Hi,
I am seeing in my MikroTik router some connections to the DNS name “k3yhol3.ddns.net”; this name has the IP 0.0.0.0.
Linux (nslookup):
Non-authoritative answer:
Name: k3yhol3.ddns.net
Address: 0.0.0.0
ping web:
What’s up with this domain? I do not understand anything, if someone can help me …
Regards.
anav
January 18, 2019, 6:22pm
2
Please post your config
/export hide=sensitive file=mylatestconfig
It will help determine how your DNS and firewall rules are set up.
We may also want to consider redirect NAT rules for DNS.
Hi anav,
Thanks. export:
# jan/18/2019 20:37:41 by RouterOS 6.44beta54
# software id = 06GQ-R3YM
#
/interface bridge
add name=loopback protocol-mode=none
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
group-key-update=30m management-protection=allowed mode=dynamic-keys \
name=p_AP supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
ampdu-priorities=0,1,2,3,4 band=2ghz-onlyn basic-rates-a/g="" \
basic-rates-b="" bridge-mode=disabled disabled=no distance=indoors \
frequency=2452 ht-basic-mcs="" ht-supported-mcs="mcs-3,mcs-4,mcs-5,mcs-6,m\
cs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" \
hw-protection-mode=cts-to-self installation=indoor mode=ap-bridge \
radio-name="" rate-set=configured security-profile=p_AP ssid=INVI \
supported-rates-a/g="" supported-rates-b="" wireless-protocol=802.11 \
wps-mode=disabled
/ip pool
add name=pool_lan ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=pool_lan disabled=no interface=wlan1 lease-time=\
1d name=dhcp_lan
/ip neighbor discovery-settings
set discover-interface-list=none
/ip address
add address=192.168.88.1/24 interface=wlan1 network=192.168.88.0
add address=192.168.240.100 interface=loopback network=192.168.240.100
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether1 use-peer-dns=\
no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=1.1.1.1,208.67.220.220
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=valb01
/system ntp client
set enabled=yes primary-ntp=52.209.118.149 secondary-ntp=163.172.61.210
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
If you ping or resolve the domain, what does it resolve to for you?
Regards.
anav
January 18, 2019, 6:47pm
4
I am not familiar with 1.1.1.1; is that a legitimate DNS server?
Overall your setup is missing so many things and most of all any firewall rules.
I suggest you download the latest stable firmware 6.43.8 and reset to defaults.
For example
missing an IP pool
missing a DHCP-SERVER NETWORK
no firewall filter rules
no firewall nat rules
no IP route rules
and many others…
Hi,
IP 1.1.1.1 is Cloudflare.
https://blog.cloudflare.com/announcing-1111/
Regarding the firewall rules, they are not necessary, since in front of the MikroTik there is a firewall that blocks all unwanted input/forward traffic.
Can you try to resolve the domain k3yhol3.ddns.net by ping and tell me if an IP responds?
Regards.
I appreciate your help.
Takv
January 21, 2019, 10:38pm
6
Localhost… So strange.
Takv
January 21, 2019, 10:45pm
7
Jotne
January 22, 2019, 8:51am
8
Not strange at all. When you register a DNS name, you can add any IP you like.
So someone has registered k3yhol3.ddns.net with IP 127.0.0.1
I can register myserverhome.dyndns.com with IP 127.0.0.1, but why I should do that is another question.
Takv
January 22, 2019, 2:09pm
9
Exactly
Jcon
January 25, 2019, 6:00pm
10
Google k3yhol3
It sounds like you may have something on your network you’ll want to get rid of. Sounds like whatever it is, it keeps checking that domain for a valid IP. And once it has it… it will start its process. Be it transferring data… performing a DDoS attack… not good.
Burn it with fire… quick.
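Added example (not part of any post in this thread): one way to find which LAN client keeps looking up a name that only resolves to a placeholder address such as 0.0.0.0 or 127.0.0.1, and how regularly it does so. The log format (time, client IP, queried name, answer) and every sample record are constructed for illustration; adapt the parsing to whatever your resolver or firewall actually logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records (assumed format): time, client IP, queried name, answer.
SAMPLE_LOG = """\
2019-01-18T20:00:05 192.168.88.57 k3yhol3.ddns.net 0.0.0.0
2019-01-18T20:00:09 192.168.88.60 example.org 93.184.216.34
2019-01-18T20:05:05 192.168.88.57 k3yhol3.ddns.net 0.0.0.0
2019-01-18T20:10:06 192.168.88.57 k3yhol3.ddns.net 0.0.0.0
2019-01-18T20:12:00 192.168.88.61 k3yhol3.ddns.net 0.0.0.0
2019-01-18T20:15:05 192.168.88.57 k3yhol3.ddns.net 0.0.0.0
"""

def is_placeholder(answer):
    """True for answers that cannot be a real remote host (0.0.0.0, 127.0.0.0/8, ::, ::1)."""
    ip = ipaddress.ip_address(answer)
    return ip.is_unspecified or ip.is_loopback

def find_pollers(log_text, min_queries=3):
    """Return {(client, name): (count, median_gap_seconds)} for repeated placeholder lookups."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, name, answer = parts
        try:
            if is_placeholder(answer):
                seen[(client, name.lower().rstrip("."))].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # unparsable timestamp or address
    result = {}
    for key, times in seen.items():
        if len(times) < max(min_queries, 2):  # need at least two lookups to measure a gap
            continue
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        result[key] = (len(times), gaps[len(gaps) // 2])
    return result

if __name__ == "__main__":
    for (client, name), (count, gap) in find_pollers(SAMPLE_LOG).items():
        print(f"{client} looked up {name} {count} times, about every {gap:.0f}s")
```

A client that shows up here with a steady interval is the machine to isolate and inspect first.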