Blocking DNS traffic

Hi,

Looks like I’m having an absolute beginner question. On other systems than MikroTik this question is easy to be answered.

I have a cellular MikroTik IoT router (KNOT), that uses LTE-M / NB-IoT. One of the clients is flooding the network with dozens of DNS requests. Due to the limited bandwidth, this let the entire upstream to congest.

Client (172.16.64.199) ---> (172.16.64.254) MikroTik (1.2.3.4) ----> Internet

Since this one client doesn’t need any DNS to work properly, I tried to create a firewall rule that drops any DNS traffic originating from this client. But I’m definitely not able to…

I tried all kind of rules, but the only one that blocks requests is an outbound rule, that also blocks all other kind of DNS traffic. I thought I could make an inbound or forward rule, having my client as the source and port 53 as the destination. (Intentionally ignored TCP).

To see the effect of any rule, I reset the counter:

I activated the log, and all the logged requests are

172.16.64.254:9876 ---> 8.8.8.8:53

If I use the torch tool and set the interface to WLAN or Bridge, then I see dozens of

172.16.64.199 ---> 172.16.64.254:53

. But no idea how to filter them. Any ideas what I can try?

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, etc.. )

Please ignore the entire Wiregurd stuff, it’s not relevant for the question I have.

The current rules are more of a trial and error, not intended to keep them this way

# 2023-12-09 20:57:04 by RouterOS 7.12.1
# software id = MKI3-RTA5
#
# model = RB924i-2nD-BT5&BG77
# serial number = XXX
/interface bridge
add admin-mac=DC:2C:6E:0F:C5:1D auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=switzerland disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=XXX wireless-protocol=\
    802.11
/interface wireguard
add disabled=yes listen-port=51820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/iot bluetooth
set bt1 name=bt1 random-static-address=F2:17:B5:72:17:07
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=172.16.64.100-172.16.64.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface ppp-client
add apn=em comment=LTE-M data-channel=2 default-route-distance=2 disabled=no \
    info-channel=2 keepalive-timeout=5 modem-init="AT+QGPSCFG=\"priority\"" \
    name=ppp-out1 pin=XXX port=modem
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=ppp-out1 list=WAN
/interface wireguard peers
add allowed-address=192.168.252.1/32,172.16.32.0/24 disabled=yes \
    endpoint-address=XXX endpoint-port=51820 interface=\
    wireguard1 public-key="XXX"
/ip address
add address=172.16.64.254/24 comment=defconf interface=bridge network=\
    172.16.64.0
add address=192.168.252.3/24 interface=wireguard1 network=192.168.252.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.16.64.0/24 comment=defconf dns-server=172.16.64.254 gateway=\
    172.16.64.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.16.64.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Remote Administration" dst-port=80 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment=Webinterface dst-address=172.16.64.254
add action=accept chain=forward comment=ICMP in-interface-list=LAN protocol=\
    icmp
add action=drop chain=forward src-address=172.16.64.199
add action=drop chain=input src-address=172.16.64.199
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=udp src-port=53
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input log=yes log-prefix=DNS protocol=udp src-port=53
add action=drop chain=output log=yes log-prefix=XXX protocol=udp src-port=53
add action=drop chain=output dst-port=53 log=yes log-prefix=YYY protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked log=yes log-prefix=WHY
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Dublin
/system gps
set channel=1 init-channel=2 init-string=\
    "AT+QGPSCFG=\"outport\",\"usbnmea\";+QGPSCFG=\"priority\",0;+QGPS=1" \
    port=modem set-system-time=no
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Second input rule.

Yup, it makes me cringe when I see people deviate from the defaults and dont know what they are doing.

(1) Why in gods earth would you allow port 80 to the router from the internet side. I would guess that using ether1 probably wont work as traffic is actually via the interface name in pppoe.

(2) Then you allow an input chain rule to a private IP on the LAN via an input chain rule… Ridonkulous.

Delete all the crap DNS rules and you should be left with the defaults with some additional adjustment you get the below settings:

/ip firewall address-list { using static dhcp leases mostly }
add address=172.16.64.10x/32 list=Authorized comment=“admin local desktop”
add address=172.16.64.10y/32 list=Authorized comment=“admin local laptop”
add address=172.16.64.10z/32 list=Authorized comment=“admin ipad/smartphone”
add address=192.168.252.3 list=Authorized comment=“admin remote access”
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
( admin rules )
add action=accept chain=input dst-port=51820 protocol=udp comment=“wireguard handshake”
add action=accept chain=input src-address-list=Authorized comment=“Config Access”
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(user rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes { enable if required }
—> add additional user rules here <—
add action=drop chain=forward comment=“drop all else”

And remove the dns rules from the output chain. The only thing you achieved is preventing the router itself from being able to resolve anything.

And for reference, the documentation on the firewall: https://help.mikrotik.com/docs/display/ROS/Filter

Key elements:

• input is for connection to the device itself, output for connections from the device itself, forward for connections going through the device
• order matters: the first match wins.
• think before acting: blindly stuffing random rules at random places is not going to work.

Thanks @vingjfg. The dumb second rule.

To all the others, as mentioned in my previous post, these rules are far from production.

Why in gods earth would you allow port 80 to the router from the internet side. I would guess that using ether1 probably wont work as traffic is actually via the interface name in pppoe

Tesing! The router’s WAN port was temporarily attached to a LAN port of my internal network. Just for the sake of simulating non-metered internet. LTE-M/NB-IoT is to expensive to do updates and mess around. And since all my other devices live in my regular LAN, I wanted to configure the Mikrotik without patching cables all the time.

Then you allow an input chain rule to a private IP on the LAN via an input chain rule… Ridonkulous

I guess everything is said.

Delete all the crap DNS rules and you should be left with the defaults with some additional adjustment you get the below settings:

First, thanks for helping me. Nevertheless, a bit of reading would help before blaming.
I had totally overseen the second input rule. Then I created further, more precise rules with enabled logging to see where the packet counter increase and why.
It’s a fact, I’m not really familiar with MikroTik and wouldn’t use one of the product ever if I could avoid it, just because I’m not experienced enough with the RouterOS. I prefer other brands and products. Therefore, you have to excuse, that I potentially haven’t used the correct way to monitor or log what’s going on, on the router. Looks like there is the torch and the log. Both a rather minimalistic and limited tool, to do real debugging. But as I said, may there is more I’m not aware of.

Since I found the root cause, I was able to remove all the custom rules and just added the few I really ned.