Triage and Remediation
Remediation
Using Console
To remediate the DNS Port Should Not Be Open misconfiguration in GCP using the GCP console, follow the steps below:
- Login to the GCP console.
- Navigate to the VPC Network page by clicking on the hamburger menu in the top left corner and then selecting “VPC Network” under the “NETWORKING” section.
- Select the VPC network that needs to be remediated.
- Click on the “Firewall rules” tab.
- Identify the firewall rule that is allowing DNS traffic.
- Click on the edit button (pencil icon) for that firewall rule.
- In the “Targets” section, select “Specified target tags” and remove the tag that allows DNS traffic.
- In the “Protocols and ports” section, remove the port that allows DNS traffic.
- Click on the “Save” button to save the changes.
- Verify that the DNS port is no longer open by running a port scan on the instance.
Using CLI
To remediate the DNS Port Should Not Be Open misconfiguration in GCP using the GCP CLI, follow these steps.
Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows DNS traffic on all ports.
- Open the Cloud Shell in the GCP Console.
- Run the following command to list all the firewall rules in your project:
- Identify the firewall rule that allows DNS traffic on all ports.
- Run the following command to delete the firewall rule:
- Confirm the deletion of the firewall rule by typing “Y” when prompted.
- Run the following command to verify that the firewall rule has been deleted:
- If the firewall rule still exists, repeat steps 4-6 until the firewall rule has been successfully deleted.
- Verify that the DNS port is no longer open by running a port scan on your GCP instances from an external network.
Using Python
To remediate the DNS port open misconfiguration in GCP using Python, you can follow these steps.
Note: Test the script in a test environment before running it in production. Keep in mind that removing the firewall rule that allows DNS traffic may impact the functionality of your VM instances, so verify that the DNS traffic is not required before removing the rule.
- First, you need to get the list of all the VM instances in your GCP project. You can use the google-cloud-sdk and google-auth Python packages to authenticate and access the GCP resources.
- Next, for each VM instance, you need to check if the DNS port (port 53) is open. You can do this by checking the firewall rules associated with the instance.
- If the DNS port is open for any instance, you can remove the firewall rule that allows the DNS traffic.
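The CLI and Python steps above describe the same check: find the ingress firewall rule that allows port 53 from the internet, then remove it. The commands and script themselves are not shown on this page, so the following is an added example (not the page's code and not any vendor's tooling). It evaluates firewall rules in the JSON shape written by `gcloud compute firewall-rules list --format=json` (the field names name, direction, disabled, sourceRanges and allowed are an assumption based on that output), reports the enabled ingress rules that expose TCP or UDP 53 from a non-private source range, and handles the two cases that are easy to miss: a port range such as 1-1024 that covers 53, and an allowed entry with no ports key, which means every port of that protocol. The optional delete helper uses the google-cloud-compute library's FirewallsClient, which is an assumption on my part since the page names the google-cloud-sdk and google-auth packages instead.

```python
"""Flag (and optionally delete) GCP firewall rules that expose DNS (port 53)
to the internet.

Added example, not the page's code. Input is a list of firewall rules in the
JSON shape written by `gcloud compute firewall-rules list --format=json`
(assumed fields: name, direction, disabled, sourceRanges, allowed).
"""
import ipaddress
import json
from typing import Iterable

DNS_PORT = 53


def port_spec_covers(spec: str, port: int) -> bool:
    """True if a gcloud port spec such as '53' or '1-1024' includes `port`."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def range_is_public(cidr: str) -> bool:
    """True if a source range is reachable from outside private address space.

    0.0.0.0/0 and ::/0 are the usual offenders; RFC 1918 ranges are not flagged.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def dns_exposing_rules(rules: Iterable[dict]) -> list:
    """Return enabled INGRESS rules that allow TCP or UDP 53 from a public range."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        ranges = rule.get("sourceRanges", [])
        if not any(range_is_public(r) for r in ranges):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "").lower()
            if proto not in ("tcp", "udp", "all"):
                continue
            ports = allowed.get("ports")  # absent => every port of the protocol
            if ports is None or any(port_spec_covers(p, DNS_PORT) for p in ports):
                findings.append({"name": rule["name"], "protocol": proto,
                                 "ports": ports or ["all"], "sourceRanges": ranges})
                break  # one finding per rule is enough
    return findings


def rules_from_gcloud_json(text: str) -> list:
    """Parse the output of `gcloud compute firewall-rules list --format=json`."""
    return json.loads(text)


def delete_rule(project: str, name: str) -> str:
    """Delete a rule with google-cloud-compute (assumed library; not run offline)."""
    from google.cloud import compute_v1  # lazy: the detection above needs no client

    client = compute_v1.FirewallsClient()
    client.delete(project=project, firewall=name).result()  # wait for the operation
    return name


# Constructed sample rules, not data from a real project.
SAMPLE_RULES = [
    {"name": "allow-dns-from-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]},
                 {"IPProtocol": "tcp", "ports": ["53"]}]},
    {"name": "allow-dns-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-all-udp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp"}]},  # no ports key: every UDP port
    {"name": "allow-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "old-dns-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-low-ports", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1-1024"]}]},  # range covers 53
]

if __name__ == "__main__":
    for f in dns_exposing_rules(SAMPLE_RULES):
        print(f"{f['name']}: {f['protocol']} {','.join(f['ports'])} "
              f"from {f['sourceRanges']}")
```

In practice you would feed `rules_from_gcloud_json()` the saved output of the list command, review the findings (the note in the Python section about confirming DNS traffic is not required applies here), and only then call `delete_rule()` for each confirmed rule. The check deliberately treats a rule with no `ports` key or with `IPProtocol: all` as exposing DNS, since those are the rules that "allow DNS traffic on all ports" in the CLI section's wording, and it ignores disabled and egress rules so they are not reported as findings.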