Disable DNS Proxy or Recursive Resolver

RouterOS General
1

I received the below message from my ISP, anyone know how to resolve this on my CRS125?

Issue Description – A device on your network is capable of a network-impacting, distributed denial-of-service (DDoS) attack because it is acting as a DNS Open Resolver. This can allow hackers the ability to launch large attacks against others using your equipment.

We are asking that you take immediate action to remediate this issue.

Remediation Recommendations:

•Verify your router has the most current firmware.
•Consider disabling your DNS Proxy or Recursive Resolver in your router configuration settings.

2

If you use DNS resolver on router for LAN clients, block access from internet:

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=<WAN> protocol=udp
add action=drop chain=input dst-port=53 in-interface=<WAN> protocol=tcp

I prefer to block everything by default and then specifically enable access from LAN, that way it’s much harder to end up with mistake like your current configuration, but both ways are possible.

If you don’t use it at all, you can disable it completely:

/ip dns set allow-remote-requests=no