FreeNAS 11 RC1 and RC2 both have an open DNS Resolver (port 53)

Status
Not open for further replies.

Nicholas M

Dabbler
Joined
Jan 11, 2016
Messages
19
FreeNAS 11 RC1 and RC2 both have an Open DNS Resolver (port 53) installed. My network security team are not happy and are threatening to block ethernet connectivity. :eek:

FN9.10U3 (e1497f269) does NOT have this service.

Is this intentional - does anyone know the justification for running this service? Our security team typically don't like anyone running DNS resolvers as they are (usually) easily compromised.

I can't figure out any reason why FreeNAS 11 needs to run such a service.


Code:
Shiny:~ nicholas$ nslookup bbc.co.uk xxx.xxx.193.23
Server:		xxx.xxx.193.23
Address:	xxx.xxx.193.23#53

Non-authoritative answer:
Name:	bbc.co.uk
Address: 212.58.246.79
Name:	bbc.co.uk
Address: 212.58.244.23
Name:	bbc.co.uk
Address: 212.58.244.22
Name:	bbc.co.uk
Address: 212.58.246.78
 
Last edited by a moderator:

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Raise a bug ticket at https://bugs.freenas.org

As for a listening DNS resolver, it's likely Unbound is turned on by default. Unbound is the FreeBSD default local resolver.

In your case, revert back to 9.10 until the issue is resolved.