Hi everybody,
I would like to share a very strange behavior of filter rules on my router today (RB2011 - ROS 6.1).
Yesterday evening I was flooded for some time by DNS requests. I was out, so I saw it on the graphs and from the logs…
Today similar things happened, but I was in front of the monitor…
My router has always had filter rules to drop everything that is unneeded, and I was really surprised to see that the RB2011 was answering DNS requests coming from the internet!!!
Many IPs doing traffic (udp:53) FROM my router!!
I tried many things to understand… Even some changes to the filter rules, but nothing happened! It seems that the router simply ignores the rules… If I disable "allow remote requests", of course, the outbound traffic stops… But I need it, so I rebooted the router…
Magically, after the reboot, the same filter rules that before didn't catch UDP packets now work perfectly, and my router doesn't answer DNS requests anymore… I still see DNS requests through "torch", but there is no answer from my router!
This is the first time I have seen this weird behavior on a MikroTik router, so some explanation will be welcome…

We saw exactly the same thing on an RB532 running ROS 6.1. I thought it was a rules issue, but couldn't find the culprit. Refreshed the rules with a new set, rebooted, and the problem was gone… I'm now not sure if a simple reboot would have sufficed.

I had a similar problem. The setup is like this: an application on the internet sends a UDP packet with some data every few seconds to the WAN interface of the MikroTik. The MikroTik contains two NAT rules to dst-nat the incoming packet to the production and development servers in the internal LAN. Only one NAT rule is enabled, so packets are directed to the production server. A few days ago I had to test a new version of the server, so I disabled the dst-nat rule to the production server and enabled the dst-nat rule to the development server. I found that packets were still destined to the production server. The solution was simple - I had to manually delete the appropriate UDP connection in the firewall connection list. After this action, packets started to flow to the development server according to the enabled dst-nat rule.
So it seems that UDP connections are somehow resistant to firewall rule changes once they are "established".
I did not make any other experiments regarding this because my primary goal was to test the server.
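The behaviour described in the post above (a packet flow that keeps following an old NAT or filter decision until its connection-tracking entry is deleted) can be checked and cleared from the RouterOS terminal without a reboot. The following is an added example, not commands from any poster in this thread or from MikroTik's documentation; the interface name `ether1-wan`, the port numbers and the match expressions are assumptions for illustration, and the `~` regex match on the `dst-address` string is how the connection entries are filtered here.

```routeros
# --- Inspect: which tracked connections exist for the flow in question? ---
# Connection entries are the per-flow state that dst-nat and the
# connection-state=established accept rule keep reusing; a new rule set is
# only consulted for packets that do not match an existing entry.
/ip firewall connection print where protocol=udp dst-address~":53"

# --- Clear: remove the stale entries so the next packet is re-evaluated ---
# Assumed filter: UDP entries whose destination port is 53 (DNS).
# Use a narrower match (e.g. src-address=192.0.2.10) if only one flow
# should be reset. 192.0.2.10 is a constructed documentation address.
/ip firewall connection remove [find protocol=udp dst-address~":53"]

# --- Prevent: the same ordering problem for DNS on the router itself ---
# A drop rule for WAN-sourced DNS placed AFTER a generic
# "accept established/related" rule never sees packets of an already tracked
# flow. Putting the explicit drop first avoids depending on a reboot or a
# manual connection purge. Interface name is an assumption.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop comment="DNS from WAN: drop before the established/related accept" \
    place-before=0
/ip firewall filter add chain=input connection-state=established,related action=accept

# Alternatively, stop the resolver from serving the WAN at all if it is not
# needed there (the poster in this thread needs it, so this is optional):
# /ip dns set allow-remote-requests=no
```

The `print` line is the quick check for "are my packets matching an old entry?": if an entry exists for the flow, rule changes will not take effect for it until the entry times out or is removed. The `remove [find ...]` form is the targeted equivalent of the reboot the first poster used, and it leaves every other tracked connection in place.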

Thanks for your tip, but I have a "drop all" rule at the bottom of my filter rules, and it works perfectly if RouterOS does its job… as it did after the reboot…