Hi guys,
I am seeing these DNS entries.
They have an extraordinarily long TTL (24 hrs at the beginning).
I googled them and found this website link.
http://dnsamplificationattacks.blogspot.co.uk/2013/10/domain-krastius.html
It states that I am likely either taking part in a DNS amplification attack or I am being DDoSed.
I have these rules in place to protect my WAN connections
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop connection-state=new protocol=udp in-interface=ether1 - WAN1 src-port="" dst-port=53
1 chain=input action=drop connection-state=new protocol=udp in-interface=ether2 - WAN2 src-port="" dst-port=53
2 chain=input action=drop connection-state=new protocol=tcp in-interface=ether1 - WAN1 src-port="" dst-port=53
3 chain=input action=drop connection-state=new protocol=tcp in-interface=ether2 - WAN2 src-port="" dst-port=53
The website informs us that I should use an iptables rule to control this.
Rule 1
iptables --insert INPUT -p udp --dport 53 -m u32 --u32 "0x28&0xFFDFDFDF=0x064b5241 && 0x2c&0xDFDFDFFF=0x53544902 && 0x30&0xDFDFFF00=0x55530000" -j DROP -m comment --comment "DROP DNS Q krasti.us"
Rule 2
iptables --insert INPUT -p udp --dport 53 -m string --from 40 --to 51 --algo bm --hex-string '|066b726173746902757300|' -j DROP -m comment --comment "DROP DNS Q krasti.us"
Can anyone help me configure these rules on my router? Additionally, can I set a maximum TTL for DNS of, say, 10 mins?
Thanks in advance.
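For anyone staring at the two iptables rules above and wondering what the hex means: the script below is an added explanation, not code from the original post or from the linked blog. It builds a DNS query packet for krasti.us (a constructed sample using RFC 5737 documentation addresses) and re-implements exactly what the u32 and string matches test. Rule 1 reads three 32-bit words at packet offsets 0x28, 0x2c and 0x30 (byte 40 is where the QNAME starts after a 20-byte IP header, 8-byte UDP header and 12-byte DNS header) and masks each letter with 0xDF, which clears the ASCII case bit, so it matches `KRASTI.US` as well as `krasti.us`; Rule 2 searches bytes 40 to 51 for the exact wire bytes `\x06krasti\x02us\x00`, so it is case-sensitive. Both only match a query for the bare name, and both silently assume an IP header without options.

```python
import struct

# u32 tests copied from Rule 1 above: (offset, mask, expected value), joined by &&
U32_TESTS = [
    (0x28, 0xFFDFDFDF, 0x064B5241),  # bytes 40..43: \x06 K R A (0xDF masks the case bit)
    (0x2C, 0xDFDFDFFF, 0x53544902),  # bytes 44..47: S T I \x02
    (0x30, 0xDFDFFF00, 0x55530000),  # bytes 48..51: U S \x00, 52nd byte ignored
]
# Hex pattern from Rule 2 above: \x06 krasti \x02 us \x00 (exact bytes, lowercase only)
STRING_NEEDLE = bytes.fromhex("066b726173746902757300")
STRING_FROM, STRING_TO = 40, 51  # --from 40 --to 51


def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Constructed sample packet: IPv4 (no options) + UDP to port 53 + one DNS question.
    Addresses are RFC 5737 documentation ranges, not real hosts."""
    dns_header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, RD set, QDCOUNT=1
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    dns = dns_header + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns  # checksum 0 = not computed
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,  # IHL=5 (20-byte header), DF, proto UDP
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]),
    )
    return ip + udp


def u32_test(pkt: bytes, offset: int, mask: int, value: int) -> bool:
    """One `offset&mask=value` term: 4 bytes big-endian at offset, counted from the IP header."""
    if offset + 4 > len(pkt):
        return False  # a read past the end of the packet fails the test
    (word,) = struct.unpack_from("!I", pkt, offset)
    return (word & mask) == value


def matches_u32_rule(pkt: bytes) -> bool:
    """All three terms of Rule 1 must hold (that is what && means in -m u32)."""
    return all(u32_test(pkt, off, mask, val) for off, mask, val in U32_TESTS)


def matches_string_rule(pkt: bytes) -> bool:
    """Rule 2: the exact byte pattern must lie inside bytes 40..51 of the packet."""
    return STRING_NEEDLE in pkt[STRING_FROM:STRING_TO + 1]


def classify(qname: str) -> dict:
    """Which of the two rules would drop a query for this name."""
    pkt = build_dns_query(qname)
    return {"u32": matches_u32_rule(pkt), "string": matches_string_rule(pkt)}


if __name__ == "__main__":
    for name in ("krasti.us", "KRASTI.US", "www.krasti.us", "example.com"):
        print(f"{name:16} {classify(name)}")
```

Running it shows the practical difference: the u32 rule catches mixed-case spellings of the query, the string rule does not, and neither matches `www.krasti.us` because the first label length byte (0x03) is no longer 0x06. Whichever form is ported to a router, it is a match on one specific query name, not on amplification in general.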
The problem does not come from the internet, but from your internal network.
One of your users is infected.
Block all connections from / to this list:
http://www.spamhaus.org/drop/
And check if your clients make excessive DNS MX requests or excessive SMTP requests.
rextended:
The problem does not come from the internet, but from your internal network.
One of your users is infected.
Block all connections from / to this list:
http://www.spamhaus.org/drop/
And check if your clients make excessive DNS MX requests or excessive SMTP requests.
What does “/” mean?
If I use the script the other poster suggested, how do I create a firewall rule that blocks these coming from the LAN?
Thanks.
I ran the code as suggested, but it has not created an Address List under firewall. Any ideas where I am going wrong?
Did you add this?:
Schedule the download and application of the openbl list
/system scheduler add comment="Download openbl list" interval=7d name="DownloadBegoneList" on-event=Download_openbl start-date=jan/01/1970 start-time=01:05:00
/system scheduler add comment="Apply openbl List" interval=7d name="InstallBegoneList" on-event=Replace_openbl start-date=jan/01/1970 start-time=01:15:00
You can try running it manually in system-scheduler. First run "DownloadBegoneList", and after 1-2 minutes run "InstallBegoneList". Then check the Firewall address list.
It didn't create an address list at all…
Am I supposed to manually create an address list? Or should it have been created when running the script?
Thanks
When I enter the command into terminal
/system script add name="Download_openbl" source={
    /tool fetch url="http://joshaven.com/openbl.rsc" mode=http;
    :log info "Downloaded openbl.rsc from Joshaven.com";
}
I get the message.
"failure: item with such name already exists"
I checked my "Files" folder in WinBox but don't see the files already existing…
Help
OK, forgive me guys. I am very new to MikroTik and learning fast.
I now have it working correctly.
When creating a firewall rule for this list, I have done as follows.
chain=forward action=drop src-address-list=blacklist
dst-address-list=blacklist in-interface=all-ethernet
out-interface=all-ethernet
Does that look correct?
Thanks guys.
add chain=forward action=drop src-address-list=blacklist in-interface=all-ethernet
add chain=forward action=drop dst-address-list=blacklist in-interface=all-ethernet
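To tie the thread together: rextended's suggestion to block the Spamhaus DROP list, the openbl address-list import, and the two forward rules in the reply above all rest on the same mechanism, an address list that firewall rules reference. The Python script below is an added illustration, not code from the thread, from MikroTik or from Spamhaus. It converts the DROP text format (`;` comment lines, then one `CIDR ; SBLnnn` entry per line) into a RouterOS `.rsc` fragment that rebuilds the address list and adds the two drop rules from the last reply, one per direction. The input is a constructed sample in the file's layout, not real DROP data; the list name `blacklist` follows the thread, and the `remove [find list=...]` line and rule comments are my additions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the DROP file layout (the real list lives at http://www.spamhaus.org/drop/).
# Comment lines start with ';'; entries are "CIDR ; SBL reference". The last line is
# deliberately malformed to show it is skipped rather than pushed to the router.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example, not real data)
; Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
not-an-address ; SBL000004
"""


def parse_drop(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (network, reference) pairs; skip comments, blank lines and anything
    that is not a valid IPv4 CIDR, so a corrupted download cannot inject odd entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue  # malformed line: ignore it
        if net.version != 4:
            continue  # this firewall configuration is IPv4 only
        entries.append((net, ref.strip()))
    return entries


def to_routeros(entries, list_name: str = "blacklist") -> str:
    """Emit a RouterOS .rsc fragment: rebuild the address list, then reference it
    from the forward chain in both directions (as in the last reply)."""
    lines = [
        "/ip firewall address-list",
        f"remove [find list={list_name}]",  # clear stale entries before re-import
    ]
    for net, ref in entries:
        lines.append(f'add list={list_name} address={net} comment="{ref}"')
    lines += [
        "/ip firewall filter",
        # one list per rule: a rule with both src- and dst-address-list would need both to match
        f'add chain=forward action=drop src-address-list={list_name} comment="DROP list: inbound"',
        f'add chain=forward action=drop dst-address-list={list_name} comment="DROP list: outbound"',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_routeros(parse_drop(SAMPLE_DROP)))
```

The generated text can be hosted and pulled onto the router with `/tool fetch` and applied with `/import`, the same pattern the openbl script in this thread uses. The outbound rule is the one that matters for rextended's point: a LAN host that keeps hitting DROP-listed addresses is the infected client to go and look at.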