Redlinexyzzy
Tuning in
2 years ago

Open DNS Resolver

Long story short(ish) - I recently changed my old router after a situation where my original started to fail DHCP requests. I also ended up with a new hub, but, the installer was also seeing that problem that he couldn't immediately fix.

Since that router change I also started to receive Open DNS resolver messages and letters from VM. The config was a mirror of what I previously used with minimal WAN side services being used. Tests showed that port 53 wasn't open, yet, my router was indeed continuing to respond to and serving incoming DNS requests (checked from multiple IP addresses using nslookup). I did many tests including removing all devices on my local network, yet, the external DNS responses were still given.

I raised the issue with the vendor and had no success so far and have asked for escalation today.

Yesterday I SSH'd into the router and analysed what ports on which IP addresses were being monitored, and indeed, both my primary WAN and backup WAN connections were listed. This is from inside the router, not an external view.

I have found a config on the router where the DNS provides only Server Fail messages, but this still leaves other vulnerabilities and probably ongoing messages and letters from VM. I suspect that it revolves around defining which DNS my internal devices use (having had numerous problems previously with VM DNS).

I won't name the vendor and router yet, but, I think I may need to do that soon to get some attention from them. However, I see a number of other posts about the same manufacturer. 

I know their emails and letters will be automatically generated, but, there is little point in keeping on telling me while I try to mitigate and fix the problem.
Is there any way of advising VM that I am aware of the problem and am dealing with it? 

  • efpk1959
    2 years ago

    Yes it is. I have just been in touch with the retailer and they have agreed to a refund, as long as I have a case number from the manufacturer showing that I have tried to resolve the issue with their technical department.

  • Hello Redlinexyzzy.

    Thank you for your post.

    With this being a 3rd party device, it would be best to continue with your current contact methods.

    Can you please keep us updated on how you get on.

    Gareth_L

  • efpk1959
    On our wavelength

    I too have received emails and letters from Virgin Media about Open DNS Resolver after installing a new router. I have done a test on Openresolver.com and that shows no issue. I have also tested port 53, which is closed. I have now gone back to my old TP-Link router, as I received another email from VM 2 days ago. I don’t know how to fix the problem. I have configured OpenVPN server and Instant Guard VPN on the new router, other than that most other settings are default. It has never been an issue on the old router.

    • Redlinexyzzy
      Tuning in

      Just because port 53 doesn't report as open, it doesn't mean that DNS requests to your IP address are rejected. I previously did a port scan across all common ports against my router. Nothing showed as open.

      If you can, get someone to run a terminal command nslookup using the format 

      nslookup URL (eg bbc.co.uk) your_IP_address

      If you get any response, your router is still processing DNS requests on port 53. You can do it from your own network, but, that may not be conclusive. If you do get a response, turn off every device on your network so only the router is running and redo the nslookup. That will prove you don't have any internal devices running a DNS service.

      I also logged into my router using SSH and showed that the Linux OS was listening to port 53 on my WAN IP address. dnsmasq is the process that runs DNS on many systems. That had a major vulnerability problem in 2021. In theory, that has been fixed on the version of firmware I have, but, two other major vulnerabilities still exist. The vendor has been somewhat less than interested in either accepting the problem or doing something about it. I have passed the information onto a personal contact at GCHQ. Having vendors put product out that can be compromised on a large scale is something I think they may take an interest in. I also expect that VM are passing on the details of their testing although they would never admit it.

      • efpk1959
        On our wavelength

        Thank you for the reply.

        I have done as you suggested and it is definitely the router that is at fault. I have been on to the manufacturer's technical support over the past two to three weeks, and I don’t think they know what the problem is. I have changed settings they suggest and the problem still persists. I have done exactly the same tests on my old TP-Link router and that is fine. I will wait for a new firmware update before I try the new router again.
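
The nslookup check described in this thread can be scripted so the result is unambiguous. The following is an added example, not code from any poster or vendor: it sends one recursive A query over UDP (as nslookup does by default) to your own WAN address and classifies the reply, separating a full open resolver from a router that only returns errors such as Server Fail but still answers on the WAN side. The function names and result labels are assumptions made for this example, and it handles IPv4 only.

```python
import secrets
import socket
import struct
import sys

def build_query(name, txid):
    """Encode a DNS question (type A, class IN) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, txid):
    """Interpret the 12-byte DNS header of a reply to build_query()."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 0 and recursion_available and answers > 0:
        return "open-resolver"                 # resolved the name for an outsider
    if rcode == 5:
        return "refused"                       # listening, but declines the query
    return "responds-without-answer"           # e.g. SERVFAIL: still reachable

def probe(ip, name="bbc.co.uk", timeout=3.0):
    """Send one query to ip:53/udp and classify whatever comes back."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((ip, 53))                    # only accept replies from ip:53
        try:
            s.send(build_query(name, txid))
            return classify(s.recv(4096), txid)
        except OSError:                        # timeout or ICMP port unreachable
            return "no-reply"

if __name__ == "__main__":
    # Run from a connection outside your own network, against your own WAN IP.
    print(probe(sys.argv[1]))
```

Only "no-reply" means the router is ignoring outside DNS queries; any other result means something is still listening on UDP port 53 from the WAN side.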