DNS Firewall/Queue Limitation

Would the following code limit each IP that is not 65.182.164.59 to 2 connections each of UDP and TCP to port 53 and then limit the whole thing to 10 kbps in the inbound direction?

/ip firewall mangle
add action=mark-packet chain=prerouting connection-limit=2,32 disabled=no dst-port=53 new-packet-mark=Other_DNS passthrough=no protocol=tcp src-address=!65.182.164.59
add action=mark-packet chain=prerouting connection-limit=2,32 disabled=no dst-port=53 new-packet-mark=Other_DNS passthrough=no protocol=udp src-address=!65.182.164.59
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10k name=queue1 packet-mark=Other_DNS parent=global-in priority=8 queue=default

If I removed the src-address declaration, would it then limit all DNS queries to those described limits?
I would just add an accept before those mangle rules for my own DNS server for outbound traffic. I should probably also add an accept for my non-resolving authoritative DNS server.


My intent is to limit the damage from DNS amplification attacks, but to still permit off-net queries of my resolving DNS servers.

Would this limit all DNS transactions to no more than 5 concurrent connections per IP, except for connections sourced by the DNS_Servers address list, for all traffic to and through this box?

/ip firewall filter
add action=accept chain=forward connection-limit=5,32 disabled=no dst-port=53 protocol=udp src-address-list=!DNS_Servers
add action=accept chain=forward connection-limit=5,32 disabled=no dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=accept chain=input connection-limit=5,32 disabled=no dst-port=53 protocol=udp src-address-list=!DNS_Servers
add action=accept chain=input connection-limit=5,32 disabled=no dst-port=53 protocol=tcp src-address-list=!DNS_Servers


Which would be a better way of handling it, this method or the original mangle? I had forgotten I had made the prior post when I thought up the above. Well, obviously I would revise the original to use the address list instead of the single IP.
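Two points a practitioner would check before deploying either variant. First, RouterOS `connection-limit` matches once the number of tracked connections from an address (or block, here /32) has reached the given value, so the rule that carries the match must be the one that drops, flags or marks the excess; an `action=accept` rule with `connection-limit=5,32` lets exactly the excess through and limits nothing. Second, for UDP each distinct source port of a query creates its own connection-tracking entry (kept for `udp-timeout`, 10s by default), so "2 connections" means two outstanding query flows per source within that window. The configuration below is an added example, not the poster's config or a MikroTik reference: it uses the poster's address 65.182.164.59, the `DNS_Servers` list and the `Other_DNS` mark from the post, and assumes v6 syntax (`parent=global-in`; on v7 the queue tree parent is `global`) plus an assumed list name `dns_abusers`.

```routeros
# Added example (not the original poster's configuration). Assumes RouterOS v6
# syntax and the list/mark names named in the lead-in. Connection tracking must
# be enabled for connection-limit to count anything.
/ip firewall connection tracking
set enabled=yes udp-timeout=10s

/ip firewall address-list
add list=DNS_Servers address=65.182.164.59 comment="own resolving DNS server (from the post)"
# Add the authoritative server the same way; listed hosts are never counted or dropped.

/ip firewall filter
# Exempt own DNS servers first so the counting rules below never see them.
add chain=input   protocol=udp dst-port=53 src-address-list=DNS_Servers action=accept comment="DNS: exempt own servers"
add chain=input   protocol=tcp dst-port=53 src-address-list=DNS_Servers action=accept
add chain=forward protocol=udp dst-port=53 src-address-list=DNS_Servers action=accept
add chain=forward protocol=tcp dst-port=53 src-address-list=DNS_Servers action=accept
# Any other /32 reaching 5 concurrent DNS "connections" is flagged for 10 minutes.
# connection-limit fires when the count REACHES the value, so this rule must not accept.
# add-src-to-address-list is non-terminating: the triggering packet continues to the drop rule.
add chain=input   protocol=udp dst-port=53 connection-limit=5,32 action=add-src-to-address-list address-list=dns_abusers address-list-timeout=10m comment="DNS: flag hosts over the per-/32 limit"
add chain=input   protocol=tcp dst-port=53 connection-limit=5,32 action=add-src-to-address-list address-list=dns_abusers address-list-timeout=10m
add chain=forward protocol=udp dst-port=53 connection-limit=5,32 action=add-src-to-address-list address-list=dns_abusers address-list-timeout=10m
add chain=forward protocol=tcp dst-port=53 connection-limit=5,32 action=add-src-to-address-list address-list=dns_abusers address-list-timeout=10m
# Drop everything to port 53 from flagged hosts, to the router and through it.
add chain=input   protocol=udp dst-port=53 src-address-list=dns_abusers action=drop comment="DNS: drop flagged hosts"
add chain=input   protocol=tcp dst-port=53 src-address-list=dns_abusers action=drop
add chain=forward protocol=udp dst-port=53 src-address-list=dns_abusers action=drop
add chain=forward protocol=tcp dst-port=53 src-address-list=dns_abusers action=drop

# Softer alternative (the mangle/queue approach from the first post): do not drop,
# only shape the excess. With passthrough=no, packets from hosts under the limit stay
# unmarked and unshaped; only packets that arrive once a /32 is at 2 connections get
# the mark and share the 10 kbit/s ingress queue.
/ip firewall mangle
add chain=prerouting protocol=udp dst-port=53 src-address-list=!DNS_Servers connection-limit=2,32 action=mark-packet new-packet-mark=Other_DNS passthrough=no comment="DNS: mark excess queries"
add chain=prerouting protocol=tcp dst-port=53 src-address-list=!DNS_Servers connection-limit=2,32 action=mark-packet new-packet-mark=Other_DNS passthrough=no
/queue tree
add name=dns_excess parent=global-in packet-mark=Other_DNS max-limit=10k queue=default comment="cap marked DNS excess at 10 kbit/s inbound"
```

Use one of the two halves, not both: with the filter rules in place the mangle rules only ever see the first few packets of a flagged host. Either way, watch the residual risk that matters most for amplification: the attacker spoofs the victim's address as the query source, so the per-/32 count, the 10 minute `dns_abusers` entry and the 10 kbit/s cap all land on the spoofed victim, and the resolver still answers it up to the limit. Per-source limits bound how much amplification each spoofed source can extract; they do not stop the resolver from being used as an amplifier, which only restricting recursion to known clients (or response rate limiting on the server itself) does.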