dns allow remote requests

Hi guys,

I would like my router to respond to DNS queries,

I know I have to block requests from WAN; however, can you please advise what rules I need and where to move them? Thank you.


[admin@MikroTik_RB4011] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

2 ;;; accept connection to IKEv2 ports
chain=input action=accept protocol=udp in-interface-list=WAN dst-port=500,4500 log=no log-prefix=""

3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

5 ;;; management over VPN
chain=input action=accept protocol=tcp dst-port=80,8291 log=no log-prefix="" ipsec-policy=in,ipsec

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

7 ;;; defconf: accept in ipsec policy
chain=forward action=accept in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec

8 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
[admin@MikroTik_RB4011] /ip firewall filter>

I found these

/ip firewall filter
add chain=input in-interface= protocol=tcp dst-port=53 connection-state=new action=drop
add chain=input in-interface= protocol=udp dst-port=53 connection-state=new action=drop

Are they the ones I need?

Thanks all.

Existing rule #6 already drops everything from WAN, if it was not allowed before.

Does it mean I don't need those specific rules?

If your interface lists are correct, i.e. actual WAN interface is definitely not in LAN interface list, then current rules are enough.
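To check the two points made in the replies above (rule #6 already catches a new UDP/53 query from WAN, and it only works if the WAN port is not also in the LAN list), here is an added example that is not from this thread or from MikroTik: a small first-match evaluator over the input chain quoted in the original post. It models only the matchers that appear in those rules, and every packet it evaluates is a constructed value.

```python
# Added example (not from the post or MikroTik): first-match walk of the input chain.

# Constructed copy of the input-chain rules from the post, in print order
# (forward-chain rules omitted, log= options dropped; index 6 is "drop all not from LAN").
INPUT_CHAIN = [
    "action=accept connection-state=established,related,untracked",
    "action=accept protocol=udp in-interface-list=WAN dst-port=500,4500",
    "action=drop connection-state=invalid",
    "action=accept protocol=icmp",
    "action=accept protocol=tcp dst-port=80,8291 ipsec-policy=in,ipsec",
    "action=drop in-interface-list=!LAN",
]

def parse_rule(line):
    """Turn 'key=value key=value' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def rule_matches(rule, pkt):
    """True if every matcher present in the rule accepts the packet."""
    for key, val in rule.items():
        if key == "connection-state" and pkt["state"] not in val.split(","):
            return False
        if key == "protocol" and pkt["proto"] != val:
            return False
        if key == "dst-port" and str(pkt.get("dport")) not in val.split(","):
            return False
        if key == "in-interface-list":
            # '!LAN' matches packets whose ingress interface is NOT in the LAN list
            negate = val.startswith("!")
            if (val.lstrip("!") in pkt["lists"]) == negate:
                return False
        if key == "ipsec-policy" and not pkt.get("ipsec", False):
            return False  # 'in,ipsec': packet must have arrived inside an IPsec SA
    return True

def evaluate(pkt, chain=INPUT_CHAIN):
    """Walk the chain top to bottom; RouterOS accepts when no rule matches."""
    for idx, line in enumerate(chain, start=1):  # idx matches the post's numbering
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["action"], idx
    return "accept", None

def dns_query(lists, state="new"):
    """Constructed UDP/53 packet whose ingress interface is in these lists."""
    return {"proto": "udp", "dport": 53, "state": state, "lists": set(lists)}
```

A query from an interface that is only in WAN ends at rule 6 (drop), one from LAN reaches the end of the chain (accept), and one from an interface that is in both lists slips past rule 6, which is exactly the interface-list mistake the reply warns about.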

Yes, my list of WAN interfaces only has the WAN interfaces.

Thank you for your help.