BSNL intercepting in-bound DNS traffic over port 53?

Thread starter: varkey
Replies: 31
Views: 4,987
Last night I was just curious and did a simple default nmap scan of my BSNL public IPv4 address from another network, and I was surprised to see that port 53 is open.
I tried querying with dig and it did return a response. I quickly reviewed my firewall rules: by default everything is blocked, and there is no rule allowing port 53 traffic. But I could still query my public IP address and get valid responses from an external non-BSNL network. I then shut down the dnsmasq instance, but I could still get a valid response.

Then I tried an nmap scan of another IP address which doesn't even ping and looks unallocated as of now. Even that responds to DNS requests. It appears to me they are intercepting any port 53 traffic on their IP space and redirecting it to some other working resolver. Please note this is only for inbound requests, i.e. from the external internet to BSNL.

Below is an IP address that was previously allocated to me; it is now back in the pool and doesn't appear to be allocated to anybody yet.

Code:
[root@varkey-minipc ~]# nmap -Pn 117.215.188.107

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 15:47 IST
Nmap scan report for 117.215.188.107
Host is up (0.077s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 3.89 seconds

Code:
[root@varkey-minipc ~]# dig google.com +short @117.215.188.107
172.217.167.174
[root@varkey-minipc ~]# dig dns.google +short @117.215.188.107
8.8.4.4
8.8.8.8
[root@varkey-minipc ~]#

However, it appears to work only from Indian source IP addresses, because when I tried querying from my VM at Hetzner, it fails.

Code:
root@s1 ~ # nmap -Pn 117.215.188.107

Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-05 12:18 CEST
Nmap scan report for 117.215.188.107
Host is up (0.40s latency).
All 1000 scanned ports on 117.215.188.107 are filtered

Nmap done: 1 IP address (1 host up) scanned in 9.21 seconds
root@s1 ~ # dig dns.google +short @117.215.188.107

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> dns.google +short @117.215.188.107
;; global options: +cmd
;; connection timed out; no servers could be reached
root@s1 ~ #
 
I too have noticed port 53 open while doing an external port scan.
I ignored that, thinking it might be due to some options I enabled in the Netlink ONU 🤐.
 
What are the potential security implications of this? Assuming on the user end there's no issue.
 
End users will have a danger of DNS hijack, which is harmful, as the use of the DNS cache to exploit the correct DNS query to a malicious website.
DNSSEC helps to eliminate this at the highest domain order, the TLD.
 
@popcorn I guess, if the user is using a custom DoH, DoT or DNSCrypt/DNSSEC-capable resolver at the router level at the very least, they should be fine.

I might be wrong though.
 
There is very little chance a user can use these technologies on home routers! Firefox supports DNSSEC: go to Options > Network, you will find it disabled by default, but if you enable it, you can use Cloudflare DNSSEC as the pre-installed config. You can also manually use OpenDNS if you wish. But I have seen a few antivirus suites hate such DNS!!
 


End users will have a danger of DNS hijack, which is harmful, as the use of the DNS cache to exploit the correct DNS query to a malicious website.
DNSSEC helps to eliminate this at the highest domain order, the TLD.

Maybe I misunderstood, but how would an end user be in danger of DNS hijack due to this particular issue?
 
Ok, but how would this specific issue help with that? This resolver is not on the end user's network; the DNS traffic to the IP address never reaches the end user. I don't see how this could help with a DNS hijack of an end user.

Sure, having an open resolver would help someone run an amplification attack (if the resolver doesn't try to mitigate or rate limit such requests), but the end user here, i.e. the BSNL FTTH/broadband user, isn't really affected, is he?
 
DNS takes time to propagate and also depends on network caches. This propagation time and the use of the cache is the period when attackers inject the IP address of a malicious website instead of the genuine IP of the domain which is asked for. DNSSEC is a method to validate this. It is done at the domain registrar level, where a private key is exchanged with the hosting service. The end user is not involved here. But it is always good practice for an end user to use a resolver on the router which is from OpenDNS/Cloudflare/Google.
End users can check at this website: DNSSEC Resolver Test
 
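The posts above argue about whether an off-path attacker injecting a bogus answer into a cache is a risk for the end user here. The check a resolver or forwarder performs on every UDP reply before caching it is the relevant background: the reply must come from the server that was queried, carry the same 16-bit transaction ID, and echo the question that was asked, otherwise it is dropped. The following is an added example written for this thread, not code posted by anyone in it: a minimal DNS message builder and parser that applies exactly those checks to constructed packets (nothing is sent on the network; the BSNL address from the thread appears only as a constant, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges used as stand-ins).

```python
"""Reply-validation checks a stub resolver applies before trusting a DNS answer.

Added example for this thread (not a poster's code). All packets below are
constructed in memory; nothing is sent. Stdlib only.
"""
import secrets
import struct

def encode_name(name: str) -> bytes:
    """Encode 'dns.google' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> tuple:
    """Return (txid, wire) for a recursive query (RD=1) with a random transaction ID."""
    txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (lower-cased name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # caller resumes after the 2-byte pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if jumped else off)

def parse_response(msg: bytes) -> dict:
    """Parse header, question and A records of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((rname, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def accept_reply(expected_txid, expected_name, expected_qtype, server, reply_src, reply):
    """Decide whether a UDP reply may be cached. Returns (accepted, reason)."""
    if reply_src != server:
        return False, "source address/port does not match the queried server"
    r = parse_response(reply)
    if not r["is_response"]:
        return False, "QR bit not set"
    if r["txid"] != expected_txid:
        return False, "transaction ID mismatch"
    if r["qname"] != expected_name.rstrip(".").lower() or r["qtype"] != expected_qtype:
        return False, "question section does not echo the query"
    return True, "accepted"

def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed response: one A record whose owner name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def demo() -> dict:
    """Genuine reply vs. two forged ones; only the genuine reply passes."""
    server = ("117.215.188.107", 53)               # address quoted in the thread
    txid, _query = build_query("dns.google")
    genuine = build_answer(txid, "dns.google", "8.8.8.8")
    wrong_id = build_answer((txid + 1) & 0xFFFF, "dns.google", "203.0.113.10")
    off_path = build_answer(txid, "dns.google", "203.0.113.10")
    return {
        "genuine": accept_reply(txid, "dns.google", 1, server, server, genuine),
        "bad_txid": accept_reply(txid, "dns.google", 1, server, server, wrong_id),
        "bad_source": accept_reply(txid, "dns.google", 1, server, ("198.51.100.7", 53), off_path),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:11s} -> {verdict}")
```

The transaction ID and randomised source port are what make blind injection expensive; they say nothing about whether the server itself answered honestly, which is the gap a validating DNSSEC resolver (as the post above mentions) is meant to close. The forwarder that BSNL appears to be interposing would itself have to pass these checks for the clients querying it, and the end user's own resolver applies them to that forwarder's replies in turn.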
Did the same test. No ports are open. Tested from DO BLR.
Update: tested from Jio 4G.
@varkey nmap shows all ports open.

From BSNL -
Code:
nmap -Pn 117.206.xx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-06 13:22 IST
Nmap scan report for 117.206.xx.xxx
Host is up (0.0023s latency).
Not shown: 999 filtered ports
PORT     STATE  SERVICE
5060/tcp closed sip

Nmap done: 1 IP address (1 host up) scanned in 188.63 seconds
 