Hello..
I have set up a firewall rule to drop DNS requests (“81.198.87.240”, “91.188.51.139”)…
But it seems not to be working.
Should I change forward to input or something?
You are dropping on source-port, not dst-port. Also, make sure you are not using fasttrack. This may ignore your drop rules.
What are you trying to get generally?
How about the chain?
53 rules and counting… (ironic number, since we’re talking about DNS heheh)
Your firewall could probably be simplified quite a bit.
The first thing that’s obvious to me is all of the separate rules to block certain destination address ranges.
You should make an address list called “blocked”, add all of the blocked IP ranges to that list, and then replace all of the block rules with one rule:
chain=forward src-address=192.168.88.0/24 dst-address-list=blocked action=drop
Are you getting used in a DNS-Amplification DDoS attack or something?
As Jarda says, your intention isn’t clear.
About chains,
forward = packets going through your Mikrotik, so if your DNS server is on a server behind your router then use forward
input = packets destined for your Mikrotik that don’t match a forwarding rule
In your case, your DNS server is not listening for external requests, so to block DNS requests going to your DNS server behind the Mikrotik, use the forward rule.
To firewall inbound DNS requests from certain IP addresses, you’d use:
/ip firewall filter add chain=forward protocol=udp dst-port=53 src-address=81.198.87.240 action=drop
If you have many IP addresses you’d like to block, you can use a list.
If you want your Mikrotik to serve DNS requests to your internal devices, then select “Allow Remote Requests” in your DNS Server, and create a firewall rule to drop requests from the WAN.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface=ether1-gateway action=drop
If you aren’t serving DNS at all, but are seeing many requests hitting your Mikrotik, there isn’t much you can do about it. Or call your ISP and have it blocked upstream. If it’s not killing your bandwidth, then ignore it. It’ll probably eventually stop.
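Putting the advice from this thread together (address list instead of per-address rules, dst-port rather than src-port, rules placed ahead of fasttrack, WAN-side DNS blocked in the input chain) as one RouterOS snippet. This is an added example, not something posted in the thread; the two addresses and the interface name ether1-gateway are taken from the posts above, the list name “blocked” is the one suggested earlier, and the rule positions assume the fasttrack rule is currently the first forward rule.

```routeros
# Added example, not from the thread. Assumes RouterOS with the default
# filter layout (fasttrack-connection as the first forward rule).

# 1. One address list holds every source to block; extend it instead of
#    adding more rules.
/ip firewall address-list
add list=blocked address=81.198.87.240 comment="abusive DNS source"
add list=blocked address=91.188.51.139 comment="abusive DNS source"

# 2. Drop DNS queries (they are sent TO port 53, so match dst-port, not
#    src-port) from the list, for UDP and TCP. place-before puts them in
#    front of the fasttrack rule, which would otherwise bypass the filter
#    for established connections.
/ip firewall filter
add chain=forward protocol=udp dst-port=53 src-address-list=blocked \
    action=drop comment="drop DNS from blocked list" place-before=0
add chain=forward protocol=tcp dst-port=53 src-address-list=blocked \
    action=drop comment="drop DNS from blocked list" place-before=1

# 3. If the router itself answers DNS for the LAN ("Allow Remote Requests"),
#    refuse queries that arrive on the WAN interface so it cannot be used
#    as an open resolver in an amplification attack.
add chain=input protocol=udp dst-port=53 in-interface=ether1-gateway \
    action=drop comment="no DNS from WAN"
add chain=input protocol=tcp dst-port=53 in-interface=ether1-gateway \
    action=drop comment="no DNS from WAN"
```

Afterwards, `/ip firewall filter print stats` shows the packet counters on each rule, which is the quickest way to confirm the drops are actually matching.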
Yes, I do not want anything to do with the DNS requests.
And also to prevent DNS amplification DDoS attacks.
OK, I will try changing my settings.
Although DNS is a small stream, I still do not want to see it.