DNS Remote Requests

Hello:

Have just installed a CRS109-8G-1S-2HnD and unsure how best to allow the DHCP clients to use it as the DNS server. One forum post said to pass the external servers via DHCP and another said to place DROP rules on the WAN interfaces so that remote requests could be switched on. I have tried the latter but when I query from a source outside of my network it still allows recursion. What have I done wrong with the rules please?

Flags: X - disabled, I - invalid, D - dynamic
 0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth log=no log-prefix=""
 1  D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix=""
 2  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix=""
 3  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix=""
 4  D chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix=""
 5  D chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix=""
 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix=""
 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix=""
 8  D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix=""
 9  D chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix=""
10  D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""
11 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough log=no log-prefix=""
12    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix=""
13    chain=input action=accept connection-state=established,related log=no log-prefix=""
14    chain=input action=drop protocol=tcp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
15    chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
16    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
17    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix=""
18    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix=""
19    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

Rule 16 should do the job - rules 14 and 15 are redundant.

Is ether1-gateway actually your WAN interface?
If you go into /ip addresses - what interface is your public IP address on? If it’s something other than ether1-gateway, then you’ll need to change rule 16’s in-interface to match whatever interface the public IP is on. (If you’re using PPPoE for instance, then even though the PPPoE may be connected to ether1-gateway, the IP address is actually on the PPPoE interface itself, and this is a common problem for beginners to discover.)
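
An added example, not part of the original thread: a small first-match evaluator over the static input-chain rules from the listing, showing why a DNS query is dropped when it arrives on ether1-gateway but accepted when it arrives on another interface. The interface name pppoe-out1 and the helper names are hypothetical, and the dynamic hotspot rules are assumed not to match WAN traffic.

```python
# Constructed sample: static input-chain rules 12-16 from the listing above,
# reduced to their matchers. The dynamic hotspot rules are left out (assumption:
# they do not match a query arriving from the WAN side).
FIRST_RULE = 12
RULES = """\
chain=input action=accept protocol=icmp
chain=input action=accept connection-state=established,related
chain=input action=drop protocol=tcp in-interface=ether1-gateway dst-port=53
chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53
chain=input action=drop in-interface=ether1-gateway
"""

def parse(text):
    """Turn each 'key=value ...' line into a dict of matchers."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        if key == "connection-state":
            if pkt[key] not in want.split(","):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(rules, pkt, chain="input"):
    """First matching rule wins; with no match the chain falls through to accept."""
    for n, rule in enumerate(rules, start=FIRST_RULE):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"], n
    return "accept", None

def dns_query(in_interface):
    """A new inbound UDP DNS query arriving on the given interface."""
    return {"protocol": "udp", "dst-port": "53",
            "connection-state": "new", "in-interface": in_interface}

if __name__ == "__main__":
    rules = parse(RULES)
    for iface in ("ether1-gateway", "pppoe-out1"):  # pppoe-out1 is a hypothetical name
        print(iface, verdict(rules, dns_query(iface)))
```

Pointing rule 16's in-interface at the interface that actually holds the public IP makes the same query hit that drop rule.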