Nmap open port 53/tcp

I was playing with nmap on my local network and I was wondering why all of my other devices have port 53/tcp open (router, 2 Raspberry Pis and an Android phone). Only my main machine (source of nmap scan) did not show any open ports.

As far as I can tell when I was poking in my RPi with ss I was not able to find anything that was using port 53.

Is this normal? Is there another way to find out why port 53 is considered open?
The command was sudo nmap -sT '192.168.0.0/24'

example
Nmap scan report for pio (*redacted_ip*)
Host is up (0.045s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
MAC Address: *redacted_mac* (Raspberry Pi Foundation)

Port 53 is usually DNS.

OK but I do not have any DNS server running as far as I can find. ss doesn’t show it and systemctl list-units | grep -i dns doesn’t show anything either.

I think it’s DNS anyway. Can you surf the net? Then you have a DNS.

I can’t see how that is connected. The port is open for incoming connections.
I get DNS from my ISP; I do not need DNS active on my device to access the net. My main machine does not have this port open and the net works just fine.

Besides, the only installed package with dns in it on the RPi is

pie:~ >>> aptitude search '~i dns'
i   libdns-export1104                 - Exported DNS Shared Library

Is this the culprit that keeps port open?

ss | grep 53

Will show you the processes running that are using port 53.

Run the command sudo netstat -lep on one of the machines with port 53 open. That should show you what is listening on that port.

Also, having local firewalls on those machines would stop the traffic even if something was listening.

According to this list, port 53 is DNS.

Pudge

Trying on the device which should have port 53 open according to nmap.

This gives me nothing relevant
u_str   ESTAB    0         0                                          * 61531                                                  * 0     
Neither this
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:mysql           0.0.0.0:*               LISTEN      mysql      13175      620/mysqld
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       13124      546/sshd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      root       17776      993/exim4
tcp6       0      0 localhost:9665          [::]:*                  LISTEN      jdown      41944      14484/java
tcp6       0      0 localhost:9666          [::]:*                  LISTEN      jdown      44504      14484/java
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       13126      546/sshd
tcp6       0      0 [::]:42553              [::]:*                  LISTEN      jdown      44503      14484/java
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      root       17777      993/exim4
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           root       12861      521/dhcpcd
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7           root       12865      521/dhcpcd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     61530    19824/systemd        /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     61535    19824/systemd        /run/user/1000/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     61536    19824/systemd        /run/user/1000/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     61537    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     61538    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     61539    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     9679     1/init               /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     9686     1/init               /run/systemd/fsck.progress
unix  2      [ ACC ]     SEQPACKET  LISTENING     9697     1/init               /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     9701     1/init               /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     13486    1/init               /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12793    521/dhcpcd           /var/run/dhcpcd.sock
unix  2      [ ACC ]     STREAM     LISTENING     12794    521/dhcpcd           /var/run/dhcpcd.unpriv.sock
unix  2      [ ACC ]     STREAM     LISTENING     13146    532/python3          /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     13176    620/mysqld           /run/mysqld/mysqld.sock

Also ufw is up and running
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    *redacted_ip*/24            # ssh
42553/tcp                  ALLOW IN    *redacted_ip*/24            # MyJdownloader
5201                       ALLOW IN    *redacted_ip*/24            # iperf3 - network speed test
3306                       ALLOW IN    *redacted_ip*/24            # mariadb

This person reported erroneous nmap results on port 53 when they were connected to a VPN on the machine running the scan.

I am not sure I understand why that would matter but I thought it might be worth pointing out.

I couldn't not...


Mystery solved. :smiley:
I totally forgot that some years ago I was messing with my router NAT settings and it was redirecting all DNS requests to the correct DNS server, so that machines on my network would not call DNS like 8.8.8.8. :nerd_face: For example, a call to 192.168.0.5:53 (which has no port opened) would end in 192.168.0.1:53, which has port 53 opened.

Disabling this feature shows correct results from nmap.
Why am I doing things like this to myself? :sweat_smile: :rofl:
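
An added example, not part of any post in this thread: the cross-check that separates a real listener from an in-path redirect like the one described above. It compares the scanner's view (nmap) with the host's own view (`ss -ltn`) and flags ports that look open from outside, have no listener on the host, and appear on every scanned host. The sample outputs and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: scanner-side view (nmap -sT), shaped like the output in the thread.
NMAP_OUT = """\
Nmap scan report for pio (192.0.2.5)
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
Nmap scan report for phone (192.0.2.7)
53/tcp open  domain
"""

# Constructed sample: host-side view, `ss -ltn` run on 192.0.2.5 itself.
SS_OUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

def parse_nmap(text):
    """Map each scanned IPv4 address to the set of TCP ports reported open."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = re.search(r"(\d+(?:\.\d+){3})\)?$", line.strip())
        port = re.match(r"(\d+)/tcp\s+open\b", line)
        if line.startswith("Nmap scan report for") and host:
            current = hosts.setdefault(host.group(1), set())
        elif port and current is not None:
            current.add(int(port.group(1)))
    return hosts

def parse_listeners(text):
    """TCP ports the host listens on, ignoring loopback-only sockets."""
    ports = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if not addr.startswith("127.") and addr != "[::1]":
                ports.add(int(port))
    return ports

def likely_redirected(scan, ip, listeners):
    """Ports open from outside, absent on the host, and open on every scanned host."""
    phantom = scan.get(ip, set()) - listeners
    everywhere = set.intersection(*scan.values()) if len(scan) > 1 else set()
    return sorted(phantom & everywhere)
```

A non-empty result means something between the scanner and the host (a router NAT rule, a transparent proxy, a VPN) is completing the TCP handshake on the host's behalf, so the scan result says nothing about the host itself.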
