To just block it:
/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop
To intercept it and redirect it to your own server:
/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER
To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/
EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).
Hi, I have realized that it has blocked only the wireless connection, but the LAN is still getting through!?
If you force the local users to use the Mikrotik as their resolver, then the Mikrotik will cache most lookups so any burst of traffic will only get cached replies and not send them to the ISP.
chain=dstnat protocol=udp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=udp dst-port=53 in-interface=WLAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=WLAN action=redirect
Also, set RP Filter to strict in /IP Settings so that if a LAN workstation is a member of a botnet, spoofed-source DNS queries will not be answered.
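As an added client-side check (example script written for this page, not code from the thread or from MikroTik), the following asks a public resolver for a name that only the router knows: getting the router's static answer back means the redirect rule caught the query, a timeout means DNS is blocked, and an NXDOMAIN or other answer means the query left the network unredirected, which is exactly what the WLAN interface in the earlier reply would show. It assumes a constructed static entry has been added on the router (`/ip dns static add name=redirect-test.lan address=10.99.99.99`) and uses 8.8.8.8 only as a stand-in for any public resolver.

```python
import random, socket, struct

# Constructed probe entry (not from the thread); on the router you would add:
#   /ip dns static add name=redirect-test.lan address=10.99.99.99
PROBE_NAME, PROBE_ADDR = "redirect-test.lan", "10.99.99.99"

def build_query(name, txid=None):
    """Minimal DNS A query with RD set; returns (txid, wire bytes)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a domain name (handles RFC 1035 compression pointers)."""
    while (n := msg[off]) and n & 0xC0 != 0xC0:
        off += n + 1
    return off + (2 if n else 1)  # a 2-byte pointer ends the name, else the 0 byte does

def parse_a_records(msg, expect_txid=None):
    """A-record IPs from the answer section; [] on a non-zero RCODE (e.g. NXDOMAIN)."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("DNS transaction id mismatch")
    if flags & 0x000F:
        return []
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def redirect_active(resolver="8.8.8.8", timeout=2.0):
    """Run on a LAN or WLAN client: probe address back = redirected, timeout = blocked, else leaking."""
    txid, q = build_query(PROBE_NAME)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "blocked"
    return "redirected" if PROBE_ADDR in parse_a_records(data, txid) else "leaking"
```

Run `redirect_active()` once from a wired client and once from a wireless client; both should report `redirected` when the LAN and WLAN rules are in place.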