Correct Firewall Rule for DNS

Hello, as the title suggests, I’m looking for the correct firewall rules to allow the router to perform DNS requests on behalf of the LAN.

So basically, all systems on my LAN use the default gateway (my router) for DNS lookup.

Currently I have UDP port 53 allowed from the LAN address list on the INPUT and OUTPUT chains. I think this should just be OUTPUT though, yes?

I’m seeing an awful lot of external connections to my WAN interface IP on port 53. I am worried about this.

Two ways of blocking DNS attacks on WAN:

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp
add action=reject chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp reject-with=icmp-host-unreachable

There is no consensus on whether it is better to DROP or to REJECT, but:
A. DROP makes your router a black hole, and the sender terminates the connection after many retries as there is no response.
B. REJECT generates an outgoing data stream but fools the sender into thinking there is no host; if the sender cares about it, it stops sending data.

If an attacker is just sending a constant stream of port-53 packets with a false src field, then your router sends a packet back to the router that is the real attack destination, so DROP seems to be better.

To block LAN users from asking external DNS servers:
A. your DHCP server should point users to the router as DNS server
B. the router’s DNS should be configured: http://wiki.mikrotik.com/wiki/Manual:IP/DNS
C. the firewall should block port-53 packets excluding the router as source (assuming 192.168.88.1 as its address)

/ip firewall filter
add action=drop chain=output dst-port=53 out-interface=ether1-gateway protocol=udp src-address=!192.168.88.1
add action=drop chain=output dst-port=53 out-interface=ether1-gateway protocol=tcp src-address=!192.168.88.1

Something like this: allow from LAN, drop everything else.

Don’t just copy/paste though.

/ip firewall filter
add chain=input dst-port=53 in-interface=ether1-lan protocol=udp
add chain=input dst-port=53 in-interface=ether1-lan protocol=tcp
#add action=drop chain=input

I guess tarpit on TCP is better.

@coyhl:
A. You assume that requests come only from the ether1-LAN interface and do not care about other ones, so you need to repeat the rules for each interface.
B. My rules block each device except the router, just on the outgoing interface.
C. Yes, I assume that requests are NATed to 192.168.88.1 as source; this should be tuned, but it is just an idea, not fully working code.
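Pulling the three pieces of advice in this thread together, as an added example (not a config posted by anyone above): the LAN-facing ports are gathered in an interface list named LAN, ether1-gateway is the WAN port and 192.168.88.1 is the router; those names and addresses are assumptions. One difference from the rules posted earlier: client queries that bypass the router are transit traffic, which RouterOS evaluates in the forward chain, while the output chain only sees packets the router itself originates.

```routeros
# Added example, not from the thread. Assumed names: ether1-gateway = WAN,
# "LAN" interface list = all LAN-facing ports, 192.168.88.1 = router address.
/interface list add name=LAN comment="all LAN-facing ports (assumed)"
/interface list member add interface=ether2 list=LAN
/interface list member add interface=wlan1 list=LAN

/ip firewall filter
# input chain = traffic addressed to the router itself.
# Let LAN clients query the router's own resolver over UDP and TCP.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN -> router DNS (UDP)"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN -> router DNS (TCP, for answers too large for UDP)"
# Unsolicited DNS arriving on the WAN address is dropped, not rejected:
# no reply means a flood with spoofed sources gets nothing reflected.
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop \
    comment="WAN -> router DNS (drop, do not reflect)"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 action=drop \
    comment="WAN -> router DNS (TCP)"
# forward chain = traffic passing through the router. Clients that try to
# reach an external resolver directly are stopped here; the router's own
# upstream queries leave via the output chain and are not touched.
add chain=forward in-interface-list=LAN out-interface=ether1-gateway protocol=udp \
    dst-port=53 action=drop comment="LAN clients must use router DNS (UDP)"
add chain=forward in-interface-list=LAN out-interface=ether1-gateway protocol=tcp \
    dst-port=53 action=drop comment="LAN clients must use router DNS (TCP)"
```

Rules are appended in order, so place the accept rules above any existing catch-all drop in the input chain, and confirm with `/ip firewall filter print stats` that the WAN drop rule is the one accumulating the port-53 hits the question describes.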