Drop DNS remote requests on WAN

Hi
I am running two MikroTik routers at different sites. On one of them I managed to drop DNS from the WAN side and can't see port 53 if I use a port scanner from the outside.

But on my own one the rules don't want to take. I do, however, have a hotspot here and I think I made a mess of the original config. Below are my firewall rules; can someone please tell me what I must change?
I keep getting hammered on DNS to the point that my router stops responding to requests.

I have tried making the in-interface Ethernet 1 or pppoe, which I use.

Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop protocol=tcp in-interface=ether1-gateway port=53 log=no log-prefix=""

 1   chain=forward action=drop protocol=udp in-interface=ether1-gateway port=53 log=no log-prefix=""

 2 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!aut>
     log=no log-prefix=""

 3 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix=""

 4 D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix=""

 5 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix=""

 6 D chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix=""

 7 D chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix=""

 8 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix=""

 9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix=""

10 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix=""

11 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix=""

12 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""

13 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough log=no log-prefix=""

14   ;;; default configuration
     chain=input action=accept protocol=icmp log=no log-prefix=""

15   ;;; default configuration
     chain=input action=accept connection-state=established log=no log-prefix=""

16   ;;; default configuration
     chain=input action=accept connection-state=related log=no log-prefix=""

17   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""

18   ;;; default configuration
     chain=forward action=accept connection-state=established log=no log-prefix=""

19   ;;; default configuration
     chain=forward action=accept connection-state=related log=no log-prefix=""

20   ;;; default configuration
     chain=forward action=drop connection-state=invalid log=no log-prefix=""

Your rules #0 and #1 are in the forward chain.
This means they will drop port 53 packets that are meant to go to a host behind your router.
This rule is correct if you use another host as DNS server.

If you use your MikroTik as DNS server (you did not write that, but I assume), you have to move the rules into the input chain. The input chain is used for packets that are meant to go to your router. Your clients will still have access to DNS, as you already used in-interface.

Besides that, I would usually suggest three things:

  • REJECT is preferred over DROP
  • ALLOW what you need and REJECT the rest. You did it the other way around
  • ESTABLISHED/RELATED should be at the beginning of the rules, so that packets of already established connections don't have to go through all the rules

Usually my firewalls are built like this (for input and forward chain):

  • allow established
  • allow related
  • allow what you need (dns from inside, full forward from inside and so on)
  • reject everything else

OK, thanks, it's closed now.

"ESTABLISHED/RELATED should be at the beginning of the rules, so that packets of already established connections don't have to go through all the rules"

Which rules must be moved where? I am not sure which ones refer to established/related.

Rules with
connection-state=established
and
connection-state=related
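
Putting the two replies together (move the DNS drop into the input chain; established/related first; allow what you need, reject the rest; rules 15/16 and 18/19 are the established/related ones), here is a complete static rule set in RouterOS CLI form. This is an added example written for this thread, not the poster's configuration or MikroTik-supplied code. It assumes interface names that the thread does not state: the Internet-facing interface is pppoe-out1 (the poster says they use PPPoE; if the public address is on ether1-gateway itself, use that name instead), the LAN interface is bridge, the hotspot interface is hotspot1, and the router itself answers DNS for LAN and hotspot clients. One point worth checking in the original listing: with a PPPoE uplink, packets from the Internet arrive with in-interface set to the pppoe interface, not the underlying ether1, so a rule matching in-interface=ether1-gateway (rules 0, 1 and 17) never sees them, which would explain why port 53 stayed reachable.

```routeros
# Added example (not from the thread). Assumed names: pppoe-out1 = WAN,
# bridge = LAN, hotspot1 = hotspot interface. Adjust to your router.
# The dynamic hotspot rules (flag D in the listing) are generated by
# /ip hotspot and are inserted at the disabled "place hotspot rules here"
# marker (rule 13); leave that marker alone and do not edit D rules by hand.

/ip firewall filter
# Remove only the old static rules, keeping the hotspot marker rule.
# (find cannot select dynamic rules, so the D rules are untouched.)
remove [find dynamic=no chain!="unused-hs-chain"]

# --- input chain: packets addressed to the router itself ---
# 1. established/related first: the bulk of traffic matches here and stops.
add chain=input action=accept connection-state=established,related \
    comment="input: accept established,related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
# 2. allow what you need.
add chain=input action=accept protocol=icmp comment="input: icmp"
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge \
    comment="input: DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=bridge \
    comment="input: DNS from LAN (tcp)"
add chain=input action=accept protocol=udp dst-port=53 in-interface=hotspot1 \
    comment="input: DNS from hotspot clients"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=bridge \
    comment="input: Winbox from LAN only"
# 3. everything else aimed at the router from the WAN, DNS included, is
#    dropped. Drop rather than reject here so an outside scanner sees
#    nothing and the router does not spend bandwidth answering a flood.
add chain=input action=drop in-interface=pppoe-out1 \
    comment="input: drop everything else from WAN (covers port 53)"

# --- forward chain: packets routed through the router ---
add chain=forward action=accept connection-state=established,related \
    comment="forward: accept established,related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
add chain=forward action=accept in-interface=bridge out-interface=pppoe-out1 \
    comment="forward: LAN to Internet"
add chain=forward action=accept in-interface=hotspot1 out-interface=pppoe-out1 \
    comment="forward: hotspot to Internet"
add chain=forward action=reject reject-with=icmp-admin-prohibited \
    comment="forward: reject the rest"
```

Two checks after applying it. From a host outside, `dig @<your public IP> example.com` should time out rather than answer, and a UDP/TCP scan of port 53 should show it filtered; from a LAN or hotspot client the same query should resolve. Note that /ip dns allow-remote-requests=yes is what makes the router answer queries from anyone at all; the firewall above is what restricts who is allowed to ask, so leave allow-remote-requests enabled for your clients and let the input chain do the filtering.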