Port 53 open by default on SH2?
11-02-2014, 17:04
#1
Inactive
Join Date: Jan 2010
Services: Gig1
Posts: 230
Port 53 open by default on SH2?
I just ran a quick port scan on GRC/ShieldsUp after shutting down my IPFire machine and switching on routing for the SH2 again for a test. With the firewall off on the SH2 the scan showed all ports as closed except 53 (DNS), which was open. Since I don't run any DNS servers I was wondering about this, and after double checking nothing was running on 53 on my local machines (e.g. VPN) I turned on the SH2 firewall to 'Low'. Now the following appears:

What gives? Is port 53 open by default on the SH2 or have I missed something else locally? Since even without the firewall enabled the SH2 has NAT, and UPnP is disabled, I can't see how the port could be forwarding from a local machine and it turns to stealth once the SH2 firewall is enabled. So I'm guessing it has to be the SH2 broadcasting on 53? I use Google DNS set individually per NIC btw. Thanks in advance for any ideas.
11-02-2014, 18:47
#2
CF Resident Dog
Join Date: Mar 2005
Posts: 15,415
Re: Port 53 open by default on SH2?
Mine is also open, most other ports are stealth as they should be though. Not sure why I have several showing as closed, I need to look into this.
11-02-2014, 20:16
#3
Inactive
Join Date: Jan 2010
Services: Gig1
Posts: 230
Re: Port 53 open by default on SH2?
Quote:
Originally Posted by SnoopZ
Mine is also open, most other ports are stealth as they should be though. Not sure why I have several showing as closed, I need to look into this.

Most likely a SH2 thing then, though interesting that your ports seem to differ from mine as regards stealth etc. With the SH2 firewall set to off, every single port in the first 1024 was simply closed except for 53, which was open. Once the firewall went onto low the pattern posted above applied. Cheers for the reply.
As for the whole stealth v closed thing though, it's not really as big a deal as is made out at times. Or at least if you listen to Kaspersky et al. who stopped their firewall 'stealthing' ports in 2009.
They argue (and I would agree) that a 'stealthed' system is the opposite of invisible. If you ping/telnet/whatever a node on the internet standard network protocol dictates you get a 'pong'/reply, or else a 'host unreachable' if it doesn't exist. With a 'stealth' machine the ping is simply dropped silently; automatically, therefore, confirming that there is a machine but that it's refusing to answer either way.
Some info.
Some more.
Better to have all unneeded ports closed properly and secured with a good hardened firewall (ideally a decent hardware appliance like IPFire, pfSense, etc but at least be behind NAT and have a reputable software firewall on top). I digress.
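The two practical questions in this thread are (a) is anything on my own LAN actually listening on 53 before I blame the router, and (b) what do "open", "closed" and "stealth" in a ShieldsUp-style report actually mean at the packet level (SYN/ACK, RST, or silence)? The script below is an added example written for this page, not code from the original posts or from GRC: it parses a constructed scan result shaped like the OP's firewall-off observation, flags any open port not on an allowlist, and includes a loopback TCP probe that classifies a port by the response it receives. `SAMPLE_SCAN`, `EXPECTED_OPEN` and all function names are assumptions for the example; the "stealth" label is GRC's term for what nmap would call "filtered".

```python
import socket
from typing import Dict, List, Tuple

# Ports you deliberately expose to the internet. Constructed for the example:
# the OP runs no public services, so nothing is expected to be open.
EXPECTED_OPEN = set()

# Constructed scan output mimicking the OP's result with the SH2 firewall off:
# everything closed except TCP/53. One "port state" pair per line.
SAMPLE_SCAN = [
    "# port  state   (constructed sample, not real ShieldsUp output)",
    "22 closed",
    "25 closed",
    "53 open",
    "80 closed",
    "443 closed",
]


def classify_scan_output(lines: List[str]) -> Dict[int, str]:
    """Turn 'port state' lines into {port: state}; '#' lines are comments."""
    states: Dict[int, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port_str, state = line.split()[:2]
        states[int(port_str)] = state.lower()
    return states


def unexpected_open(states: Dict[int, str], expected=EXPECTED_OPEN) -> List[int]:
    """Open ports that are not on the allowlist: the ones worth investigating."""
    return sorted(p for p, s in states.items() if s == "open" and p not in expected)


def summarise(states: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state so a report like 'all closed, 53 open' is one line."""
    counts = {"open": 0, "closed": 0, "stealth": 0}
    for s in states.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by what the target answers.

    open     -> handshake completed (the peer sent SYN/ACK)
    closed   -> peer answered with RST (connection refused)
    stealth  -> nothing came back before the timeout (packet dropped silently)
    unreachable -> an ICMP error surfaced, e.g. no host at that address
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"


def demo_local_probe() -> Tuple[str, str]:
    """Show open vs closed on loopback without touching any remote host.

    Binds a throwaway listener on an ephemeral port, probes it while it is
    listening, closes it, and probes again so the same port now refuses.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    states = classify_scan_output(SAMPLE_SCAN)
    print("summary:", summarise(states))
    print("open but not expected:", unexpected_open(states))
    print("loopback probe (listening, closed):", demo_local_probe())
    # The OP's own check: is anything on this machine answering on TCP/53?
    print("local TCP/53:", probe_tcp("127.0.0.1", 53))
```

Run it on each LAN machine: if `probe_tcp("127.0.0.1", 53)` reports "closed" everywhere yet the external scan shows 53 open, the listener is on the router itself (the SH2's own DNS forwarder) rather than anything being forwarded from inside. Note that this only checks TCP; DNS mostly uses UDP/53, which a connect probe cannot classify the same way.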
11-02-2014, 20:50
#4
Inactive
Join Date: Jan 2008
Posts: 954
Re: Port 53 open by default on SH2?
A networking expert friend of mine reliably informs me that "stealth" breaks the internet, as the RFC says the port should reply as open or closed. A minor point I guess.
RainmakerRaw is absolutely correct that a stealthed port is more noticeable than a closed one, for the very fact that it indicates there IS a machine there, in order to silently drop the packet, rather than just reply unreachable. Stealth is NOT better, despite what GRC says.
Personal opinion:
The majority of the information pushed out by ShieldsUp et al. consists of truths or partial truths misrepresented in such a way as to sensationalize things that aren't really an issue at all, in such a way as to bring people to his website, thus increasing his ad revenue.
12-02-2014, 02:46
#5
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Port 53 open by default on SH2?
Quote:
Originally Posted by RainmakerRaw
As for the whole stealth v closed thing though, it's not really as big a deal as is made out at times. Or at least if you listen to Kaspersky et al. who stopped their firewall 'stealthing' ports in 2009.
They argue (and I would agree) that a 'stealthed' system is the opposite of invisible. If you ping/telnet/whatever a node on the internet standard network protocol dictates you get a 'pong'/reply, or else a 'host unreachable' if it doesn't exist. With a 'stealth' machine the ping is simply dropped silently; automatically, therefore, confirming that there is a machine but that it's refusing to answer either way.
Theoretically that's how it's supposed to work but it never works that way in practice.
Virtually all major providers do not propagate "Host unreachable" messages outside the local network. Hence, in almost all cases where the source is outside the LAN, both non-existent and "stealth" machines respond in exactly the same way, both dropping silently and not giving a host unreachable response.
---------- Post added at 01:46 ---------- Previous post was at 01:42 ----------
Quote:
Originally Posted by Milambar
A networking expert friend of mine reliably informs me that "stealth" breaks the internet, as the RFC says the port should reply as open or closed. A minor point I guess.
RainmakerRaw is absolutely correct that a stealthed port is more noticeable than a closed one, for the very fact that it indicates there IS a machine there, in order to silently drop the packet, rather than just reply unreachable. Stealth is NOT better, despite what GRC says.
See above. As a result of the vast majority of providers already not operating in the "correct" fashion, the internet is already broken. But there is nothing of importance that relies on proper responses in this regard anyway. Host unreachable messages are only of real importance to administrators of the network concerned, and not to external/consumer applications.
That said I've repeatedly pointed out to some chagrin from others that adding various sites you don't want to access to your hosts file under "127.0.0.1" also "breaks" the internet, technically, but nobody seems to care.
12-02-2014, 12:11
#6
cf.mega poster
Join Date: Dec 2010
Location: Warrington
Posts: 4,737
Re: Port 53 open by default on SH2?
Liberal usage of the term "break" there, I think. It's not broken, it's just doing something different to what the spec says. If it was broken it wouldn't work at all.
Out of curiosity, does IPv6 have any impact at all on how ports are used/opened/forwarded/etc.?