DNS Port Should Not Be Open

More Info:

Determines if TCP or UDP port 53 for DNS is open to the public.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the DNS Port Should Not Be Open misconfiguration in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to list all the firewall rules in your project:

gcloud compute firewall-rules list

Identify the firewall rule that allows DNS traffic on all ports.
Run the following command to delete the firewall rule:

gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]

Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows DNS traffic on all ports.

Confirm the deletion of the firewall rule by typing “Y” when prompted.
Run the following command to verify that the firewall rule has been deleted:

gcloud compute firewall-rules list

If the firewall rule still exists, repeat steps 4-6 until the firewall rule has been successfully deleted.
Verify that the DNS port is no longer open by running a port scan on your GCP instances from an external network.

By following these steps, you will have successfully remediated the DNS Port Should Not Be Open misconfiguration in GCP using GCP CLI.

Using Python

To remediate the DNS port open misconfiguration in GCP using Python, you can follow these steps:

First, you need to get the list of all the VM instances in your GCP project. You can use the google-cloud-sdk and google-auth Python packages to authenticate and access the GCP resources.

from google.oauth2 import service_account
from googleapiclient.discovery import build

# Authenticate using a service account key file
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json')

# Create a compute engine client
compute = build('compute', 'v1', credentials=credentials)

# List all VM instances in the project
project_id = 'your-project-id'
zones = ['us-central1-a', 'us-central1-b', 'us-central1-c']  # list of zones to check
instances = []
for zone in zones:
    result = compute.instances().list(project=project_id, zone=zone).execute()
    if 'items' in result:
        instances.extend(result['items'])

Next, for each VM instance, you need to check if the DNS port (port 53) is open. You can do this by checking the firewall rules associated with the instance.

for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    firewall_rules = compute.firewalls().list(project=project_id).execute()['items']
    for rule in firewall_rules:
        if 'allowed' in rule and rule['allowed'] and 'ports' in rule['allowed'][0]:
            if 'tcp:53' in rule['allowed'][0]['ports'] or 'udp:53' in rule['allowed'][0]['ports']:
                print(f"Instance {instance_name} in zone {instance_zone} has DNS port open")

If the DNS port is open for any instance, you can remove the firewall rule that allows the DNS traffic.

for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    firewall_rules = compute.firewalls().list(project=project_id).execute()['items']
    for rule in firewall_rules:
        if 'allowed' in rule and rule['allowed'] and 'ports' in rule['allowed'][0]:
            if 'tcp:53' in rule['allowed'][0]['ports'] or 'udp:53' in rule['allowed'][0]['ports']:
                print(f"Instance {instance_name} in zone {instance_zone} has DNS port open")
                rule_name = rule['name']
                print(f"Removing firewall rule {rule_name}")
                operation = compute.firewalls().delete(project=project_id, firewall=rule_name).execute()
                print(f"Firewall rule {rule_name} deleted")

Note: Make sure to test the script in a test environment before running it in production. Also, keep in mind that removing the firewall rule that allows DNS traffic may impact the functionality of your VM instances, so make sure to verify that the DNS traffic is not required before removing the rule.

Additional Reading:

https://cloud.google.com/vpc/docs/using-firewalls

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

DNS Port Should Not Be Open

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: