Drop all DNS requests from the Internet to my network

Hello all,

My network: 82.15.xx.0/24

I need to drop all DNS requests from the Internet to my network!


That means:

Internet ( udp 53 Request ) -----> 82.15.xx.0/24 —Drop
82.15.xx.0/24 -----> Internet ( udp 53 Request ) —Allow


Thanks

You have to drop all unwanted incoming packets from the Internet in general.

How do you detect unwanted incoming packets in the firewall?
Do you mean the connection state?

Drop in the input chain, dst port 53, protocol UDP, on the outside interface.

And the generic approach: in the input chain on the outside interface, drop everything that is not established.

For the raw table:

/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=udp

For filter:

/ip firewall filter
# in-interface=WAN restricts the rule to queries arriving from the Internet, so LAN clients can still use the router's DNS
add action=reject chain=input comment=DNS dst-port=53 in-interface=WAN protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=input comment=DNS dst-port=53 in-interface=WAN protocol=tcp reject-with=icmp-port-unreachable

Or

/ip firewall filter
# input: DNS to the router itself; forward: DNS to hosts behind the router
# in-interface=WAN keeps outbound (LAN -> Internet) DNS working, as required above
add action=drop chain=input comment=DNS dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=input comment=DNS dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=forward comment=DNS dst-port=53 in-interface=WAN protocol=udp
add action=drop chain=forward comment=DNS dst-port=53 in-interface=WAN protocol=tcp

Dropping port 53 alone is really insufficient. Get inspiration from the documentation:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
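The "generic approach" from the earlier reply (state-based drop on the outside interface) combined with the explicit DNS rules, written out as an added example; this is not configuration from any of the posts above. It assumes the Internet-facing interface is named WAN (as in the raw-table rules) and that everything not arriving on WAN is the LAN side; 82.15.xx.0/24 is the questioner's placeholder prefix.

```routeros
# Added example, not from the original thread. Assumes in-interface WAN = Internet side.
/ip firewall filter
# ---- input: packets addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router started"
add chain=input action=drop connection-state=invalid comment="drop invalid state"
add chain=input action=drop in-interface=WAN protocol=udp dst-port=53 \
    comment="DNS query from Internet to router: drop (explicit rule keeps its own counter)"
add chain=input action=drop in-interface=WAN protocol=tcp dst-port=53 \
    comment="same for DNS over TCP"
add chain=input action=accept in-interface=!WAN \
    comment="LAN may reach router services, including DNS on port 53"
add chain=input action=drop in-interface=WAN \
    comment="generic approach: any other new packet from Internet to router is dropped"

# ---- forward: packets passing through the router to/from 82.15.xx.0/24 ----
add chain=forward action=accept connection-state=established,related,untracked \
    comment="replies to connections opened from inside (covers LAN -> Internet DNS answers)"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=WAN protocol=udp dst-port=53 \
    comment="unsolicited DNS from Internet to internal hosts: drop"
add chain=forward action=drop in-interface=WAN protocol=tcp dst-port=53
add chain=forward action=accept in-interface=!WAN out-interface=WAN \
    comment="LAN -> Internet, outbound DNS queries included (allowed direction)"
add chain=forward action=drop in-interface=WAN connection-state=new \
    comment="generic approach: no new connections from Internet into the network"
```

Order matters: any host in 82.15.xx.0/24 that must stay reachable from the Internet needs its own accept rule placed before the final forward drop.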