DNS

Hi everyone, I would like my router to stop all the DNS coming from my clients from reaching my ISP. Any idea?

To just block it:

/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop

To intercept it and redirect it to your own server:

/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER

To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/

EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).

Hi, thanks for the assist, but it doesn’t work!

Make sure these block rules / NAT rules appear in the right order in your chains.

If you added the block rule, for instance, and this rule comes after a rule that allows all traffic outbound on the WAN interface, then the block rule is never going to be reached.

Add this to the rule:
place-before=0

Hi, I have realized that it has blocked only the wireless connection, but LAN still gets through!?

ZeroByte,
Hey, that really worked, thanks a lot man. Now I still need your help: nowadays my ISP is redirecting accounts to quarantine if they find out that your DNS traffic is high. Any solution to avoid quarantine?

Thanks.

If you force the local users to use the Mikrotik as their resolver, then the Mikrotik will cache most lookups so any burst of traffic will only get cached replies and not send them to the ISP.

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=LAN action=redirect
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface=LAN action=redirect
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 in-interface=WLAN action=redirect
/ip firewall nat add chain=dstnat protocol=tcp dst-port=53 in-interface=WLAN action=redirect

Also, set RP Filter to strict in /ip settings so that if a LAN workstation is a member of a botnet, spoofed-source DNS queries will not be answered.

Hi Byte,

I have done that but all the machines lose internet.

You must have DNS servers configured for the Mikrotik itself in /ip dns
You must also enable “allow remote requests” in order for this redirection to work.

Of course, make sure that the WAN interfaces will block DNS queries.

You can test your configuration by entering your public IP address into this test site:
http://openresolver.com/
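Pulling the pieces from this thread together into one RouterOS configuration, as an added example that is not any poster's or MikroTik's own config: it assumes interfaces named WAN, LAN and WLAN, placeholder upstream resolver addresses, and an optional internal DNS host at a placeholder address that must keep talking to the outside.

```routeros
# Assumed interface names: WAN (upstream), LAN and WLAN (client side).
# Assumed upstream resolvers: 203.0.113.53 / 203.0.113.54 (placeholders, use your own).
# Assumed internal DNS host to exempt (optional): 192.168.88.10 (placeholder).

# 1. The router resolves for its clients and caches the answers, so repeated
#    lookups from the LAN never reach the ISP a second time.
/ip dns set servers=203.0.113.53,203.0.113.54 allow-remote-requests=yes

# 2. Drop DNS arriving on the WAN so the router is not an open resolver.
#    place-before=0 puts each rule at the top of the input chain, ahead of
#    any existing "accept everything" rule that would otherwise win.
/ip firewall filter add chain=input in-interface=WAN protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN" place-before=0
/ip firewall filter add chain=input in-interface=WAN protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN" place-before=0

# 3. Let client DNS reach the router's own resolver. Redirected packets go
#    through the input chain, so a generic "drop all input" rule would cut
#    the clients off (the "all the machines lose internet" symptom above).
/ip firewall filter add chain=input in-interface=LAN protocol=udp dst-port=53 \
    action=accept comment="client DNS to router" place-before=0
/ip firewall filter add chain=input in-interface=LAN protocol=tcp dst-port=53 \
    action=accept comment="client DNS to router" place-before=0
/ip firewall filter add chain=input in-interface=WLAN protocol=udp dst-port=53 \
    action=accept comment="client DNS to router" place-before=0
/ip firewall filter add chain=input in-interface=WLAN protocol=tcp dst-port=53 \
    action=accept comment="client DNS to router" place-before=0

# 4. dstnat: exempt the internal DNS host FIRST (accept ends dstnat processing
#    for that packet), then redirect everyone else's port-53 traffic to the
#    router. These are appended in order; check with /ip firewall nat print
#    that the accept sits above the redirects and above any port-forward rule.
/ip firewall nat add chain=dstnat src-address=192.168.88.10 protocol=udp dst-port=53 \
    action=accept comment="internal DNS host may go upstream"
/ip firewall nat add chain=dstnat src-address=192.168.88.10 protocol=tcp dst-port=53 \
    action=accept comment="internal DNS host may go upstream"
/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=WLAN protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=WLAN protocol=tcp dst-port=53 action=redirect to-ports=53

# 5. Strict reverse-path filtering: a client spoofing its source address
#    (e.g. a botnet member) gets no answer instead of amplifying traffic.
/ip settings set rp-filter=strict

# 6. Verification: watch the counters climb on the drop/redirect rules and
#    confirm answers are now served from the router's cache.
/ip firewall filter print stats
/ip firewall nat print stats
/ip dns cache print
```

After applying, test the public address at http://openresolver.com/ as the thread suggests; the WAN drop rules in step 2 are what should make that test report "closed".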