Ensure that Google Cloud VPC network firewall rules do not allow unrestricted access (i.e. a source range of 0.0.0.0/0) on TCP and UDP port 53, in order to reduce the attack surface and protect the virtual machine (VM) instances associated with these rules. TCP/UDP port 53 is used by the Domain Name System (DNS) for name resolution (DNS lookups), both for requests sent from clients to DNS servers and for traffic between DNS servers. Note that a rule does not have to name port 53 explicitly to expose it: an ingress rule that allows "all" protocols, or TCP/UDP with no port list, or a port range such as 50-60, also grants access to port 53.
Allowing unrestricted DNS access to your Google Cloud VMs through VPC network firewall rules exposes any DNS service running on those instances to the whole Internet, where it can be targeted by Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks or abused as a reflector in DNS amplification attacks against third parties. VPC firewall rules should be configured so that access to specific resources is restricted to just those hosts or networks that have a legitimate business requirement for access.
To determine if your Google Cloud VPC firewall rules allow unrestricted access on TCP and/or UDP port 53, perform the following actions:
Remediation / Resolution
To update your VPC network firewall rules configuration in order to restrict Domain Name System (DNS) access to trusted entities only (i.e. authorized IP addresses or IP ranges), perform the following actions:
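The following Python script is an added example that is not part of this knowledge base page. It shows both sides of the procedure described above: the audit step (detecting ingress rules whose source range is 0.0.0.0/0 or ::/0 and whose allowed protocols cover port 53, including the "all protocols", "no port list" and port-range cases) and the remediation step (building a `gcloud compute firewall-rules update --source-ranges=...` command that replaces the open range with trusted ranges). The input format is the JSON produced by `gcloud compute firewall-rules list --format=json`; the sample rules, project name and rule names embedded below are constructed for this example and are hypothetical.

```python
"""Audit GCP VPC firewall rules for unrestricted ingress on TCP/UDP port 53.

Added example, not code from the knowledge base page. Input is the JSON shape of
`gcloud compute firewall-rules list --format=json`; the sample below is constructed
(hypothetical project and rule names), not captured from a real project.
"""
import ipaddress
import json

DNS_PORT = 53
NET = "projects/example-project/global/networks/default"  # hypothetical

# Constructed sample output of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-dns-any", "network": NET, "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["53"]},
                 {"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-dns-internal", "network": NET, "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "allow-all-ingress", "network": NET, "direction": "INGRESS", "disabled": False,
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},          # no port list: every port, incl. 53
    {"name": "allow-web", "network": NET, "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-range", "network": NET, "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["50-60"]}]},  # range covers 53
    {"name": "disabled-dns", "network": NET, "direction": "INGRESS", "disabled": True,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
    {"name": "egress-dns", "network": NET, "direction": "EGRESS", "disabled": False,
     "priority": 1000, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
])


def _port_spec_matches(spec: str, port: int) -> bool:
    """Match one gcloud port entry ("53" or "50-60") against a port number."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _allowed_entry_covers_port(entry: dict, port: int) -> bool:
    """True if an 'allowed' entry grants TCP or UDP access to the given port."""
    proto = entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "udp", "all"):
        return False
    ports = entry.get("ports")
    if not ports:          # no port list (or protocol "all") means every port
        return True
    return any(_port_spec_matches(p, port) for p in ports)


def _is_unrestricted(ranges) -> bool:
    """True if any source range is the whole IPv4 or IPv6 address space."""
    for r in ranges or []:
        try:
            if ipaddress.ip_network(r, strict=False).prefixlen == 0:
                return True
        except ValueError:  # not a CIDR (e.g. a tag); ignore
            continue
    return False


def find_unrestricted_dns_rules(rules_json: str, port: int = DNS_PORT) -> list:
    """Return names of enabled INGRESS rules open to the world on the port."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not _is_unrestricted(rule.get("sourceRanges")):
            continue
        if any(_allowed_entry_covers_port(e, port) for e in rule.get("allowed", [])):
            findings.append(rule["name"])
    return findings


def remediation_command(rule_name: str, trusted_ranges) -> str:
    """Build the gcloud command that replaces the rule's source ranges.

    --source-ranges is authoritative: the new list replaces 0.0.0.0/0 entirely.
    """
    for r in trusted_ranges:
        if ipaddress.ip_network(r, strict=False).prefixlen == 0:
            raise ValueError(f"{r} is not a restricted range")
    return ("gcloud compute firewall-rules update %s --source-ranges=%s"
            % (rule_name, ",".join(trusted_ranges)))


if __name__ == "__main__":
    trusted = ["10.0.0.0/8", "192.168.1.0/24"]   # hypothetical trusted networks
    for name in find_unrestricted_dns_rules(SAMPLE_RULES_JSON):
        print("FINDING:", name)
        print("  fix:", remediation_command(name, trusted))
```

Run it against real output by piping `gcloud compute firewall-rules list --format=json` into `find_unrestricted_dns_rules`. The `--source-ranges` list given to `gcloud compute firewall-rules update` replaces the existing list, so include every range that still needs access; where no client needs DNS on the instance at all, deleting the rule (`gcloud compute firewall-rules delete RULE_NAME`) is the cleaner fix. Disabled rules are skipped because they are not enforced, but re-enabling one reopens the exposure, so consider deleting those too.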
Check for Unrestricted DNS Access
Risk level: High