jganzi

New Contributor

2 Messages

Tuesday, July 21st, 2015 9:00 AM

PCI Compliance failing on port 53 UDP

Hello, we are a bar/restaurant and are required to have our network scanned for PCI compliance.  When our network is scanned, we are failing on "Firewall UDP Packet Source Port 53 Ruleset Bypass".  We are definitely NOT running a public DNS server as port 53 UDP would indicate.  As a test, we disconnected every ethernet cable from the gateway and re-ran the scan.  Same result!  Is Comcast redirecting port 53 UDP?  It is clearly not a device on our network causing this issue and we need to be able to pass these scans to stay compliant.  Any help would be greatly appreciated!

Problem solver

326 Messages

9 years ago

You don't say where the scan is being made from, and it's not clear when you say you disconnected everything from the gateway whether you're making the scan from the outside or the inside.  (If from the inside, then how can you scan anything when the machine doing the scanning is not plugged into the gateway?!)

The error message is also not clear at all; basically there is no generally accepted network issue that would meet that explanation.

I'm going to assume the following here:

1) You're running some kind of PCI compliance scanner software on a PC that is plugged into the gateway and using DHCP

2) The gateway is hot and on the Internet and is able to surf the web.

3) You're using the gateway's DNS server IP addresses on the PC

4) The PCI compliance scanner software is bitching that the gateway IP address 10.0.10.1 (or whatever) is basically acting as a crappy DNS server.

If all that is true, then you're never going to pass PCI compliance with that software and that gateway.  What the PCI compliance software is basically trying to say (I think) is that the DNS server on the gateway is a P.O.S. and is susceptible to DNS spoofing attacks - meaning that a remote attacker could poison the DNS server on the gateway to make it hand out different IP addresses for a particular domain name than what the IP addresses really are supposed to be.

You can see how this would be a problem if you were to load up a web browser and go to "takemycreditcard.com" and enter in a card number and instead of actually entering a card number into the real website you're entering it into the attacker's website!  Obviously this would only be a problem if your PC was using the gateway as its DNS server, but if the PC is using the gateway as a DHCP server then the usual thing would be for that to be the case.

You need to shut off the DNS server on the Gateway.  That isn't possible to do unless you do the following workaround:

Set the gateway into True Bridged Mode (call comcast for this)

Plug a real router into the gateway like a Netgear WNDR3400 or something

Make sure the Netgear is obtaining a real public IP on its WAN (not a private IP) and that it's using the real Comcast DNS servers 75.75.x.x

Shut off the main wireless on the Netgear  (Point of Sale registers should never be plugged into a wireless network.  I don't care that your cash register doesn't have an ethernet cable to it.  Run one.)

I would recommend contacting the PCI Compliance software manufacturer and asking for a router recommendation for a router that won't trigger their compliance software as well.  (i.e. a router that has a half-decent DNS server in it)  If they're going to bitch about other people's routers then they darn well better tell you what routers they think are good.

Needless to say this means you will NOT be able to use a static IP address.

Problem solver

326 Messages

9 years ago

By the way, this would also apply if you were scanning from a host OUTSIDE your network and it's complaining about the Comcast gateway's outside address acting as a DNS server.  You have to get DNS turned off on the gateway and the only way to do that is turn the gateway into a "dumb" device that just forwards packets to a "real" router plugged into the gateway.

It is considered bad form for these routers/gateways to respond to DNS queries of any kind that come from the Internet.  Most of these devices (including the Comcast gateway) act as DNS caches by running DNS caching software on the gateway but that software is only supposed to respond to port 53 queries that originate from the INSIDE network.

It would be very helpful if you could supply the following:

Model # of the Comcast gateway

whether the PCI scan is originating from the inside or the outside

New Contributor

2 Messages

9 years ago

Good morning and thank you for the reply.  The scan is being performed from OUTSIDE.  We are using a service called Hacker Guardian that was provided to us by our credit card processor.  It is scanning our public, static IP.

To clarify what I did as far as unplugging everything, after close of business on Saturday night, I disconnected the POS (on its own subnetwork to separate it from the public internet), the cameras, and the Cisco wireless AP, effectively leaving nothing at all plugged into the Comcast gateway.  I went home and initiated the scan on the bar's public IP.  It failed with the exact same error message.  It seems as though the gateway is responding to EXTERNAL DNS requests.

I will get the model# of the gateway this evening and post.  In the meantime, your suggestion of bridge mode and running my own firewall sounds like the easiest option.  Thanks again.
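The thread converges on one question: does the gateway's public address answer DNS queries that arrive from the Internet? The following script is an added example (not code from the thread, the poster, or Hacker Guardian) showing how a shop owner can check that for their own public IP from an outside host, as the poster did from home, before re-running the compliance scan. It builds a minimal DNS A query, sends it to UDP/53, and labels the outcome: `silent` (nothing reachable, the state the compliance scan wants), `responds-no-recursion` (the device answers but refuses to resolve), or `open-resolver` (the device resolves names for anyone on the Internet, the cache-poisoning exposure the second reply describes). The target IP, the query name `example.com`, and the two sample replies embedded for offline use are constructed assumptions, not values from the thread; after bridging the gateway and putting a router in front of it, the expected result is `silent`.

```python
"""Self-check: does our own public IP answer DNS from the outside? (added example)"""
import secrets
import socket
import struct


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a one-question DNS query (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data: bytes):
    """Decode the 12-byte DNS header; return None if the datagram is too short."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),      # 1 = this is a response
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0x000F,         # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd,
        "ancount": an,
    }


def classify(data: bytes, expected_txid: int) -> str:
    """Label a reply. Any reply at all means UDP/53 is reachable from outside."""
    hdr = parse_response(data)
    if hdr is None or not hdr["qr"] or hdr["txid"] != expected_txid:
        return "invalid"
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "open-resolver"
    return "responds-no-recursion"


def probe(ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query to ip:53 and classify what comes back; 'silent' on timeout."""
    txid = secrets.randbelow(65536)  # random id so a stray datagram is not mistaken for ours
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "silent"
    return classify(data, txid)


# Constructed sample replies (not captured from the poster's gateway) for offline use.
_QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
# QR=1, RD=1, RA=1, NOERROR, one answer: example.com A 192.0.2.1 (documentation address)
SAMPLE_OPEN_RESOLVER_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + _QUESTION
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10" + b"\x00\x04" + b"\xc0\x00\x02\x01"
)
# QR=1, RD=1, RA=0, REFUSED, no answers
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage from a host outside the network: python dns_selfcheck.py <your public IP>
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print("open resolver sample:", classify(SAMPLE_OPEN_RESOLVER_REPLY, 0x1234))
        print("refused sample:", classify(SAMPLE_REFUSED_REPLY, 0x1234))
```

Run it with no arguments to exercise the two embedded samples, or with your own public IP as the argument from a machine outside the network. A result of `responds-no-recursion` still fails the compliance check as the second reply explains, since the device should not answer port 53 from the Internet at all; only `silent` confirms the gateway has stopped exposing DNS.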