My BIND service shows up as filtered in Nmap
I'm running a BIND service on port 53 (UDP) but when I scan it using Nmap it shows up as "open|filtered". Is Linode blocking traffic to that port?
1 Reply
I think the issue here is with how Nmap determines if a UDP port is open or closed. Basically, empty UDP probes will usually get dropped without any response, which is also how firewalls behave (as in, they also drop packets without providing a response). This is why Nmap sets the status of UDP ports to "open|filtered" when used without any options.
However, Nmap knows how to construct non-empty probes for popular UDP services, which does evoke a response. The "-V" option is the one to use to make Nmap figure out the appropriate probe to send. Here's an example using one of our name servers:
Without using -V:
root@evaldez:~# nmap -sU ns1.linode.com -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-30 16:14 UTC
Nmap scan report for ns1.linode.com (162.159.27.72)
Host is up (0.00041s latency).
Other addresses for ns1.linode.com (not scanned): 2400:cb00:2049:1::a29f:1a63
PORT STATE SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Using -V:
root@evaldez:~# nmap -sUV ns1.linode.com -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-30 16:14 UTC
Nmap scan report for ns1.linode.com (162.159.27.72)
Host is up (0.00047s latency).
Other addresses for ns1.linode.com (not scanned): 2400:cb00:2049:1::a29f:1a63
PORT STATE SERVICE VERSION
53/udp open domain (unknown banner: Salt-master)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.70%I=7%D=4/30%Time=5EAAF951%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReq,36,"\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0
SF:\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\x01Q\x80\0\x0c\x0bSalt-master")%r(NB
SF:TStat,32,"\x80\xf0\x80\x15\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds
You can read much more about this topic in nmap's online book. Specifically, their UDP scan section.