More Info:

Determines if TCP or UDP port 53 for DNS is open to the public.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the DNS Port Should Not Be Open misconfiguration in GCP using the GCP console, please follow the below steps:
  1. Login to the GCP console.
  2. Navigate to the VPC Network page by clicking on the hamburger menu in the top left corner and then selecting “VPC Network” under the “NETWORKING” section.
  3. Select the VPC network that needs to be remediated.
  4. Click on the “Firewall rules” tab.
  5. Identify the firewall rule that is allowing DNS traffic.
  6. Click on the edit button (pencil icon) for that firewall rule.
  7. In the “Targets” section, select “Specified target tags” and remove the tag that allows DNS traffic.
  8. In the “Protocols and ports” section, remove the port that allows DNS traffic.
  9. Click on the “Save” button to save the changes.
  10. Verify that the DNS port is no longer open by running a port scan on the instance.
By following the above steps, you can remediate the DNS Port Should Not Be Open misconfiguration in GCP using the GCP console.

To remediate the DNS Port Should Not Be Open misconfiguration in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to list all the firewall rules in your project: 
gcloud compute firewall-rules list
  1. Identify the firewall rule that allows DNS traffic on all ports.
  2. Run the following command to delete the firewall rule: 
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]
Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows DNS traffic on all ports.
  1. Confirm the deletion of the firewall rule by typing “Y” when prompted.
  2. Run the following command to verify that the firewall rule has been deleted: 
gcloud compute firewall-rules list
  1. If the firewall rule still exists, repeat steps 4-6 until the firewall rule has been successfully deleted.
  2. Verify that the DNS port is no longer open by running a port scan on your GCP instances from an external network.
By following these steps, you will have successfully remediated the DNS Port Should Not Be Open misconfiguration in GCP using GCP CLI.
To remediate the DNS port open misconfiguration in GCP using Python, you can follow these steps:
  1. First, you need to get the list of all the VM instances in your GCP project. You can use the google-cloud-sdk and google-auth Python packages to authenticate and access the GCP resources.
from google.oauth2 import service_account
from googleapiclient.discovery import build

# Authenticate using a service account key file
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json')

# Create a compute engine client
compute = build('compute', 'v1', credentials=credentials)

# List all VM instances in the project
project_id = 'your-project-id'
zones = ['us-central1-a', 'us-central1-b', 'us-central1-c']  # list of zones to check
instances = []
for zone in zones:
    result = compute.instances().list(project=project_id, zone=zone).execute()
    if 'items' in result:
        instances.extend(result['items'])
  1. Next, for each VM instance, you need to check if the DNS port (port 53) is open. You can do this by checking the firewall rules associated with the instance.
for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    firewall_rules = compute.firewalls().list(project=project_id).execute()['items']
    for rule in firewall_rules:
        if 'allowed' in rule and rule['allowed'] and 'ports' in rule['allowed'][0]:
            if 'tcp:53' in rule['allowed'][0]['ports'] or 'udp:53' in rule['allowed'][0]['ports']:
                print(f"Instance {instance_name} in zone {instance_zone} has DNS port open")
  1. If the DNS port is open for any instance, you can remove the firewall rule that allows the DNS traffic.
for instance in instances:
    instance_name = instance['name']
    instance_zone = instance['zone'].split('/')[-1]
    firewall_rules = compute.firewalls().list(project=project_id).execute()['items']
    for rule in firewall_rules:
        if 'allowed' in rule and rule['allowed'] and 'ports' in rule['allowed'][0]:
            if 'tcp:53' in rule['allowed'][0]['ports'] or 'udp:53' in rule['allowed'][0]['ports']:
                print(f"Instance {instance_name} in zone {instance_zone} has DNS port open")
                rule_name = rule['name']
                print(f"Removing firewall rule {rule_name}")
                operation = compute.firewalls().delete(project=project_id, firewall=rule_name).execute()
                print(f"Firewall rule {rule_name} deleted")
Note: Make sure to test the script in a test environment before running it in production. Also, keep in mind that removing the firewall rule that allows DNS traffic may impact the functionality of your VM instances, so make sure to verify that the DNS traffic is not required before removing the rule.

Additional Reading: