Can't access DNS domain names from the router

I have configured my RB2011uiAs RM with 3 VLANS and DHCP servers and set up a default firewall. DNS works on the client, but not on the router. The problem seems to be with rule 5 (drop all not coming from LAN) because it works if I disable this rule. I’ve tried changing the rule to ‘drop all from WAN’ but that doesn’t work either. I tried adding a rule to allow requests from the router (rule 4). Can I safely disable rule 5, or how can I add another rule to allow DNS requests from the router itself?


# 2023-10-09 11:02:23 by RouterOS 7.11.2
# software id = XXXX-XXXX
#
# model = RB2011UiAS
# serial number = XXXXXXXXXXX
# Single bridge with VLAN filtering on; the three VLAN interfaces below hang off it.
/interface bridge
add name=bridge vlan-filtering=yes
# sfp1 is unused and disabled.
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
# Router-side (L3) VLAN interfaces: 10 = management, 20 = streams, 30 = office.
/interface vlan
add interface=bridge name=MGMT_VLAN vlan-id=10
add interface=bridge name=OFFICE_VLAN vlan-id=30
add interface=bridge name=STREAMS_VLAN vlan-id=20
# Interface lists: WAN/LAN are what the firewall filter and NAT rules key on,
# MGMT is used to restrict the MAC server / MAC-Winbox further down.
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One /24 per VLAN; .1 of each network is the router itself (see /ip address).
/ip pool
add name=MGMT_POOL ranges=10.44.10.2-10.44.10.254
add name=OFFICE_POOL ranges=10.44.30.2-10.44.30.254
add name=STREAMS_POOL ranges=10.44.20.2-10.44.20.254
/ip dhcp-server
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=8h name=MGMT
add address-pool=STREAMS_POOL interface=STREAMS_VLAN lease-time=8h name=STREAMS
add address-pool=OFFICE_POOL interface=OFFICE_VLAN lease-time=8h name=OFFICE
/port
set 0 name=serial0
# Access ports: untagged frames on each port land in the VLAN given by pvid.
# NOTE(review): "fame-types" on the ether7 line is not a RouterOS parameter name;
# the export would read frame-types=... — most likely a paste typo, but worth
# re-checking on the device since the line would not apply as written.
/interface bridge port
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether6 pvid=20
add bridge=bridge fame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=20
# Only the bridge itself is a tagged member of each VLAN, which is what lets the
# router's own VLAN interfaces above talk to the untagged access ports.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
# ether1 is the only WAN member; the three VLANs make up LAN. The firewall keys
# on these lists, so a new VLAN must be added to LAN here or it will be treated
# as "not coming from LAN" by the input chain.
/interface list member
add interface=STREAMS_VLAN list=LAN
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=LAN
add interface=OFFICE_VLAN list=LAN
add interface=MGMT_VLAN list=MGMT
# Router addresses on each VLAN; the DHCP gateways below point at these.
/ip address
add address=10.44.20.1/24 interface=STREAMS_VLAN network=10.44.20.0
add address=10.44.30.1/24 interface=OFFICE_VLAN network=10.44.30.0
add address=10.44.10.1/24 interface=MGMT_VLAN network=10.44.10.0
# WAN address via DHCP; use-peer-dns=no ignores the ISP's resolvers, so the
# router resolves through the static servers under /ip dns only.
/ip dhcp-client
add interface=ether1 use-peer-dns=no
# Static leases for two hosts on the STREAMS VLAN.
/ip dhcp-server lease
add address=10.44.20.2 client-id=ff:eb:cd:d7:88:0:1:0:1:2c:ad:a3:be:b8:27:eb:cd:d7:88 mac-address=B8:27:EB:CD:D7:88 server=STREAMS
add address=10.44.20.3 client-id=ff:32:53:63:42:0:1:0:1:2c:ad:ad:1b:dc:a6:32:53:63:42 mac-address=DC:A6:32:53:63:42 server=STREAMS
# Clients are handed 9.9.9.9 directly rather than the router's own address, so
# client lookups are forwarded (forward chain) instead of being answered by the
# router (input chain). That matches the symptom: clients resolve, the router
# itself does not.
/ip dhcp-server network
add address=10.44.10.0/24 dns-server=9.9.9.9 gateway=10.44.10.1
add address=10.44.20.0/24 dns-server=9.9.9.9 gateway=10.44.20.1
add address=10.44.30.0/24 dns-server=9.9.9.9 gateway=10.44.30.1
# The router's own resolver. allow-remote-requests=yes makes it answer queries
# from other hosts; combined with an input rule that accepts dst-port=53 from
# every interface (see /ip firewall filter) this exposes an open resolver toward
# WAN. Any such accept rule should carry in-interface-list=LAN.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,8.8.8.8,8.8.4.4
# IPv4 filter. input = traffic addressed to the router itself, forward = traffic
# passing through it.
# NOTE(review): the default configuration's first input rule,
#   add action=accept chain=input connection-state=established,related,untracked
# is absent here. Without it, replies to the router's own outbound traffic —
# including DNS answers arriving on ether1 — fall through to the
# in-interface-list=!LAN drop below and are discarded. That, not the DNS rule,
# is why the router cannot resolve names (see the replies further down).
/ip firewall filter
# Accepts SSH (port masked in the post) from every interface, WAN included.
# If WAN SSH is not required, add in-interface-list=LAN or a src-address-list.
add action=accept chain=input comment="allow SSH" dst-port=XXXX protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# "Rule 4" from the question. This matches queries sent TO the router on
# TCP/53, not the router's own outgoing lookups, so it cannot fix the symptom.
# Having no in-interface-list=LAN, together with allow-remote-requests=yes under
# /ip dns, it also exposes the resolver to WAN.
add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=tcp
# "Rule 5" from the question: drops everything to the router that did not enter
# on a LAN interface. Correct as the final input rule once the
# established/related accept is restored above it; disabling it instead would
# open every router service to WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# LAN -> WAN only. Traffic between the VLANs matches nothing here and ends in
# "drop all else", i.e. the VLANs are isolated from each other.
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
# Unreachable: the unconditional drop directly above already matches every
# remaining packet, so this rule never sees traffic.
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new \
in-interface=ether1
# Source NAT for everything leaving through a WAN interface; ipsec-policy=out,none
# keeps IPsec-bound traffic from being masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disables the FTP connection-tracking helper.
/ip firewall service-port
set ftp disabled=yes
# An "add" with no attributes is what the posted export shows — presumably a
# route whose details were stripped when posting; verify on the device.
/ip route
add
# Management surface: telnet/ftp/www/api/api-ssl are off and SSH is moved to a
# masked port. winbox is not listed, so it presumably keeps its default state.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=XXXX
set api disabled=yes
set api-ssl disabled=yes
# forwarding-enabled=remote permits SSH remote-forwarding tunnels to the router;
# turn it off unless it is actually used. strong-crypto=yes is the right default.
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
# Default-configuration IPv6 bogon list, used by the forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter, unchanged from the default configuration. Note that the input
# chain here still starts with the established,related,untracked accept — the
# rule the IPv4 input chain above is missing.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final forward rule: anything not entering on a LAN interface is dropped.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Front-panel LCD; PIN is masked in the post, hide-pin-number keeps it off the display.
/lcd
set backlight-timeout=1m default-screen=stat-slideshow
/lcd pin
set hide-pin-number=yes pin-number=XXXX
/system clock
set time-zone-name=Europe/London
/system identity
set name=XXXXXXXX
/system note
set show-at-login=no
# NTP client against the UK pool; the pool names below are resolved by the
# router's own DNS, so they are affected by the same input-chain problem.
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/system routerboard settings
set silent-boot=yes
# Bandwidth-test server off; MAC-telnet and MAC-Winbox only answer on the
# MGMT interface list (MGMT_VLAN) rather than on every interface.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Add this rule; DNS typically uses UDP:

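# TCP and UDP variants of the "allow DNS" input rule (quotes fixed to plain "
# so the lines paste into the CLI). Both match queries sent TO the router on
# port 53 from any interface: they do not accept the router's own outgoing
# lookups' replies, and without in-interface-list=LAN they let WAN hosts use
# the resolver.
add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=udp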

And this rule does nothing because the rule before it already drops everything:

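# Unreachable rule from the posted config: it sits after the unconditional
# "drop all else" in the forward chain, so no packet ever reaches it.
# (Quotes fixed to plain " and the line continuation restored.)
add action=drop chain=forward comment="drop access to clients behind NAT from WAN" connection-nat-state=!dstnat connection-state=new \
in-interface=ether1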

Thanks, I’ve changed it to UDP but it still doesn’t work. This is what my firewall looks like now:


# Revised IPv4 filter after switching the DNS rule to UDP. The input chain still
# has no established,related,untracked accept, so replies to the router's own
# DNS queries arriving on ether1 are still dropped by the !LAN rule — which is
# why the ping below still fails to resolve.
/ip firewall filter
# SSH now on port 22, still accepted from every interface including WAN.
add action=accept chain=input comment="allow SSH" dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Matches queries TO the router on UDP/53 from any interface, not its outgoing
# lookups; with allow-remote-requests=yes this is an open resolver toward WAN.
add action=accept chain=input comment="Allow router to access DNS" dst-port=53 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# The unreachable trailing drop has been removed.
add action=drop chain=forward comment="drop all else"



[admin@MikroTik] /ip/firewall/filter> /tool/ping google.com     
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server

I changed the port in the allow DNS rule from dst-port=53 to src-port=53 and now it works:


# Works only as a side effect: it accepts every inbound UDP packet whose source
# port is 53 — the returning DNS answers, but equally anything a remote host
# chooses to send from port 53 — on any interface. The correct fix is the
# default "accept established,related,untracked" input rule (see the reply
# below), which accepts those replies without opening an unrelated hole.
add action=accept chain=input comment="Allow router to access DNS" protocol=udp src-port=53

Allowing DNS requests from outside is a bad idea, it turns your router into an open DNS resolver.

All the issues stem from you having deleted the first line of the default configuration which accepts established, related and untracked traffic in the input chain.

yup any DNS rule in the input chain should use dst-port and should stipulate in-interface-list=LAN

@ comiconomenclaturist

# The safe form of the earlier DNS rule: LAN hosts may query the router's
# resolver, WAN hosts may not. It covers queries TO the router only; the
# router's own outbound lookups still need the established/related accept in
# the input chain, which is why this alone does not resolve the question.
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp

That does not solve the OPs problem.