Hi guys,
Having a hard time trying to block DNS in a network.
We have Mikrotik GW 192.168.2.1
Server on 192.168.2.253
We only want to allow DNS requests (through forwarders) from 192.168.2.253, anything else dropped. Also if possible, any DNS request from a client on the network, redirected to the server. What’s the best way to do this?
You probably want to DST NAT outbound DNS traffic unless it originates from your internal DNS server in which case it is allowed to pass outside as normal.
Could you provide an example of the rules I’d need to create that? I did try this, but it didn’t work. I think I’m getting the rules wrong.
Try this to redirect requests from your clients.
/ip firewall nat
add action=dst-nat chain=dstnat comment=dns disabled=no dst-port=53 protocol=tcp src-address=!192.168.2.253 to-addresses=192.168.2.253 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-port=53 protocol=udp src-address=!192.168.2.253 to-addresses=192.168.2.253 to-ports=53
And this to block DNS. Remember to change the WAN interface name to match yours.
/ip firewall filter
add action=drop chain=forward comment="block dns" disabled=no dst-port=53 out-interface=ether1-gateway protocol=tcp src-address=!192.168.2.253
add action=drop chain=forward disabled=no dst-port=53 out-interface=ether1-gateway protocol=udp src-address=!192.168.2.253
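One practical gap in the rule set above, added here as an example that is not part of the original reply: when the client and the DNS server sit on the same subnet (192.168.2.0/24, as the addresses in the thread suggest), a plain dst-nat redirect makes the server answer the client directly from 192.168.2.253, while the client is waiting for a reply from the address it actually queried (say 8.8.8.8) and discards it. The redirected query also needs to be source-NATed so the reply travels back through the router, which then reverses both translations. The rules below assume the LAN bridge is called bridge-lan and the WAN interface ether1-gateway (taken from the post); both names are assumptions and must be adapted.

```routeros
# Added example, not the forum poster's configuration.
# Assumptions (not stated in the thread): LAN interface "bridge-lan",
# WAN interface "ether1-gateway", LAN subnet 192.168.2.0/24, DNS server 192.168.2.253.

/ip firewall nat
# 1. Redirect every DNS query (UDP and TCP) entering from the LAN that does not
#    originate from the DNS server itself to the server. Restricting to
#    in-interface=bridge-lan keeps WAN-side traffic out of this rule.
add chain=dstnat in-interface=bridge-lan protocol=udp dst-port=53 \
    src-address=!192.168.2.253 action=dst-nat to-addresses=192.168.2.253 to-ports=53 \
    comment="redirect client DNS (udp) to 192.168.2.253"
add chain=dstnat in-interface=bridge-lan protocol=tcp dst-port=53 \
    src-address=!192.168.2.253 action=dst-nat to-addresses=192.168.2.253 to-ports=53 \
    comment="redirect client DNS (tcp) to 192.168.2.253"

# 2. Hairpin fix. dst-address here is the post-dst-nat address (192.168.2.253).
#    Masquerading the redirected query forces the server's reply back through the
#    router, so the client sees the answer coming from the address it queried.
add chain=srcnat out-interface=bridge-lan src-address=192.168.2.0/24 \
    dst-address=192.168.2.253 protocol=udp dst-port=53 action=masquerade \
    comment="hairpin NAT for redirected DNS (udp)"
add chain=srcnat out-interface=bridge-lan src-address=192.168.2.0/24 \
    dst-address=192.168.2.253 protocol=tcp dst-port=53 action=masquerade \
    comment="hairpin NAT for redirected DNS (tcp)"

/ip firewall filter
# 3. Safety net: drop any DNS leaving via WAN that is not from the server, e.g. a
#    client using a non-standard resolver path that bypassed the dst-nat. These
#    rules must sit above any rule that accepts LAN->WAN traffic, or they never match.
add chain=forward out-interface=ether1-gateway protocol=udp dst-port=53 \
    src-address=!192.168.2.253 action=drop comment="block dns (udp) except server"
add chain=forward out-interface=ether1-gateway protocol=tcp dst-port=53 \
    src-address=!192.168.2.253 action=drop comment="block dns (tcp) except server"
```

To check it is working, query an external resolver from a client (for example nslookup against 8.8.8.8) and confirm that the answer comes back and that the counters shown by /ip firewall nat print stats increase on the redirect and hairpin rules while the forward drop counters stay at zero. Note that only plain port-53 DNS is covered; DNS over HTTPS or DNS over TLS on ports 443/853 is not caught by these rules.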