DNS queries often resolve to 0.0.0.0

Sorry if this isn’t the correct category to post this.

Setup:

DNS Server set up for LAN with primary server being 1.1.1.1 (Cloudflare) and secondary being 8.8.4.4 (Google)

Allow remote requests is enabled, but I have two rules blocking all traffic on TCP and UDP for port 53. Action is set to drop. For some reason the UDP rule seems to have an unusually high amount of traffic.


Problem:

For some reason, my Mikrotik sometimes resolves addresses to 0.0.0.0. This happened a long time ago (>6 months), went away on its own, and now came back. No configuration changes were made before this issue reappeared.

What I tried:

  • Flushing the DNS cache
  • Restarting multiple times
  • Changing DNS servers

(I know, not a lot but I’m running out of ideas)

Could someone be messing with my DNS server even though I have a rule to block all outside traffic on port 53?

What it SEEMS from the information provided so far:

You don't have a default firewall, so all the world's problems are dumped on you.

This isn't a joke, and I'm serious.

If you had to set those rules in your firewall,
your firewall is probably as good as nonsense.
Whoever set it up for you, didn't know what they were doing™.

Bold statement to make considering that you’ve seen all but 2 of the rules…. I’d say a very useful and constructive comment tbh….


Would be helpful to get the output of both:

/ip firewall export
/ip dns export

For me an IP address of 0.0.0.0 indicates using AdList. Could that be the case (it will be shown by the output)?


Anyone forced to set those two rules,
otherwise they'll use RouterBOARD as an open relay,
surely has a poorly configured firewall.

There's little to say; it's an objective thing, not subjective or a matter of preference...


By the way, whether it's constructive or not is up to others to decide, not me.
In fact, I posted the page on how the default firewall is configured on the forum...

So...

Oh I know for a fact that the guy who set it up didn’t know what they were doing, because that’d be me!

But seriously, I do have a rule on the forward chain to block out all traffic that’s not explicitly allowed, as well as a rule to block all input traffic not coming from LAN interfaces. They’re at the bottom of the chain, so that's why the port 53 rule is catching so many attempts to connect to DNS

Why the port 53 rule then? Idk, I set it up when I had the issue that other time because I was paranoid the port was somehow still exposed

That's fine, but if you don't want things to APPEAR one way or another,
always provide details...

Anyway, it seems like they're injecting answers into your DNS...
Try changing your DNS to two that aren't too public,
so you can be sure they won't be spoofed from outside...
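An added diagnostic for the situation discussed above (not code from the thread): query the router's resolver and its upstream directly for the same name with a minimal stdlib DNS client and see which side returns the 0.0.0.0 answer. The router address 192.168.1.1 and the name example.com are assumptions; `fake_response` builds a constructed packet so the parser can be exercised offline.

```python
import socket, struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    while True:                        # walk labels until the root label or a pointer
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:           # compression pointer occupies two bytes
            return off + 2
        off += n + 1

def a_records(msg):
    """Return the IPv4 strings found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve(server, name, timeout=3.0):
    """Send the query to `server` over UDP/53 and return its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return a_records(s.recv(512))

def fake_response(name, ip):
    """Constructed response with a single A answer, for offline testing only."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query(name)[12:] + answer

if __name__ == "__main__":
    for server in ("192.168.1.1", "1.1.1.1"):   # assumed router address and its upstream
        ips = resolve(server, "example.com")
        print(server, ips, "<- sinkholed" if "0.0.0.0" in ips else "")
```

If only the router returns 0.0.0.0 while 1.1.1.1 queried directly does not, the answer is being produced or cached on the router side rather than upstream.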

I apologize in advance for the mess that is my firewall and NAT config.

/ip firewall export output

# 2025-11-03 11:21:06 by RouterOS 7.16.2
# software id = XXHA-ZBG0
#
# model = RB951G-2HnD
# serial number = 
/ip firewall address-list
add address=181.117.203.232 disabled=yes list=UAI
add address=186.122.130.27 comment="UAI ROCA" list=UAI
add address=201.235.200.16 comment="PCS ELECTRO LAB 5" disabled=yes list=UAI
add address=186.122.36.126 comment="UAI ROCA 2\?" list=UAI
add address=170.238.124.106 comment="UAI ROCA NUEVA IP 26 JUNIO 2025" list=UAI
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept input from VLAN 10" src-address=192.168.10.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Block DNS (TCP) from outside" dst-port=53 in-interface=\
    "ether1 - WAN" protocol=tcp
add action=drop chain=input comment="Block DNS (UDP) from outside" dst-port=53 in-interface=\
    "ether1 - WAN" protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=13444 protocol=udp
add action=accept chain=input comment="wireguard stuff" src-address=192.168.2.0/24
add action=drop chain=input comment="DROP ALL ELSE (FROM WAN)" in-interface-list=WAN log-prefix=\
    "INPUT DROP ALL" src-address-list=""
add action=fasttrack-connection chain=forward comment="FASTTRACK TRAFFIC!!" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=lan-bridge log-prefix=\
    "ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=accept chain=forward comment="ACCEPT RDP FROM UAI" disabled=yes dst-port=3389 in-interface=\
    "ether1 - WAN" protocol=tcp src-address-list=UAI time=8h-15h,tue,wed,thu,fri
add action=accept chain=forward comment="ACCEPT RDP FROM ANYWHERE" disabled=yes dst-port=3389 \
    in-interface="ether1 - WAN" protocol=tcp
add action=accept chain=forward comment="accept tcp SQL server" disabled=yes in-interface="ether1 - WAN" \
    src-address-list=""
add action=accept chain=forward comment="Minecraft 25565" dst-port=25565 in-interface="ether1 - WAN" \
    protocol=tcp
add action=accept chain=forward comment="Pterodactyl SSL connection" dst-port=9191 in-interface=\
    "ether1 - WAN" protocol=tcp
add action=accept chain=forward comment="Pterodactyl SFTP connection" dst-port=9192 in-interface=\
    "ether1 - WAN" protocol=tcp
add action=accept chain=forward comment="Minecraft 24454 UDP USED FOR VOICE CHAT" dst-port=24454 \
    in-interface="ether1 - WAN" protocol=udp
add action=accept chain=forward comment="Source TCP forward" dst-port=27015 in-interface="ether1 - WAN" \
    protocol=tcp
add action=accept chain=forward comment="Source UDP forward" dst-port=27015 in-interface="ether1 - WAN" \
    protocol=udp
add action=accept chain=forward comment="ALLOW MINECRAFT PTERO" dst-port=28000-28099 protocol=tcp
add action=accept chain=forward comment="ALLOW MINECRAFT PTERO (UDP)" dst-port=28000-28099 protocol=udp
add action=drop chain=forward comment="DROP ALL 3398 TCP (used for RDP), note this is executed AFTER NAT \
    so the port is INTERNAL-FACING not the EXTERNAL-FACING 222222" dst-port=3389 in-interface=\
    "ether1 - WAN" protocol=tcp time=0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="DROP ALL other FORWARD traffic" in-interface="ether1 - WAN" \
    log-prefix="FORWARD DROP ALL"
add action=drop chain=input comment="DROP ALL INPUT FROM WANs" in-interface-list=WAN log=yes
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 dst-port=137-139,445 protocol=\
    tcp src-address=192.168.2.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.2.0/24 protocol=tcp src-address=\
    192.168.1.0/24
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" disabled=yes \
    dst-address-list=WANs new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LANs
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" disabled=yes
add action=masquerade chain=srcnat comment="Hairpin NAT for WSS" disabled=yes dst-address=192.168.1.92 \
    dst-port=9191 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Hairpin NAT for SFTP" disabled=yes dst-address=192.168.1.92 \
    dst-port=9192 protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="MASCARADE RULE NORMAL" out-interface="ether1 - WAN"
add action=masquerade chain=srcnat comment="MASCARADE RULE FOR WLAN BACKFEED" disabled=yes \
    out-interface=wlan1
add action=dst-nat chain=dstnat comment="WireGuard TCP" dst-port=51820 in-interface="ether1 - WAN" \
    protocol=tcp to-addresses=192.168.1.166 to-ports=51820
add action=dst-nat chain=dstnat comment="Test rule" disabled=yes dst-port=80 in-interface="ether1 - WAN" \
    protocol=tcp to-addresses=192.168.1.162 to-ports=80
add action=dst-nat chain=dstnat comment="WireGuard UDP" dst-port=51820 in-interface="ether1 - WAN" \
    protocol=udp to-addresses=192.168.1.166
add action=dst-nat chain=dstnat comment="SOURCE 27015  -> 192.168.1.250:27015" dst-port=27015 \
    in-interface="ether1 - WAN" protocol=tcp to-addresses=192.168.1.250 to-ports=27015
add action=dst-nat chain=dstnat comment="SOURCE 27015  -> 192.168.1.250:27015" dst-port=27015 \
    in-interface="ether1 - WAN" protocol=udp to-addresses=192.168.1.250 to-ports=27015
add action=dst-nat chain=dstnat comment="RDP TCP" dst-port=3398 in-interface="ether1 - WAN" protocol=tcp \
    to-addresses=192.168.1.250 to-ports=3389
add action=dst-nat chain=dstnat comment="INFLUXDB TCP" dst-port=8076 in-interface="ether1 - WAN" \
    protocol=tcp to-addresses=192.168.1.171 to-ports=8076
add action=dst-nat chain=dstnat comment="RDP UDP" dst-port=3398 in-interface="ether1 - WAN" protocol=udp \
    to-addresses=192.168.1.250 to-ports=3389
add action=dst-nat chain=dstnat comment="forward sql server 1334 -> 1433" dst-port=1334 in-interface=\
    "ether1 - WAN" protocol=tcp to-addresses=192.168.1.171 to-ports=1433
add action=dst-nat chain=dstnat comment="forward MYSQL 3360 -> 3306" dst-port=3360 in-interface=\
    "ether1 - WAN" protocol=tcp to-addresses=192.168.1.171 to-ports=3306
add action=dst-nat chain=dstnat comment="MINECRAFT 25526 -> 192.168.1.171:25565" dst-port=25526 \
    in-interface="ether1 - WAN" protocol=tcp to-addresses=192.168.1.250 to-ports=25565
add action=dst-nat chain=dstnat comment="MINECRAFT 24454 -> 24454 VOICE CHAT" dst-port=24454 \
    in-interface="ether1 - WAN" protocol=udp to-addresses=192.168.1.250 to-ports=24454
add action=dst-nat chain=dstnat comment="MINECRAFT SERVERS FOR PTERO NODE" dst-port=28000-28099 \
    protocol=tcp to-addresses=192.168.1.92 to-ports=28000-28099
add action=dst-nat chain=dstnat comment="MINECRAFT SERVERS FOR PTERO NODE (UDP)" dst-port=28000-28099 \
    protocol=udp to-addresses=192.168.1.92 to-ports=28000-28099
add action=dst-nat chain=dstnat comment="Ptero 9191 -> 9191" dst-port=9191 in-interface="ether1 - WAN" \
    protocol=tcp to-addresses=192.168.1.92 to-ports=9191
add action=dst-nat chain=dstnat comment="Ptero PORT 80 TEMPORARY RULE" dst-port=80 in-interface=\
    "ether1 - WAN" protocol=tcp to-addresses=192.168.1.92 to-ports=80
add action=dst-nat chain=dstnat comment="Ptero 9192 -> 9192" dst-port=9192 in-interface="ether1 - WAN" \
    protocol=tcp to-addresses=192.168.1.92 to-ports=9192

/ip dns export output

# 2025-11-03 11:22:22 by RouterOS 7.16.2
# software id = XXHA-ZBG0
#
# model = RB951G-2HnD
# serial number = 
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=50 servers=1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.1.1 name=mighty.ws type=A
add address=192.168.2.101 name=pcoficina.local type=A
add address=192.168.2.102 name=oficina.local type=A
add address=192.168.1.171 name=proxmox.local ttl=10m type=A
add address=192.168.1.18 name=esp-pc.local ttl=15m type=A

For me an IP address of 0.0.0.0 indicates using AdList. Could that be the case (it will be shown by the output)?

I don’t have AdList set up

While analyzing...please remove the serial from your post.

I see a big mistake there... or did you delete the list between the quotation marks?


Only 10s? Why not the 20s?

I see a big mistake there... or did you delete the list between the quotation marks?

Check in-interface-list

Only 10s? Why not the 20s?

Why 20 sec?

Why 10s?

Good catch, thanks

Why 10s?

It’s an old router, 10s has always worked fine, and I don’t want the connections table filled with dead connections

No, the rule does not work as expected: if src-address-list="" exists, the rule does not work as expected.

  1. working default:
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

Like the comment: <on input> drop all NOT coming from LAN <interface list>

  2. altered (ignoring log/comment):
add chain=input action=drop in-interface-list=WAN src-address-list=""

<on input> drop all NOT coming from WAN that have the <source IPv4> inside [undefined] <address list>
In addition to the above issue, this way ANY other source that is not EXPLICITLY a WAN (ignoring the real LAN) can go directly to the CPU...
So, the rule does not drop all as expected...
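An added check (not from the thread) that reads a RouterOS `/ip firewall filter` export and flags the two problems described above: a matcher left as an empty string such as src-address-list="", and a catch-all input drop keyed on in-interface-list=WAN instead of !LAN. The sample export is constructed from the rules quoted in the thread, not the poster's full export.

```python
import re
import shlex

# Constructed sample modelled on the rules discussed in the thread; it is not
# the original poster's full export.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="DROP ALL ELSE (FROM WAN)" in-interface-list=WAN log-prefix=\
    "INPUT DROP ALL" src-address-list=""
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=lan-bridge \
    out-interface-list=WAN
'''

def parse_rules(text, section="/ip firewall filter"):
    """Join RouterOS backslash-continued lines and return one dict per 'add' rule in `section`."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules, current = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current == section:
            rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value               # src-address-list="" arrives here as ''
            rules.append(rule)
    return rules

def lint_input_drops(rules):
    """Flag catch-all input drops that do not catch everything they are meant to."""
    findings = []
    for rule in rules:
        if rule.get("chain") != "input" or rule.get("action") != "drop":
            continue
        tag = rule.get("comment", "<no comment>")
        for key in ("src-address-list", "dst-address-list", "in-interface-list"):
            if rule.get(key) == "":
                findings.append(f"{tag}: {key} is empty, so the rule matches an undefined list")
        if rule.get("in-interface-list") == "WAN":
            findings.append(f"{tag}: matches only WAN; in-interface-list=!LAN drops every non-LAN source")
    return findings

if __name__ == "__main__":
    for finding in lint_input_drops(parse_rules(SAMPLE_EXPORT)):
        print(finding)
```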

It is justifiably safer to block all non-LAN, so I changed it just in case.

Regardless, no visible effect on counters and no effect on the DNS issue

@erlinden is checking, and as far as I'm concerned, that's not the only thing I wrote.

@erlinden is checking, and as far as I'm concerned, that's not the only thing I wrote.

What’s the other thing? Changing the DNS to a less popular one? I’ll try and see, though the chances of someone spoofing DNS between me and the ISP or at a higher level are insanely low

And as a side note: Thank you for the help so far (really, regardless of what I’m about to comment), though you should take savage’s feedback about constructive comments.

You don't have a default firewall, so all the world's problems are dumped on you.

This was in fact an assumption based on partial information. It would have been better phrased as a possibility along with a question to confirm it that was the case.

Whoever set it up for you, didn't know what they were doing™.

Regardless of the fact that I don’t know what I’m doing (lol), this comment does not contribute anything to the conversation itself, nor does it help to pinpoint the issue. In a more serious environment this could be considered unprofessional.

Anyone forced to set those two rules […] surely has a poorly configured firewall. There's little to say; it's an objective thing, not subjective or a matter of preference...

An assumption made with partial or incomplete information is not an objective statement.

By the way, whether it's constructive or not is up to others to decide, not me.

Even though you cannot control how people will perceive your comments, you are the one who decides and controls whether to make them constructive or not.

In fact, I posted the page on how the default firewall is configured on the forum...

Speaking of constructive, a link to that page would have been useful.

if you don't want things to APPEAR one way or another,
always provide details...

True, though a question asking for more information could have been made in the first comment like erlinden did.

“Why 20 sec?”
Why 10s?

Rather than explaining the effect of setting the timeout higher or how it could be affecting DNS requests, this reply does not give me any reason to change the timeout to 20s, so it’s not helpful feedback really. Even if you are right, you cannot convince people that your choice is right / objectively better / whatever if you don’t explain the reason.

as I'm concerned, that's not the only thing I wrote.

And this is also not helpful. As far as I’m aware I have been checking everything other members and you have written. Dropping “ah but you missed something” and not saying what it is does not help.

Please don’t take this personally. I have been through different processes that required me to both give and receive feedback, hence some of the feedback I am giving you was given to me at some point. I hope you find this useful like I did, and again, thanks for all the help so far.

The reason the default timeout was increased to 30s is that with a short timeout, the service might reply after that time and the reply is discarded rather than added to the cache.

While the DNS timeout will usually be set to a much smaller value, a delayed reply could still be useful for later queries.


You're right here, I could have sworn I pasted the link...


Except this?
must be closed, not opened empty, this lead to bugs...


The question was why you changed it, versus leaving it at the default, which is NOT my preference, but the default...
And a 30-second timeout is better anyway.
The reason for this is unrelated to the DNS issue, but it improves the other fields. (See also @pe1chl reply...)
Discussing this here would have been off topic...

(v6 20s, v7 30s defaults???)


I don't take anything personally, don't worry.
My attitude is quite annoying, but it certainly doesn't leave anyone indifferent,
and you'll definitely ask yourself a few "why did he write that?" questions, and whether you like it or not, you learn something new...
Like, for example, how to tolerate strange people... :upside_down_face:
...or how annoying it is when DETAILS are missing... that's why the first post was made that way ON PURPOSE... :joy: