I was recently contacted by one of my upstream ISPs who told me that I have open recursive DNS servers on my network and that these are a security risk.
I did a bit of googling and realised that it was my MT gateway router with DNS cache enabled that was the issue. I have “allow remote requests” enabled to allow my customers to access the cache (plus I have a few static entries for other nodes on my network), but it did not occur to me that this would allow use of the cache (recursively) from the Internet. So I added this firewall rule:
I then also found that a VoIP ATA/router on my network was also allowing remote recursive requests to its cache. It has no mention of a cache in its documentation, no settings for it in its web interface and no way to block access to it on the WAN port. So I added this rule to the MT which is upstream of it:
So, this is just a note that there is a small security risk if you “allow remote requests” in your MT DNS cache settings, and also a question: are the above rules the best way to block access?
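As an added example (not the rules from the original post, which are not reproduced on the page), this is how the two blocks described above can be expressed in RouterOS CLI: one pair of input-chain rules that stops the router's own DNS cache answering from the Internet, and one pair of forward-chain rules that stops queries reaching the ATA behind it. The interface name ether1 and the ATA address 192.0.2.10 are placeholders I assumed, not values from the thread.

```routeros
# Added example; ether1 (Internet-facing interface) and 192.0.2.10 (LAN address of
# the VoIP ATA) are assumed placeholders. Adjust to your own topology.

# The setting that exposes the cache: with allow-remote-requests=yes the router
# answers DNS for anyone who can reach port 53, including the Internet, unless filtered.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Input chain = traffic addressed to the router itself (its DNS cache).
# DNS uses UDP normally and TCP for large answers/zone transfers, so filter both.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="block external access to DNS cache (udp)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="block external access to DNS cache (tcp)"

# Forward chain = traffic passing through the router. The ATA cannot be fixed on
# the device itself, so the router upstream of it drops external queries to it.
add chain=forward in-interface=ether1 dst-address=192.0.2.10 protocol=udp dst-port=53 action=drop comment="block external DNS queries to VoIP ATA (udp)"
add chain=forward in-interface=ether1 dst-address=192.0.2.10 protocol=tcp dst-port=53 action=drop comment="block external DNS queries to VoIP ATA (tcp)"

# Check: the packet/byte counters on these rules show whether external queries
# are still arriving (they should keep counting while the abuse traffic persists).
/ip firewall filter print stats where comment~"DNS"
```

Rules are evaluated top to bottom, so if the router already has an earlier rule that accepts everything on the input or forward chain, these drops must be moved above it (for example with `move` in the filter menu) or they will never be reached.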
Yes, DNS amplification attacks are becoming a major problem… Open recursive DNS servers are all going to need to be shut down. Really UDP is the issue, but UDP and DNS combined are causing big problems. It’s still somewhat under wraps as many ISPs are contacting their customers, having them fix the issues proactively. Blocking port 53 from all networks except internal should help.
What ATA/VoIP hardware is this? I would like to have it added to the list of known devices that we are keeping track of.
Zen contacted me about this a couple of days ago. In my case it was the D-Link ADSL router on the outside of my MT box.
Rather than block the individual ports, why not block everything from the Internet in the input chain except established and related? This covers all the bases in one fell swoop.
Ditto. I read about this problem but had assumed it applied to “real” DNS machines, not caches. So before blocking mine I looked at the traffic inbound. I’m not sure what an abuse looked like (having Googled such), but there were several IPs happily banging away at my MT.
It humbles me to know that within a short time after hearing of a potential issue, we are able to act (before making the news) and learn.
Yes GJS, it will block access from anywhere, but you can add addresses (your trusted IP addresses) before the drop rule; these addresses will be allowed to access the MikroTik router from outside.
e.g. ‘ip firewall filter add chain=input action=accept src-address=x.x.x.x/32’.
Basically saying, if you provide Internet access to customers, PLEASE only allow IPs that you assign them to pass through your gateways. BCP 38 is going to become a common term here shortly. Maybe I will put together a wiki about setting the right rules up.
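The two suggestions above, the default-deny input chain with a trusted-address exception and the BCP 38 egress filter for customer traffic, fit together in one RouterOS filter set. The following is an added example, not configuration posted by anyone in the thread; ether1 (Internet side), ether2 (customer side), the customer prefix 10.10.0.0/16 and the admin host 203.0.113.5 are assumed placeholders.

```routeros
# Added example; interface names, the customer prefix and the admin address are
# assumed placeholders. The rules are listed in the order they must be evaluated.

/ip firewall address-list
# Trusted sources that may still reach the router from outside (the src-address
# exception mentioned in the thread, kept in a list so it is easy to extend).
add list=trusted address=203.0.113.5/32 comment="admin host"

/ip firewall filter
# --- Input chain: traffic to the router itself (DNS cache, winbox, ssh, ...) ---
# Replies to connections the router started (its own upstream DNS lookups, NTP,
# updates) are accepted first; this is the "established and related" exception.
add chain=input connection-state=established,related action=accept comment="router-initiated replies"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Trusted addresses are accepted before the drop, so they keep management access.
add chain=input in-interface=ether1 src-address-list=trusted action=accept comment="trusted admins from outside"
# Optional visibility: log who is still querying the cache from the Internet,
# then disable this rule once reviewed so the log does not fill up.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=log log-prefix="ext-dns" comment="who still queries the cache; disable after review"
# Everything else arriving from the Internet to the router is dropped, which
# covers port 53 and any other service without a per-port rule.
add chain=input in-interface=ether1 action=drop comment="default deny from Internet"

# --- Forward chain: BCP 38 for customer traffic ---
# Only source addresses you actually assigned may leave through this gateway.
# Spoofed sources (the ones DNS amplification relies on) are dropped here.
add chain=forward in-interface=ether2 src-address=!10.10.0.0/16 action=drop comment="BCP38: drop spoofed customer sources"

# Checks: rule hit counters, and the entries written by the ext-dns log rule.
/ip firewall filter print stats
/log print where message~"ext-dns"
```

Add the trusted entry and the established/related rule before the final drop, and test management access from a trusted address before closing the session, since the default-deny rule also applies to the connection you are configuring from. The BCP 38 rule only blocks spoofing on the customer-facing interface; LAN segments with their own prefixes need a matching rule each.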