petru
just joined
Topic Author
Posts: 3
Joined: Sun Jul 07, 2013 1:52 pm

ip dns allow remote requests set yes generate traffic !?

Sun Jul 07, 2013 2:06 pm

Hello,
I use an RB2011UAS-2HnD, and after upgrading to 6.1 I noticed that when Allow remote requests in the /IP DNS menu is set to yes, it generates traffic, and I noticed a lot of strange IP addresses in the ARP list.
This is the situation when Allow remote requests=no
ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D xxx.22.240.129 00:22:56:CF:B6:46 ether4_O
1 D xxx.168.15.1 5C:5E:AB:01:90:C4 ether5_S
2 D 192.168.2.5 90:E6:BA:E3:E8:ED ether3
3 D 10.0.10.10 00:24:2C:67:96:45 wlan1

This is the situation when Allow remote requests=yes
ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D xxx.22.240.129 00:22:56:CF:B6:46 ether4_O
1 D xxx.168.15.1 5C:5E:AB:01:90:C4 ether5_S
2 D 192.168.2.5 90:E6:BA:E3:E8:ED ether3
3 D 10.0.10.10 00:24:2C:67:96:45 wlan1
4 D 192.168.3.5 00:C0:B7:A2:B8:C9 ether10_UPS
5 D 24.63.12.209 00:22:56:CF:B6:46 ether4_O
6 D 69.31.29.26 00:22:56:CF:B6:46 ether4_O


Please help, what is wrong...
 
prague
newbie
Posts: 31
Joined: Tue Sep 25, 2012 10:37 am

Re: ip dns allow remote requests set yes generate traffic !?

Wed Sep 25, 2013 12:40 pm

I have the same issue! Did you find any solution?
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: ip dns allow remote requests set yes generate traffic !?

Wed Sep 25, 2013 12:53 pm

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1
If ether1 is not your WAN interface, change that. Ensure you place these above any UDP accept rules.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: ip dns allow remote requests set yes generate traffic !?

Wed Sep 25, 2013 1:56 pm

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1
If ether1 is not your WAN interface, change that. Ensure you place these above any UDP accept rules.
Post your configuration if the above doesn't fix it.
 
petru
just joined
Topic Author
Posts: 3
Joined: Sun Jul 07, 2013 1:52 pm

Re: ip dns allow remote requests set yes generate traffic !?

Sun Oct 06, 2013 9:35 pm

Thank you for the reply

I put these rules

/ip firewall filter
add chain=input in-interface=ether4_O protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether4_O protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether4_O action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether4_O action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether4_O action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether4_O action=redirect
 
petru
just joined
Topic Author
Posts: 3
Joined: Sun Jul 07, 2013 1:52 pm

Re: ip dns allow remote requests set yes generate traffic !?

Sun Oct 06, 2013 9:39 pm

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1
If ether1 is not your WAN interface, change that. Ensure you place these above any UDP accept rules.

Thank you for the reply

I put these rules and it works

/ip firewall filter
add chain=input in-interface=ether4_O protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether4_O protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether4_O action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether4_O action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether4_O action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether4_O action=redirect
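
Added example, not part of any post in this thread: the advice above to place the port 53 drop rules above any UDP accept rule matters because RouterOS evaluates filter rules top to bottom and the first match decides, with accept as the result when nothing matches. This Python sketch checks a `/ip firewall filter` export for that ordering. The function names and the sample export are constructed for illustration, and only the chain, protocol, in-interface, dst-port and connection-state matchers are modelled.

```python
import shlex

MODELLED = {"chain", "action", "protocol", "in-interface", "dst-port",
            "connection-state", "disabled", "comment"}
TERMINAL = ("accept", "drop", "reject")

# Constructed sample: a broad UDP accept sits above the thread's drop rules.
SAMPLE = """/ip firewall filter
add chain=input action=accept protocol=udp
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether4_O
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether4_O
"""

def parse_filter_rules(export_text):
    """Return the 'add' lines under /ip firewall filter, in order, as dicts."""
    rules, section = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def _matches(rule, chain, iface, proto, port):
    spec, ports = rule.get("in-interface"), rule.get("dst-port")
    state = rule.get("connection-state")  # an unsolicited query is state "new"
    return (rule.get("disabled") != "yes" and rule.get("chain") == chain
            and rule.get("protocol", proto) == proto
            and (not spec or (spec[1:] != iface if spec[0] == "!" else spec == iface))
            and (not ports or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in
                                  (p.partition("-") for p in ports.split(","))))
            and (not state or "new" in state.split(",")))

def verdict(rules, chain, iface, proto, port):
    """First matching accept/drop/reject wins; no match means accept."""
    for rule in rules:
        action = rule.get("action", "accept")
        if action in TERMINAL and _matches(rule, chain, iface, proto, port):
            # A drop that also uses matchers not modelled here may not apply.
            if action == "accept" or not set(rule) - MODELLED:
                return action
    return "accept"

def dns_exposed(export_text, wan):
    """Protocols on which port 53 of the router is still reachable via `wan`."""
    rules = parse_filter_rules(export_text)
    return [p for p in ("udp", "tcp") if verdict(rules, "input", wan, p, 53) != "drop"]
```

An empty list from `dns_exposed(export, "ether4_O")` means both drop rules are reached first. An accept rule that uses a matcher outside the modelled set is treated as matching, so the check errs toward reporting exposure.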
