How can I configure Peplink devices to prevent TCP port 53 scans from detecting any vulnerabilities, while ensuring that the overall network architecture remains unchanged?
Hello @bit.gao,
Are you referring to the WAN or LAN side?
- On the WAN side, port 53 is closed unless you manually reconfigure the Peplink routers with rules to use that port.
- On the LAN side, port 53 is required for outbound DNS requests to operate via the router; it is a crucial part of the IP standards and is necessary if you want your devices to be able to access any external domain names via the router, unless you are manually defining DNS settings for your LAN network external to the router. If you define external DNS settings for your LAN network, the router’s DNS will not be used. Port 53 cannot be closed on the LAN side of the router.
Happy to Help,
Marcus
We appreciate your response. Our initial assessment was aligned with yours. Nevertheless, the scan results conclusively show that the WAN port is flagged by the scanning tool as having the DNS TCP 53 port enabled. Upon a thorough examination of the Peplink configuration, we’ve found no setting to disable this port. We would be grateful for any advice you could offer.
I don’t see that on my Peplink…
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-27 17:56 EDT
Nmap scan report for 100.126.170.201
Host is up (0.0058s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp filtered http
443/tcp open https
2022/tcp open down
5000/tcp filtered upnp
I only show port 53 as open on a Peplink WAN side when I am port forwarding.
I’m going to suggest that you run a packet capture on your WAN link and look to see if the packets are actually returned by your router and not being answered by some other network intermediary. Some ISPs and other routers will intercept DNS queries and serve them from local cache. I have had some professional network scanning services tell me that port 53 is open when all of the evidence I can gather from clean ISP links show that it is not. I also have to remember that you cannot test raw DNS requests from AT&T wireless since they intercept port 53… they also intercept and analyze port 80 and 443 which causes other odd behaviors with test tools.
Hello @bit.gao,
I agree with @Paul_Mossip that what you have shown us looks more like your ISP intercepting the traffic.
The only true way to test is to disconnect the port and plug a port scanner directly into the WAN port without the ISP in the way.
If the open port shows up with a direct connection, then you have something, most likely port forwarding, and you need to look into the router’s Advanced networking setup.
What version of firmware are you running?
What is the model/SKU of your Peplink device?
Have you reached out to your Peplink supplier? If they are a certified Peplink Supplier, they will have at least one qualified Peplink Engineer on staff with a current PCE. If not, you will need to escalate for support through your supply channel. They will need the details of the device, including configuration, diagnostic files (from the status page), and information on how you are doing the test.
Before pursuing any of the above, I recommend you talk with your ISP; feel free to inform your ISP of this Peplink forum thread.
Happy to Help,
Marcus
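Paul’s suggestion (compare what the router itself answers with what a scanner sees through the ISP) and Marcus’s direct-connection test can be combined into a small check. The script below is an added example and is not from this thread or from Peplink: it parses Nmap’s normal output, lists TCP ports reported open that are outside an allow-list of expected WAN services, and diffs a scan taken through the ISP against a scan taken with a laptop plugged straight into the WAN port. The first sample is the scan Paul posted above; the other two samples, the 198.51.100.10 address and the allow-list contents are constructed for illustration and do not represent Peplink defaults.

```python
"""Parse Nmap normal output and reason about unexpected WAN exposure.

Added example for the forum discussion above, not Peplink's code. The
allow-list and the two "constructed" scans are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Scan output as posted in the thread, embedded so the script runs offline.
SAMPLE_SCAN = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-27 17:56 EDT
Nmap scan report for 100.126.170.201
Host is up (0.0058s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  open     https
2022/tcp open     down
5000/tcp filtered upnp
"""

# Constructed sample: scan of the WAN address taken across the ISP path,
# showing the symptom from the original question (TCP 53 reported open).
SCAN_VIA_ISP = """\
Nmap scan report for 198.51.100.10
Host is up (0.0041s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
53/tcp   open  domain
443/tcp  open  https
2022/tcp open  down
"""

# Constructed sample: same router, scanner plugged directly into the WAN port.
SCAN_DIRECT = """\
Nmap scan report for 198.51.100.10
Host is up (0.0003s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE
443/tcp  open  https
2022/tcp open  down
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
TARGET_LINE = re.compile(r"^Nmap scan report for (?P<target>\S+)")


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Return (target, [PortResult, ...]) from Nmap's normal (non-XML) output."""
    target = None
    results = []
    for line in text.splitlines():
        m = TARGET_LINE.match(line)
        if m:
            target = m.group("target")
            continue
        m = PORT_LINE.match(line)
        if m:
            results.append(PortResult(int(m.group("port")), m.group("proto"),
                                      m.group("state"), m.group("service")))
    return target, results


def open_tcp_ports(text):
    """Set of TCP ports Nmap reported as 'open' ('filtered' is not counted)."""
    _, results = parse_nmap(text)
    return {r.port for r in results if r.proto == "tcp" and r.state == "open"}


# Assumed allow-list for this hypothetical deployment: the HTTPS admin port
# and the 2022 listener seen in Paul's scan. Adjust to your own WAN policy.
EXPECTED_WAN_TCP = {443, 2022}


def unexpected_open_ports(text, expected=EXPECTED_WAN_TCP):
    """Open TCP ports that the WAN policy does not expect."""
    return sorted(open_tcp_ports(text) - set(expected))


def ports_only_via_isp(scan_via_isp, scan_direct):
    """Ports open through the ISP path but not on a direct WAN connection.

    A non-empty result points at an intermediary (e.g. ISP DNS interception)
    rather than the router; an empty result means the router really answers.
    """
    return sorted(open_tcp_ports(scan_via_isp) - open_tcp_ports(scan_direct))


if __name__ == "__main__":
    print("unexpected (posted scan):", unexpected_open_ports(SAMPLE_SCAN))
    print("unexpected (via ISP):    ", unexpected_open_ports(SCAN_VIA_ISP))
    print("only via ISP:            ", ports_only_via_isp(SCAN_VIA_ISP, SCAN_DIRECT))
```

Run each scan with the same port list (`nmap -p-` or the default 1000 ports, unchanged between runs), save with `-oN`, and feed both files to `ports_only_via_isp`. If 53/tcp appears in the direct scan as well, the router is answering and the remaining suspects are port forwarding, inbound load balancing or the DNS-service mapping discussed later in the thread.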
I encountered the same issue after testing.
I assume you are using inbound load balancing as that’s the only logical reason for a Peplink to present port 53 on its WANs without manual port forwarding enabled…
Dear @mldowling,
The Peplink device, model 580, running firmware version 8.4.1, is the scanned IP that provides internet access and acts as a DNS server simultaneously.
Dear Peplink Team,
Given that the primary DNS A record is hosted on the Peplink and TCP port 53 is currently open, we would like to inquire about the possibility of implementing a mechanism to disable TCP port 53.
A temporary hotfix or beta version would be acceptable if necessary.
@Paul_Mossip, Dear Sir,
Although my laptop is directly connected to the Peplink without any intermediate devices, I’m able to scan and confirm that TCP port 53 for DNS is open on the Peplink. What steps should I take to address this?
Hello @bit.gao,
Please submit a ticket to Peplink, or use https://ticket.peplink.com/ticket/new/public
Include in your ticket a URL of this Peplink Community discussion.
Also, add your ticket number here so the forum moderators can reference it.
Happy to Help,
Marcus
I think Martin has it right that it is a feature of your 580.
This website says that you can unmap the DNS service from the affected WANs.
Otherwise, I would look at the inbound service firewall rules. I don’t have a Peplink with that feature to test.