DNS firewall problem

Nadir16 · August 9, 2020, 11:57am

hello, I have a problem with dns, I installed this protection, after an enable dns stops working https://wiki.mikrotik.com/wiki/DDoS_Detection_and_Blocking
After disable protection, DNS works again, we created rules to accept port 53 but still the same problem
https://i.postimg.cc/x1cyyhwy/dns.png
currently I have 2 connections with 2 providers, I have created rules but I can’t apply them to those providers
https://i.postimg.cc/76mfRY7C/dn2.png

how can i solve this problem?

anav · August 10, 2020, 1:14pm

Get rid of the DDOs blocking, its clearly getting in the way of your configuration for DNS purposes and it is not required.
If your ISP is not capable of blocking DDOS then you are wasting your time trying to do it on the MT.
Stick to the basic default firewall rules for troublefree traffic for your network.

Nadir16 · August 10, 2020, 8:11pm

this is a pretty good solution for my network, only the only problem is dns

anav · August 10, 2020, 9:53pm

post your entire config

/export hide-sensitive file=anynameyouwish

Nadir16 · August 11, 2020, 8:31pm

done

sindy · August 11, 2020, 8:43pm

As the very first rule in both input and forward chains of /ip firewall filter, place a rule connection-state=established,related action=accept. This will make all the other rules handle only the initial packet of each new logical connection, and if one of those other rules accepts such an initial packet, the rest of packets belonging to that same logical connection will be let through by the “accept established or related” one. So DNS responses will not be treated as a DDoS attack any more, and your router’s CPU will sweat much less as it will not have to push every single packet through the complete list of rules.

Also, the rule to accept incoming connections to port 53 must be placed before those DDoS protection ones, and must not accept packets coming from WAN.

anav · August 11, 2020, 8:56pm

The only part that confuses me is having the WAN part of your bridge? besides the fact its coming from a switch LOL. The rest of the config is far too complex for me to comment. ( Chapter 14 MTUNA certification states, if you know you are above your head, don’t drown just remove yourself from the situation )

Nadir16 · August 16, 2020, 5:44pm

hello sir, so how can i fix DNS to work?