DNS Cache

Hello guys.

I’m having some issues on some of my clients’ MikroTik routers.

The DNS cache has a lot of domains/data: more than 2000 items.

I have allow-remote-requests active, and I drop UDP/TCP port 53 using RAW rules in the firewall.

Is this a real issue?

Sorry for my bad English.

Router itself also uses DNS.

Thanks for the reply.

But can you explain that?
Just one PC is using the internet, and when I flush the cache all the data/items immediately return to the cache.

These items seem weird.

Example:

And it’s using 100% of the CPU (I don’t know if it is a DNS cache problem).

Image not working.
Post your configuration file please.

Print https://imgur.com/a/rfz52KF

# dec/13/2019 11:59:19 by RouterOS 6.43.4
# software id = 5HTH-KXRN
#
# model = RouterBOARD 750 r2
# serial number = 67D206662025
/interface bridge
add fast-forward=no name=Bdg-Local
/interface ethernet
set [ find default-name=ether1 ] name=eth1-Intervel
set [ find default-name=ether2 ] name=eth2-Speedy
set [ find default-name=ether3 ] name=ether3-BDG
set [ find default-name=ether4 ] name=ether4-BDG
set [ find default-name=ether5 ] name=ether5-BDG
/interface pppoe-client
# NOTE(review): the PPPoE password is exported in cleartext and this export was
# posted publicly; rotate the credential and share future exports with
# "/export hide-sensitive".
add disabled=no interface=eth1-Intervel name=pppoe-intervel password=137agrv \
    user=moinho.hotel
/interface list
add name=Internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=facebook regexp=facebook
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=192.168.1.128-192.168.1.254
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Bdg-Local name=DHCP-Local
/queue simple
add name=ADM priority=1/1 target=192.168.1.0/25
add name=WIFI target=192.168.1.128/25
/interface bridge port
add bridge=Bdg-Local interface=ether3-BDG
add bridge=Bdg-Local interface=ether4-BDG
add bridge=Bdg-Local interface=ether5-BDG
/interface list member
add interface=pppoe-intervel list=Internet
add interface=eth2-Speedy list=Internet
/ip address
add address=192.168.3.2/24 interface=eth2-Speedy network=192.168.3.0
add address=192.168.1.1/24 interface=Bdg-Local network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:e0:d5:5e:37:91:6c mac-address=\
    E0:D5:5E:37:91:6C server=DHCP-Local
add address=192.168.1.30 client-id=1:8c:dc:d4:fe:e8:13 mac-address=\
    8C:DC:D4:FE:E8:13 server=DHCP-Local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes this router a resolver for any
# source that reaches its input chain. The filter below never drops input, so
# only the two RAW rules (dst-port=53 from in-interface-list=Internet) keep
# Internet-side queries away from the resolver and its cache.
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    8.8.8.8,208.67.222.222,84.200.69.80
/ip firewall filter
# NOTE(review): chain=forward only matches DNS routed through the router to
# LAN hosts; it does not protect the router's own resolver, which is reached
# via the input chain.
add action=drop chain=forward dst-address=192.168.1.0/24 dst-port=53 \
    in-interface-list=Internet protocol=udp
# inactive time
add action=drop chain=forward comment=\
    Bloqueio-Facebook-PC-Recepcao-16:30h-23:59h dst-port=80,443 \
    layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=Bloqueio-Facebook-PC-Recepcao-00h-07h \
    dst-port=80,443 layer7-protocol=facebook protocol=tcp src-address=\
    192.168.1.11 time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# NOTE(review): these five input accepts (four /24 ranges plus an unconditional
# protocol=udp) are followed by no drop, so the input chain is effectively
# accept-all toward the router's own services. Per the thread, these lines are
# not the client's.
add action=accept chain=input src-address=173.208.219.0/24
add action=accept chain=input src-address=91.215.158.0/24
add action=accept chain=input src-address=208.110.66.0/24
add action=accept chain=input src-address=188.92.74.0/24
add action=accept chain=input protocol=udp
# inactive time
add action=drop chain=forward comment=\
    "Bloqueio Facebook - Recepcao - 7h-16:29 - Valter-Quarta-Feira" dst-port=\
    80,443 layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 \
    time=7h5s-16h29m55s,thu
# inactive time
add action=accept chain=output comment=\
    webproxy-libera-porta-8080-16:30h-23:59h dst-port=8080 protocol=tcp time=\
    16h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=output comment=webproxy-libera-porta-8080-00h-07h \
    dst-port=8080 protocol=tcp time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=forward comment=\
    webproxy-libera-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira dst-port=\
    8080 protocol=tcp time=7h5s-16h29m55s,thu
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rede-adm \
    passthrough=yes src-address=192.168.1.0/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.128/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.15
add action=mark-connection chain=input comment=\
    "Entra Intervel regra mark connection " in-interface=pppoe-intervel \
    new-connection-mark=intervel passthrough=yes
add action=mark-connection chain=input comment=\
    "Entra speedy regra mark connection " in-interface=eth2-Speedy \
    new-connection-mark=speedy passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Intervel regra mark connection " connection-mark=intervel \
    new-routing-mark=intervel passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Speedy regra mark connection " connection-mark=speedy \
    new-routing-mark=speedy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
# NOTE(review): TCP 9070 and 2101 arriving on pppoe-intervel are forwarded to
# 192.168.1.15 with no source restriction anywhere in the forward chain;
# confirm both services are meant to be reachable from the whole Internet.
add action=dst-nat chain=dstnat dst-port=9070 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=9070
add action=dst-nat chain=dstnat dst-port=2101 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=2101
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-16:30h-23:59h dst-port=80 protocol=\
    tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-00h-07h dst-port=80 protocol=tcp \
    time=0s-7h,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira \
    dst-port=80 protocol=tcp time=7h5s-16h29m55s,thu to-ports=8080
/ip firewall raw
# NOTE(review): RAW prerouting is evaluated before connection tracking and
# before the filter chains, so these drops also stop already-established
# flows. They are the only control on remote DNS in this config and rely on
# the Internet interface list (pppoe-intervel, eth2-Speedy) staying complete.
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=udp
/ip proxy
set enabled=yes max-fresh-time=1d
/ip proxy access
add dst-host=:deezer src-address=192.168.1.11
add dst-host=:webmail|locaweb|webmail-seguro.com.br src-address=192.168.1.11
add dst-host=:ventana src-address=192.168.1.11
add dst-host=:trivago src-address=192.168.1.11
add dst-host=:tripadvisor src-address=192.168.1.11
add dst-host=:sabesp src-address=192.168.1.11
add dst-host=:pousadavillaggioitalia src-address=192.168.1.11
add dst-host=:pousadaitaliaeleganza src-address=192.168.1.11
add dst-host=:omnibees src-address=192.168.1.11
add dst-host=:nfecj src-address=192.168.1.11
add dst-host=:nfe.fazenda src-address=192.168.1.11
add dst-host=:myhotel.omnibees src-address=192.168.1.11
add dst-host=:meuip src-address=192.168.1.11
add dst-host=:java src-address=192.168.1.11
add dst-host=:hotelmoinhoitalia src-address=192.168.1.11
add dst-host=:hoteis src-address=192.168.1.11
add dst-host=:fusionti src-address=192.168.1.11
add dst-host=:fazenda src-address=192.168.1.11
add dst-host=:extranet.decolar src-address=192.168.1.11
add dst-host=:correios src-address=192.168.1.11
add dst-host=:camposdojordao src-address=192.168.1.11
add dst-host=:booking src-address=192.168.1.11
add dst-host=:gruppoitalia src-address=192.168.1.11
add dst-host=:globo src-address=192.168.1.11
add dst-host=:focoaprendizagem src-address=192.168.1.11
add dst-host=:educacao.sp src-address=192.168.1.11
add dst-host=:escoladeformacao.sp src-address=192.168.1.11
add dst-host=:inovaeducacao.escoladeformacao.sp src-address=192.168.1.11
add dst-host=192.168.3.1 src-address=192.168.1.11
add action=deny redirect-to=www.fusionti.info/negado src-address=192.168.1.11
/ip route
add comment=Rota-Adm1 distance=1 gateway=192.168.3.1 routing-mark=rede-adm
add comment=Rota-Adm2 distance=2 gateway=pppoe-intervel routing-mark=rede-adm
add comment=Intervel-Italia distance=1 dst-address=138.94.71.230/32 gateway=\
    pppoe-intervel routing-mark=rede-adm
add comment=Rota-Wifi1 distance=1 gateway=pppoe-intervel routing-mark=\
    rede-wifi
add comment="Regra Entrada e Saida Intervel regra mark connection " distance=\
    1 gateway=pppoe-intervel routing-mark=intervel
add comment="Regra Entrada e Saida Speedy regra mark connection " distance=1 \
    gateway=192.168.3.1 routing-mark=speedy
add distance=1 gateway=192.168.3.1
add distance=1 gateway=pppoe-intervel
add comment=Check-Speedy distance=1 dst-address=189.8.2.162/32 gateway=\
    192.168.3.1 pref-src=192.168.3.1
/ip service
# NOTE(review): only the services listed here are disabled; any service not
# listed keeps its default state and, with no input drop in the filter, stays
# reachable from the Internet interfaces — confirm what remains enabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8
/system routerboard settings
set silent-boot=no
/tool netwatch
# NOTE(review): down-script uses the absolute path "/ip route set" while
# up-script uses the relative "ip route set"; presumably both resolve from the
# root context, but making them identical avoids a silent no-op on recovery.
add down-script=\
    "/ip route set [/ip route find comment=Rota-Adm1] disabled=yes" host=\
    189.8.2.162 interval=30s up-script=\
    "ip route set [/ip route find comment=Rota-Adm1] disabled=no"

Why do you have allow-remote-requests turned on if you don’t want people using it?

He is using it, for clients behind the network

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1

But his firewall is a mess. These lines in particular:

/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 dst-port=53 in-interface-list=Internet protocol=udp
add action=accept chain=input protocol=udp

?!!???
I also see lots of other accept lines but no final drop on input :question:
PS: adding those RAW lines without removing connections from conntrack will do nothing for the current established connections, it will only block new ones. (right?)

Well thanks!!

I have removed these lines

add action=accept chain=input src-address=173.208.219.0/24
add action=accept chain=input src-address=91.215.158.0/24
add action=accept chain=input src-address=208.110.66.0/24
add action=accept chain=input src-address=188.92.74.0/24
add action=accept chain=input protocol=udp

These lines do not belong to my client.

Now I am still receiving a lot of DNS traffic and connections in the firewall connections list.

After the mistake of allowing use of your router’s DNS from internet, the incoming requests will likely go on for some time but at some point it will stop again.

Importante !!

https://ibb.co/tmDT6bm

Thanks.

Even after flush cache?

Do you see any other issue on my config?

# dec/13/2019 15:00:36 by RouterOS 6.43.4
# software id = 5HTH-KXRN
#
# model = RouterBOARD 750 r2
# serial number = 67D206662025
/interface bridge
add fast-forward=no name=Bdg-Local
/interface ethernet
set [ find default-name=ether1 ] name=eth1-Intervel
set [ find default-name=ether2 ] name=eth2-Speedy
set [ find default-name=ether3 ] name=ether3-BDG
set [ find default-name=ether4 ] name=ether4-BDG
set [ find default-name=ether5 ] name=ether5-BDG
/interface pppoe-client
# NOTE(review): the PPPoE password is still exported in cleartext in this
# second public export; rotate the credential and share future exports with
# "/export hide-sensitive".
add disabled=no interface=eth1-Intervel name=pppoe-intervel password=137agrv \
    user=moinho.hotel
/interface list
add name=Internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=facebook regexp=facebook
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=192.168.1.128-192.168.1.254
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Bdg-Local name=DHCP-Local
/queue simple
add name=ADM priority=1/1 target=192.168.1.0/25
add name=WIFI target=192.168.1.128/25
/interface bridge port
add bridge=Bdg-Local interface=ether3-BDG
add bridge=Bdg-Local interface=ether4-BDG
add bridge=Bdg-Local interface=ether5-BDG
/interface list member
add interface=pppoe-intervel list=Internet
add interface=eth2-Speedy list=Internet
/ip address
add address=192.168.3.2/24 interface=eth2-Speedy network=192.168.3.0
add address=192.168.1.1/24 interface=Bdg-Local network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:e0:d5:5e:37:91:6c mac-address=\
    E0:D5:5E:37:91:6C server=DHCP-Local
add address=192.168.1.30 client-id=1:8c:dc:d4:fe:e8:13 mac-address=\
    8C:DC:D4:FE:E8:13 server=DHCP-Local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes this router a resolver for any
# source that reaches its input chain. The filter below has no input rules at
# all (default accept), so only the two RAW rules (dst-port=53 from
# in-interface-list=Internet) keep Internet-side queries away from the
# resolver and its cache.
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    8.8.8.8,208.67.222.222,84.200.69.80
/ip firewall filter
# NOTE(review): every rule in this chain list is forward or output; nothing
# restricts input toward the router's own services from the Internet
# interfaces.
# inactive time
add action=drop chain=forward comment=\
    Bloqueio-Facebook-PC-Recepcao-16:30h-23:59h dst-port=80,443 \
    layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=Bloqueio-Facebook-PC-Recepcao-00h-07h \
    dst-port=80,443 layer7-protocol=facebook protocol=tcp src-address=\
    192.168.1.11 time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=\
    "Bloqueio Facebook - Recepcao - 7h-16:29 - Valter-Quarta-Feira" dst-port=\
    80,443 layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 \
    time=7h5s-16h29m55s,thu
# inactive time
add action=accept chain=output comment=\
    webproxy-libera-porta-8080-16:30h-23:59h dst-port=8080 protocol=tcp time=\
    16h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=output comment=webproxy-libera-porta-8080-00h-07h \
    dst-port=8080 protocol=tcp time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=forward comment=\
    webproxy-libera-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira dst-port=\
    8080 protocol=tcp time=7h5s-16h29m55s,thu
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rede-adm \
    passthrough=yes src-address=192.168.1.0/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.128/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.15
add action=mark-connection chain=input comment=\
    "Entra Intervel regra mark connection " in-interface=pppoe-intervel \
    new-connection-mark=intervel passthrough=yes
add action=mark-connection chain=input comment=\
    "Entra speedy regra mark connection " in-interface=eth2-Speedy \
    new-connection-mark=speedy passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Intervel regra mark connection " connection-mark=intervel \
    new-routing-mark=intervel passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Speedy regra mark connection " connection-mark=speedy \
    new-routing-mark=speedy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
# NOTE(review): TCP 9070 and 2101 arriving on pppoe-intervel are forwarded to
# 192.168.1.15 with no source restriction anywhere in the forward chain;
# confirm both services are meant to be reachable from the whole Internet.
add action=dst-nat chain=dstnat dst-port=9070 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=9070
add action=dst-nat chain=dstnat dst-port=2101 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=2101
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-16:30h-23:59h dst-port=80 protocol=\
    tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-00h-07h dst-port=80 protocol=tcp \
    time=0s-7h,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira \
    dst-port=80 protocol=tcp time=7h5s-16h29m55s,thu to-ports=8080
/ip firewall raw
# NOTE(review): RAW prerouting is evaluated before connection tracking and
# before the filter chains, so these drops also stop already-established
# flows. They are the only control on remote DNS in this config and rely on
# the Internet interface list (pppoe-intervel, eth2-Speedy) staying complete.
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=udp
/ip proxy
set enabled=yes max-fresh-time=1d
/ip proxy access
add dst-host=:deezer src-address=192.168.1.11
add dst-host=:webmail|locaweb|webmail-seguro.com.br src-address=192.168.1.11
add dst-host=:ventana src-address=192.168.1.11
add dst-host=:trivago src-address=192.168.1.11
add dst-host=:tripadvisor src-address=192.168.1.11
add dst-host=:sabesp src-address=192.168.1.11
add dst-host=:pousadavillaggioitalia src-address=192.168.1.11
add dst-host=:pousadaitaliaeleganza src-address=192.168.1.11
add dst-host=:omnibees src-address=192.168.1.11
add dst-host=:nfecj src-address=192.168.1.11
add dst-host=:nfe.fazenda src-address=192.168.1.11
add dst-host=:myhotel.omnibees src-address=192.168.1.11
add dst-host=:meuip src-address=192.168.1.11
add dst-host=:java src-address=192.168.1.11
add dst-host=:hotelmoinhoitalia src-address=192.168.1.11
add dst-host=:hoteis src-address=192.168.1.11
add dst-host=:fusionti src-address=192.168.1.11
add dst-host=:fazenda src-address=192.168.1.11
add dst-host=:extranet.decolar src-address=192.168.1.11
add dst-host=:correios src-address=192.168.1.11
add dst-host=:camposdojordao src-address=192.168.1.11
add dst-host=:booking src-address=192.168.1.11
add dst-host=:gruppoitalia src-address=192.168.1.11
add dst-host=:globo src-address=192.168.1.11
add dst-host=:focoaprendizagem src-address=192.168.1.11
add dst-host=:educacao.sp src-address=192.168.1.11
add dst-host=:escoladeformacao.sp src-address=192.168.1.11
add dst-host=:inovaeducacao.escoladeformacao.sp src-address=192.168.1.11
add dst-host=192.168.3.1 src-address=192.168.1.11
add action=deny redirect-to=www.fusionti.info/negado src-address=192.168.1.11
/ip route
add comment=Rota-Adm2 distance=2 gateway=pppoe-intervel routing-mark=rede-adm
# NOTE(review): Rota-Adm1 is disabled=yes here and the netwatch entry that
# toggles it is also disabled below, so this route appears to stay off until
# someone re-enables one of them manually.
add comment=Rota-Adm1 disabled=yes distance=1 gateway=192.168.3.1 \
    routing-mark=rede-adm
add comment=Intervel-Italia distance=1 dst-address=138.94.71.230/32 gateway=\
    pppoe-intervel routing-mark=rede-adm
add comment=Rota-Wifi1 distance=1 gateway=pppoe-intervel routing-mark=\
    rede-wifi
add comment="Regra Entrada e Saida Intervel regra mark connection " distance=\
    1 gateway=pppoe-intervel routing-mark=intervel
add comment="Regra Entrada e Saida Speedy regra mark connection " distance=1 \
    gateway=192.168.3.1 routing-mark=speedy
add distance=1 gateway=192.168.3.1
add distance=1 gateway=pppoe-intervel
add comment=Check-Speedy distance=1 dst-address=189.8.2.162/32 gateway=\
    192.168.3.1 pref-src=192.168.3.1
/ip service
# NOTE(review): only the services listed here are disabled; any service not
# listed keeps its default state and, with no input rules in the filter, stays
# reachable from the Internet interfaces — confirm what remains enabled.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8
/system routerboard settings
set silent-boot=no
/tool netwatch
# NOTE(review): down-script uses the absolute path "/ip route set" while
# up-script uses the relative "ip route set"; presumably both resolve from the
# root context, but making them identical avoids a silent no-op on recovery.
add disabled=yes down-script=\
    "/ip route set [/ip route find comment=Rota-Adm1] disabled=yes" host=\
    189.8.2.162 interval=30s up-script=\
    "ip route set [/ip route find comment=Rota-Adm1] disabled=no"

I advise you to first upgrade your router to the current stable version (System -> Packages -> Check for upgrades),
then reset it to defaults and add only what you need, not that Christmas tree of strange rules that lead nowhere.

How seasonably of you!

What strange rules do you mean?

I will upgrade RouterOS to the current stable version, but what about the firmware? Is it safe and normal to upgrade it?
(system->routerboard->upgrade)

Yes you should update it as well, but it is not so important.
What is important: your firewall is completely bogus, as Znevna also wrote. Reset your router to defaults and do not build a firewall that is too difficult for you to understand.

Ok.

I can understand that. These rules are required by my client.
Block some sites in certain hours.

My difficulty is understanding why the DNS cache is full of incomprehensible DNS entries and how I can fix it.

I really appreciate all of your help!

It is because your firewall is wrong. Reset it to defaults and your problem will be fixed.
And don’t listen to clients that tell you to block certain websites, that is not realistic anymore these days.
(and certainly not using the method you have used there)

Similar for a proxy. Remove it, it is useless.

I understand that.

But we need to do what the customer wants. So if I need to allow only some websites, what can I do? What is the best/correct way?

Thanks again.

Start off with default firewall filter rules and only add drop rules according to customer’s wishes.