on.
The long and the short is that on my new Airport Extreme 802.11n model, all ports return a stealth status (after NAT-PMP filtering is enabled) except Port 53. Port 53, evidently, is the DNS port and returns an open status. In my limited knowledge of networking this is a no-no when you want to secure your network. For the life of me (and some people on the Apple Discussion Forums for that matter) I cannot figure out why this port is open, how to return it as stealth, or what to do next. So far I have tried to forward port 53 to something so that it returns a stealth status but the Airport will not let me forward it because it is "in use by a service on the base station." I've tried to run through the logs to see what it is port 53 does but it doesn't make sense to me.
If anyone has any insight as to why this is returning an open port, what it does, and how to fix it I'll gladly respond with words of gratitude.
Member
Here is a little info that may help
TCP Port | Service or Protocol | RFC | Used By/Additional Info
53 | Domain Name System (DNS) | 1034 | MacDNS

UDP Port | Service or Protocol Name | RFC | Used By/Additional Info
53 | Domain Name System (DNS) | 1034 |

This is what Apple uses it for at least.
Veteran Member
Join Date: Jun 2006
Location: Florida
I'm sorry but that might as well be Greek... I don't know what any of that means.
(I now enjoy my posting privileges, so here's the reply I sent yesterday as a private message)
I don't know what you're trying to do exactly, but I'll explain my case (and how I solved it).

0) I host my own DNS/mail/web domain in a Linux box at home.
1) I replaced my ol' router with a brand-new, sleeker Airport Express Base Station 802.11n.
2) As I did before in the router, I forwarded all incoming traffic to my Linux box (NAT-PMP).
3) DNS (port 53) name resolution uses UDP requests.
4) The ABS GUI wouldn't let me forward port 53 UDP (!!). However, NAT seems to work just fine for HTTP(S) and mail.

As a result, my entire domain is down. Why did this happen?

After much pain and woe, I found that the base station has a running, hidden and undocumented DNS caching/forwarding service, listening on port 53 UDP. This service passes on all incoming DNS/UDP requests to the hosts specified in the configuration GUI.

The problem was solved when I used my Linux box's internal IP as the preferred (and only) DNS in the admin GUI. This is far from being a coherent solution, so my domain went back to Network Solutions' own servers.

Another technical workaround would involve enabling two separate DNS views (BIND 9 or higher): one for DNS name resolution requests coming from the Internet, and another one for the LAN.

In other words: Apple thinks you're a lamer that only wants to surf the Internet and use .Mac (no offense intended, but please allow me to go mental for a while). What about an "advanced config" option? What about a product that satisfies both geeks' and regular users' needs?

Well, hope this helps.

//Nando

Last edited by Nando : 2007-02-16 at 08:40.
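Editor's note: the two posts above are really asking the same question from opposite sides: the first poster wants to know what "open" on port 53 means for the outside world, and Nando found that the base station runs a caching forwarder that relays whatever arrives on UDP 53 to the DNS servers configured in the GUI. The script below is an added example (not code from either poster, and not Apple's software) that probes UDP port 53 the way a scanner would and classifies the result. It hand-builds a minimal DNS query, sends it with the RD bit set, and reads the reply header: a reply with QR and RA set means the listener is a recursive resolver or forwarder, which is what Nando describes; an ICMP port-unreachable surfaces as ConnectionRefusedError on a connected UDP socket and is what scanners report as "closed"; silence is what they report as "stealth". The fake forwarder at the bottom is a constructed stand-in used only so the example runs offline; the hostname and the answer address 192.0.2.1 are assumptions.

```python
"""Probe UDP port 53 and classify it as open / closed / stealth.

Added example, not from the forum thread. No third-party DNS library is used;
the query is built and the reply header parsed by hand (RFC 1035 wire format).
"""
import random
import socket
import struct
import threading
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard query for `name` (type A by default) with RD=1, as a stub resolver would."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def parse_reply(data: bytes) -> dict:
    """Decode the 12-byte header: transaction id, QR/RA flags, RCODE and answer count."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "ra": bool(flags & 0x0080),   # 1 = server offers recursion
        "rcode": flags & 0x000F,
        "answers": an,
    }


def probe_udp53(host: str, port: int = 53, name: str = "example.com", timeout: float = 2.0) -> str:
    """Classify the port like a port scanner: 'open ...', 'closed' or 'stealth'.

    On a connected UDP socket the kernel turns an ICMP port-unreachable into
    ConnectionRefusedError (closed); a timeout means nothing came back (stealth).
    """
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(query)
            data = s.recv(512)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
    reply = parse_reply(data)
    if reply["txid"] != txid or not reply["qr"]:
        return "open (non-DNS or mismatched reply)"
    if reply["ra"]:
        return "open (recursive resolver/forwarder)"
    return "open (DNS, recursion not offered)"


def start_fake_forwarder(host: str = "127.0.0.1"):
    """Constructed stand-in for the base station's forwarder: answers every query with
    QR|RD|RA set and one A record (192.0.2.1). Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(512)
            except socket.timeout:
                continue
            if len(data) < 12:
                continue
            header = data[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
            question = data[12:]                                         # echo the question
            # answer: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
            answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
            srv.sendto(header + question + answer, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "udp/53:", probe_udp53(target))
```

Run it from a host outside the base station's WAN side (`python probe.py <public IP>`); "open (recursive resolver/forwarder)" is the result Nando's description predicts, and it is the one that matters, because a forwarder that answers arbitrary Internet clients is an open resolver that can be abused for reflection. Note that a plain TCP connect test is not a substitute here: port 53 UDP and TCP are separate listeners and the thread's "open" finding is about UDP.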
Veteran Member
Join Date: Jun 2006
Location: Florida
|
I'm a little confused as to exactly how you solved this problem. You used your internal IP for your machine as the IP for the AE?
I use my Linux box IP (the one running DNS/mail/http, say 192.168.0.123) as the DNS IP address in the ABS. Nothing to do with the base station's internal IP, which is set to some default value (192.168.0.1 for my network). Of course, my Linux server doesn't use DHCP.
Last edited by Nando : 2007-02-16 at 10:56.
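Editor's note: the "two separate DNS views" workaround Nando mentions earlier looks like the fragment below in a BIND 9 named.conf. This is an added example, not Nando's actual configuration; the zone name example.com, the 192.168.0.0/24 LAN, and the zone file paths are assumptions. The point of the split is that LAN clients get private addresses and recursion, while anything else gets only the public zone data and no recursion, so the server is authoritative to the Internet without being an open resolver.

```conf
// Added example of a two-view BIND 9 named.conf. Assumed: zone example.com,
// LAN 192.168.0.0/24, base station at 192.168.0.1, file paths under /etc/bind.
// Once any view is declared, every zone must be placed inside a view.

// Queries relayed by the base station's forwarder arrive from 192.168.0.1, not
// from the Internet client, so that address is excluded from the LAN ACL
// (negated entries must precede the range they carve out).
acl lan { !192.168.0.1; 127.0.0.1; 192.168.0.0/24; };

view "internal" {
    match-clients { lan; };
    recursion yes;                       // LAN hosts may use this box as their resolver
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.internal";   // RFC 1918 addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;                        // authoritative only: not an open resolver
    allow-query { any; };
    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com.external";   // public addresses only
    };
};
```

The caveat that follows from Nando's description of the forwarder: because the base station originates the relayed query itself, BIND sees 192.168.0.1 as the client and cannot tell an Internet query from a LAN query relayed by the same box. The ACL above therefore treats everything from the base station as external, which is the safe direction; LAN machines that should get the internal view must be pointed directly at the Linux box (192.168.0.123 in Nando's example) rather than at the base station.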
I just started playing around more with the security settings on my Airport Extreme. Ports 53, 5009, and 65530 are open. Ports 139, 445, 548, 9100-9227, and 10000 show as stealth. Everything else shows as closed. While I'm not overly concerned over the differences between closed and stealth, I'm wondering why I have different results than the original poster. I've got NAT/PMP enabled.
Last edited by bjf123 : 2007-04-06 at 16:39.
Veteran Member
Join Date: Jun 2006
Location: Florida
Airport Extreme firmware 7.1 was released today and Port 53 now returns as closed. Not stealth, but I'll take what I can get. For some reason Port 548 is now closed and not stealthed. At least it's basically secure now.
Thanks for the heads-up. Everything is now closed except for 5009 and 65534. I'm not sure if those can be exploited in any way.