DNS works but firewall blocks DNS (UDP source port 53) on outside. Why?

I have an RB750G with a nearly default setup.
It gets its DNS from my ISP: 92.220.228.70 and 109.247.114.4.
DNS resolution from clients and the MikroTik router works fine.
There is a rule that blocks all traffic that does not have an explicit rule to allow it in. (Last filter rule)

chain=input action=drop in-interface=ether1 log=yes log-prefix="FW_Drop_all_from_WAN"

But why do I see this in my log:

firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:34694, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 109.247.114.4:53->92.x.x.x:39234, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:45052, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:39250, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:35385, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 109.247.114.4:53->92.x.x.x:35609, len 72

Why do I see this?
Source port 53? DNS
Is this normal?
Should I allow my DNS server to enter my firewall?

Your ISP won’t like it when you leave DNS open for people from the outside, because of the danger of you becoming a DDoS zombie.

Only if you know what you are doing should you open up ports to the outside.

These hits can be fragments from the DNS requests you made.

But what is this data coming from my ISP?
Should I just ignore it?

These packets are most likely to be part of an established connection.

Add the following rule which is part of the default configuration and the packets will be accepted (without causing a security risk as explained by msatter).

/ip firewall filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"

It’s already there, as first rule:

 0    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related

It seems to happen more when I was starting to use the net today:
MikrotikFWDNS.jpg

Have a look at the last part of this page: https://notes.shichao.io/tcpv1/ch10/

UDP is shoot and forget and when a part is lost then all has to be sent again. If you have fragments with every DNS request you have to look at the MTU with your ISP.

As you wrote, the DNS requests are working and these fragments can be ignored.
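
Added example, not part of any post in this thread: a small Python triage of log lines in the format quoted above. It separates drops that are shaped like DNS replies from the configured resolvers from reply-shaped packets sent by other hosts and from outside queries aimed at the router's port 53. The resolver addresses and log prefix come from the first post; the category names and the last two sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Resolver addresses and log prefix as given in the first post of the thread.
RESOLVERS = {"92.220.228.70", "109.247.114.4"}
PREFIX = "FW_Drop_all_from_WAN"

# Tail of a RouterOS firewall log line in the format quoted in the thread.
# The destination may be redacted (92.x.x.x), so it is matched loosely.
LINE_RE = re.compile(
    r"in:(?P<iface>\S+) out:\S+, .*?proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[0-9.]+):(?P<sport>\d+)->(?P<dst>[0-9a-z.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)"
)

def classify(line):
    """Return (category, source_ip) for one dropped-packet log line."""
    m = LINE_RE.search(line)
    if PREFIX not in line or m is None:
        return ("unparsed", None)
    src, sport, dport = m["src"], int(m["sport"]), int(m["dport"])
    if m["proto"] == "UDP" and sport == 53 and dport >= 1024:
        # Shaped like a DNS reply: from port 53 to a high client port.
        kind = "reply-from-resolver" if src in RESOLVERS else "reply-from-unknown"
        return (kind, src)
    if dport == 53:
        # Someone outside querying the router's own DNS service.
        return ("inbound-query", src)
    return ("other", src)

def summarize(lines):
    """Count dropped packets per (category, source_ip)."""
    return Counter(classify(l) for l in lines if l.strip())

# First three lines are copied from the thread; the last two are constructed.
SAMPLE = """\
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:34694, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 109.247.114.4:53->92.x.x.x:39234, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 92.220.228.70:53->92.x.x.x:45052, len 73
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 203.0.113.9:53->92.x.x.x:40112, len 3000
firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 198.51.100.7:51515->92.x.x.x:53, len 60
""".splitlines()

if __name__ == "__main__":
    for (kind, src), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {kind:20s} {src}")
```

If every drop lands in `reply-from-resolver`, the log shows only traffic from the two ISP resolvers; any `reply-from-unknown` or `inbound-query` rows are the ones worth a closer look.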