Port 53 DNS attack

We have a number of TRB140 devices set up with public IP addresses. They are all using the latest firmware TRB1_R_00-07.07.1. The Mobile Data usage is very high, although there has not been any significant data download or upload to the single device connected to the TRB140 LAN port. I therefore think the IP addresses are under attack.

In the RUTOS Web interface I can list current connections to TRB140. After a few seconds there are more than 1000 connections to port 53 from IP addresses all over the world (primarily CH, BR etc.). In TRB140 port 53 seems to be blocked from WAN (doesn’t show up as an open port when running an NMAP scan), but still I think all these DNS requests are counting as data usage on the cellular network. At least this is the only explanation I can find for the excessive data usage. The data usage is approx. 9 MB per hour, i.e. more than 6 GB per month.
Here is an extract of the list of connections (xxx.xx.x.xx is the public IP address of TRB140):

This situation is very expensive for us, as the units are abroad and we are paying per MB used.
So, my question is, can I do something to prevent this activity?
I have already configured the Firewall with all the available attack prevention options enabled. I have also set up “DNS” to what is shown below, but it didn’t have any effect on the data usage.

My DNS settings look like this.
All default - with no custom DNS servers on mobile interface - means using ISP assigned DNS servers.

Do you really need to work with routable public IPs or could you ‘hide’ behind CGNAT 100.x.x.x IPs which would automatically protect you from these DNS requests coming from public?
Depends on your setup and desired services of course…

  1. I only changed to Google DNS (8.8.8.8) in an attempt to see if it made any difference and it didn’t.

  2. Well yes, we need public IPs to contact the devices. We could use ZeroTier on a CGNAT’ed connection, but that also implies a quite high idle data consumption and doesn’t work with DDNS. Furthermore it is more difficult to use for our customers.

I believe that I might have to ask the ISP to block port 53.
I just wanted to ask here, if someone could confirm, that this is the only option or something else could be done in the TRB140 settings?
As I wrote, I see that ALL our devices are hit by these attacks, so I guess that someone else using public IP addresses would experience the same on their devices.

Hello,

When you enable a static IP, you increase your vulnerability to unknown attacks. However, there are steps you can take to reduce this risk:

  1. Block incoming traffic from the WAN on Port 53: To do this, create a traffic rule that drops incoming traffic to Port 53. You can create rules in Network → Firewall → Traffic rules. The rule itself should look like this:

  2. Strengthen your security with Attack Prevention services. These can be accessed via Network → Firewall → Attack Prevention. SYN flood and ICMP request protection are enabled by default, but you can adjust limits. Additionally, you can turn on Port Scanning Prevention as well as protection for SSH, HTTP, and HTTPS.

Best regards,
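The drop rule from the answer above, written as the UCI stanza in /etc/config/firewall that RUTOS (which is OpenWrt-based) stores behind Network → Firewall → Traffic rules. This is an added example, not Teltonika's or the original poster's configuration; the zone name `wan` and the rule name are assumptions (on RUTOS the mobile interface is normally a member of the `wan` zone, but verify under Network → Firewall → General settings). Omitting `dest` is what makes this a "To device" rule, i.e. it lands in the input chain and matches traffic addressed to the router itself; a rule with `option dest 'lan'` would match forwarded traffic only and leave the router's own port 53 untouched, which is the likely reason the earlier "To lan port 53" attempt had no effect.

```uci
# /etc/config/firewall  (RUTOS / OpenWrt UCI syntax)
# Added example: drop unsolicited DNS traffic arriving from the WAN zone
# that is destined for the device itself. Zone and rule names are assumed.

config rule
	option name 'Drop-WAN-DNS'      # shown as the rule name in the web UI
	option src 'wan'                # "Source zone: WAN" (mobile interface)
	option proto 'tcp udp'          # DNS uses both transports
	option dest_port '53'           # "To device port 53"; no 'dest' => input chain
	option family 'ipv4'            # the public addresses in the thread are IPv4
	option target 'DROP'            # DROP, not REJECT: send nothing back
	option enabled '1'
```

Apply it from the shell with `uci add firewall rule`, the matching `uci set` lines, `uci commit firewall` and `/etc/init.d/firewall reload`, or simply recreate it in the web UI; either way it is the same rule. Two caveats a practitioner should keep in mind. First, `DROP` is deliberate: with the default `REJECT` input policy every probe to a closed port gets an ICMP port-unreachable or TCP RST in reply, and those replies are outbound bytes billed on the same cellular link. Second, a firewall on the router can only stop what the router sends back and what it forwards; the inbound probe packets have already crossed the radio link by the time the rule sees them, so if the bill is still dominated by inbound traffic the remaining option is filtering upstream at the mobile operator, as the original poster considered.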

Thank you for your answer.
I somehow assumed that port 53 was blocked per default from WAN and it was the connection attempts themselves that created the data usage on the mobile network.
I also earlier created a similar rule, but then I might have used “To lan port 53” instead of “To device port 53”, at least it didn’t solve the problem at that time.
I now made the Traffic Rule and rebooted the device and it seems to have removed the problem.

Hello,

I’m glad to hear that the firewall rule worked! If you have any other questions, please don’t hesitate to reach out.

Best regards,