My BIND service shows up as filtered in Nmap

Linode Staff

I'm running a BIND service on port 53 (UDP) but when I scan it using Nmap it shows up as "open|filtered". Is Linode blocking traffic to that port?

1 Reply

I think the issue here is with how Nmap determines if a UDP port is open or closed. Basically, empty UDP probes will usually get dropped without any response, which is also how firewalls behave (as in, they also drop packets without providing a response). This is why Nmap sets the status of UDP ports to "open|filtered" when used without any options.

However, Nmap knows how to construct non-empty probes for popular UDP services, which does evoke a response. The "-V" will be the option to use to make Nmap figure out the appropriate probe to send. Here's an example using one of our name servers:

Without using -V:

root@evaldez:~# nmap -sU ns1.linode.com -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-30 16:14 UTC
Nmap scan report for ns1.linode.com (162.159.27.72)
Host is up (0.00041s latency).
Other addresses for ns1.linode.com (not scanned): 2400:cb00:2049:1::a29f:1a63

PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

Using -V:

root@evaldez:~# nmap -sUV ns1.linode.com -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-30 16:14 UTC
Nmap scan report for ns1.linode.com (162.159.27.72)
Host is up (0.00047s latency).
Other addresses for ns1.linode.com (not scanned): 2400:cb00:2049:1::a29f:1a63

PORT   STATE SERVICE VERSION
53/udp open  domain  (unknown banner: Salt-master)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.70%I=7%D=4/30%Time=5EAAF951%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReq,36,"\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0
SF:\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\x01Q\x80\0\x0c\x0bSalt-master")%r(NB
SF:TStat,32,"\x80\xf0\x80\x15\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds

You can read much more about this topic in Nmap's online book. Specifically, their UDP scan section.
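An added illustration of the classification the reply describes, written for this page and not taken from the reply, Nmap, or BIND: it sends an empty probe and a version.bind CHAOS TXT query (the kind of probe behind the DNSVersionBindReq match in the fingerprint above) to UDP ports on loopback and labels each port the way Nmap does. A datagram back means "open", an ICMP port unreachable (surfaced by Linux as ECONNREFUSED on a connected UDP socket) means "closed", and silence means "open|filtered". The toy responder, the silent port and the query bytes are my constructions; the response bytes are decoded from the fingerprint in the Nmap output above.

```python
import socket
import struct
import threading

# DNS response from the fingerprint in the Nmap output above (the DNSVersionBindReq
# match), converted from Nmap's escaped notation to raw bytes.
CAPTURED_VERSION_BIND_RESPONSE = (
    b"\x00\x06\x85\x00\x00\x01\x00\x01\x00\x00\x00\x00"  # id 6, QR|AA, 1 question, 1 answer
    b"\x07version\x04bind\x00\x00\x10\x00\x03"           # question: version.bind TXT CH
    b"\xc0\x0c\x00\x10\x00\x03\x00\x01\x51\x80\x00\x0c"  # answer: name ptr, TXT, CH, TTL 86400, rdlength 12
    b"\x0bSalt-master"                                   # TXT rdata
)


def build_dns_query(name="version.bind", qtype=16, qclass=3, txid=6):
    """Minimal DNS query; defaults give a CHAOS-class TXT query for version.bind
    (my construction, not the exact bytes from nmap-service-probes)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def _read_name(data, offset):
    """Decode a DNS name starting at offset; follows compression pointers."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(_read_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_txt_response(data):
    """Return txid, owner name, TTL and TXT strings of the first TXT answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == 16:               # TXT: sequence of length-prefixed strings
            texts, i = [], 0
            while i < len(rdata):
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            return {"txid": txid, "name": name, "ttl": ttl, "txt": texts}
    return {"txid": txid, "name": None, "ttl": None, "txt": []}


def probe_udp(host, port, payload, timeout=1.0):
    """Classify one UDP port with Nmap's three states."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # connected socket so ICMP errors reach recv()
        s.send(payload)
        return "open", s.recv(4096)
    except ConnectionRefusedError:    # ICMP port unreachable came back
        return "closed", b""
    except socket.timeout:            # no answer: service ignored us, or a firewall dropped it
        return "open|filtered", b""
    finally:
        s.close()


def _serve_version_bind(sock, stop):
    """Toy resolver: answers only well-formed version.bind queries, drops the rest."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(512)
        except socket.timeout:
            continue
        if len(data) >= 12 and b"\x07version\x04bind" in data:
            sock.sendto(data[:2] + CAPTURED_VERSION_BIND_RESPONSE[2:], addr)  # echo client's txid


def classify_local_ports(timeout=1.0):
    """Probe a responding port, a bound-but-silent port and an unbound port on loopback."""
    responder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    responder.bind(("127.0.0.1", 0))
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    closed = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()                    # nothing listens here any more
    stop = threading.Event()
    worker = threading.Thread(target=_serve_version_bind, args=(responder, stop), daemon=True)
    worker.start()
    ports = {"responder": responder.getsockname()[1], "silent": silent.getsockname()[1], "closed": closed_port}
    probes = {"empty": b"", "version.bind": build_dns_query()}
    results = {}
    try:
        for label, port in ports.items():
            for pname, payload in probes.items():
                results[(label, pname)] = probe_udp("127.0.0.1", port, payload, timeout)[0]
    finally:
        stop.set()
        worker.join()
        responder.close()
        silent.close()
    return results


if __name__ == "__main__":
    for key, state in classify_local_ports().items():
        print(f"{key[0]:10s} {key[1]:13s} -> {state}")
    print(parse_txt_response(CAPTURED_VERSION_BIND_RESPONSE))
```

The responder port comes back "open|filtered" for the empty probe and "open" for the version.bind query, which is exactly the difference between the two scans in the reply: the daemon is there both times, but it only answers something it can parse.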
