DNS resolution vulnerability -

Someone locked this discussion http://forum.mikrotik.com/t/dns-resolution-vulnerability/127426/9 (silly if you ask me)

So I will reiterate the issue here:
Brand new router brought from the ISP, loaded default config and used Quick Set. Then added CAPsMAN and a few small things.

Sanitized config:

# jul/31/2020 13:42:41 by RouterOS 6.45.9
# software id = *********
#
# model = RB750Gr3
# serial number = **********
/interface bridge
add comment="lan" igmp-snooping=yes name=bridge priority=0x1000
add comment="bridge guest wifi" name=bridge-guest
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether3 ] comment=LAN2
set [ find default-name=ether4 ] comment=LAN3
set [ find default-name=ether5 ] comment=LAN4
/interface vlan
add interface=bridge-guest name=VLAN10 vlan-id=10
/caps-man configuration
add country=italy datapath.bridge=bridge-guest name=guest \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
    ******* ssid=Guests
add country=italy datapath.bridge=bridge name=main \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=\
    ******* ssid=Main
/interface list
add name=WAN
add name=LAN
/ip pool
add comment="LAN pool" name=pool ranges=192.168.2.9-192.168.2.99
add comment="Guest pool" name=guestpool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=pool disabled=no interface=bridge lease-time=3h name=dhcp
add address-pool=guestpool disabled=no interface=bridge-guest lease-time=1h \
    name=dhcp-guest
/queue simple
add max-limit=4M/4M name="WiFi Guests" target=bridge-guest
/user group
set read policy="local,telnet,ssh,reboot,read,test,winbox,password,sniff,sensi\
    tive,api,romon,dude,tikapp,!ftp,!write,!policy,!web"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=main \
    slave-configurations=guest
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=LAN interface=ether2 network=\
    192.168.2.0
add address=80.80.80.88/27 comment=WAN interface=ether1 network=\
    80.80.80.64
add address=10.10.10.1/24 comment=Guest interface=bridge-guest \
    network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=10.10.10.0/24 comment=Guest gateway=10.10.10.1
add address=192.168.2.0/24 comment=LAN gateway=192.168.2.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop udp 53" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop tcp 53" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="wifi: drop all from guest" \
    in-interface=bridge-guest out-interface=bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=80.80.80.65
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.2.0/24 port=****
set ssh address=192.168.2.0/24 port=****
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Mik1
/system ntp client
set enabled=yes primary-ntp=81.94.123.16 secondary-ntp=87.195.109.207
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Note: (added drop 53 just to make the point that this should not happen. I disabled fasttrack for some other reason)

ip firewall filter print

 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 1    ;;; drop udp 53
      chain=input action=drop protocol=udp in-interface-list=WAN dst-port=53 log=no log-prefix="" 

 2    ;;; drop tcp 53
      chain=input action=drop protocol=tcp in-interface-list=WAN dst-port=53 log=no log-prefix="" 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 log=no log-prefix="" 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

 9 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

13    ;;; defconf: drop all from guest
      chain=forward action=drop in-interface=bridge-guest out-interface=bridge log=no log-prefix=""

ip firewall nat print

 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none

ip dns print

          servers: 8.8.8.8,8.8.4.4
          dynamic-servers: 
          allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 21KiB

nmap result:

Discovered open port 53/udp on xx.xx.xx.xx
Discovered open|filtered port 53/udp on xxx-xx4.xxx-xx.org (xx.xx.xx.xx) is actually open

UDP 53 stays open whatever I do.

Not excluding that it actually is a bug in ROS, I’d recommend running /tool sniffer quick interface=ether1 port=53 on the Mikrotik while you run the nmap test, to see whether the UDP packets with destination port 53 really arrive at the Mikrotik. I can imagine DNS redirection taking place somewhere on the path between the nmap “client” and the WAN of the Mikrotik, causing some other device to respond to those packets.

Thanks, I am tending towards your explanation. I tried scanning from an nmap “client” No.2 and it doesn’t show an open port 53. Sniffer on port 53 shows a lot of communication between ether1 and my ISP DNS (I removed it from the sanitized config), and 8.8.8.8, but I don’t see any ether1:53. During the nmap scan from client2 I see packets sent to ether1:53, but nmap doesn’t report an answer, as I said. While during the nmap scan from client1, which reports 53 as open, I don’t see communication on ether1:53 at all, so it might be that something else is answering. I will do more tests.

Is your nmap scan running on a host on the LAN side of the router? While I think your router DNS server shouldn’t reply internally because you have allow-remote-requests=no, perhaps it is replying anyway.

Do your drop DNS request rules applied to the interface list WAN get any hits?
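The two checks suggested in this thread (sniff UDP/53 on the WAN port while the external scan runs, and see whether the WAN drop rules get hits) can be done in one pass from the RouterOS terminal. The following is an added walkthrough, not posted by anyone in the thread; it assumes the WAN interface is ether1 and that the drop rules carry the comments "drop udp 53" / "drop tcp 53" as in the sanitized config above. The sniffer parameters (filter-interface, filter-ip-protocol, filter-port, filter-direction) and print stats are standard RouterOS 6 options.

```routeros
# Added example (not from the thread). Assumes WAN = ether1 and the
# drop rules are commented "drop udp 53" / "drop tcp 53".

# 1. Zero all filter counters so that only packets arriving during
#    the external scan are counted.
/ip firewall filter reset-counters-all

# 2. Capture only UDP packets to/from port 53 received on the WAN
#    interface. rx = packets entering the router on ether1.
/tool sniffer set filter-interface=ether1 filter-ip-protocol=udp \
    filter-port=53 filter-direction=rx
/tool sniffer start

# ... run the nmap UDP scan from the outside host now ...

/tool sniffer stop

# 3. Did the probes actually reach the router?  An empty list means the
#    packets never arrived on ether1, i.e. something upstream answered
#    on the router's behalf.
/tool sniffer packet print

# 4. If they did arrive, the WAN drop rules must show a growing
#    packets= counter; an unchanged 0 means the rule never matched.
/ip firewall filter print stats where comment~"53"

# 5. Confirm the resolver itself refuses remote queries.
/ip dns print
```

Reading the result: packets in the sniffer list plus a rising counter on the "drop udp 53" rule means the router saw and dropped the probes, so any "open" verdict from the scanner came from a response the router did not send. No packets in the sniffer list while the scanner still reports 53/udp open is the redirection case described in the replies: the reply is being generated on the path, not by the router.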

Hi, absolutely not the LAN side. Both scans are from outside.
The drop rules didn’t register much activity from the first location scans. They register a dozen packets when scanned from nmap client2.

Perhaps your first nmap location isn’t sending DNS requests directly to your router as you think. Perhaps they are being captured by an NGFW for inspection, or a host-based AV/FW for inspection. This could trick nmap into thinking destination port 53 is open and responding when it actually isn’t.