Firewall disrupting email and receiving plain DNS replies

Hello, haven’t been using RouterOS for long, but I have a hAP 3 with a more or less default configuration other than the newer wireless package. I have not modified the firewall rules much yet, but just the default ones are preventing me from sending email. The firewall seems to be marking random TCP reset and ack packets as invalid for some reason; I don’t know what its logic is for blocking these. It likes to grab them from IMAP and SMTP ports, though. I need 143, 587 and 993. I’d rather not keep these ports open though, so I tried to add a srcnat port for those three destination ports. It didn’t work. Not sure what to do.

My other issue is that I keep receiving DNS traffic from Quad9 on port 53. My DNS is set for Quad9 but through DoH. The 443 traffic is working normally, so I don’t know why these replies are coming in. It’s being blocked by the firewall, which is good. My ISP seems to have a transparent proxy that hijacks DNS in certain cases. I believe this because on my old router the DNS would show as the ISP’s no matter what I set the router DNS to. Then they gave me another router that would allow you to change the DNS, but it routed it through their servers first. So I threw that thing away and bought this. The only way I ever got around it was to send out encrypted DNS on every device. It didn’t seem to touch those, even though in theory I would think they could still see the destination IP is a DNS server even on an SSL stream. I would much rather have my whole LAN with secure DNS.

The only guess I have is that maybe DNS requests from the LAN aren’t always being routed to 443 properly, and going out the gateway plaintext and getting replies. I guess I’d have to inspect the traffic more closely. The firewall is also marking a bunch of TCP reset packets for the Quad9 DoH as invalid. I don’t know what’s going on with this firewall.

Any help would be appreciated.

Well I think I’ve got the first issue worked out, but the DNS is still a mystery. I would also like to set it where the dynamic DNS servers are never used, which I thought was what the dns-no option was for, but when I use that the DNS doesn’t work at all.

Help how? Crystal Ball, Tarot Cards, Tea Leaves, PDF of your palm print?? :wink:

Network diagram, type of WAN connection, is there an ISP router in the way and
Config required
/export hide-sensitive file=anynameyouwish

Good starting firewall here - see ITEM B. - https://forum.mikrotik.com/viewtopic.php?t=182373

Thanks for the response. Help figuring out why I’m being bombarded with incoming DNS replies from port 53 on servers I don’t use. Router is set to use Quad9 over DoH so it shouldn’t be sending anything to the ISP DNS as I understand it. Yet when I open a network monitoring program it shows a DNS domain for the ISP. Probably them capturing on port 53. So where are the queries coming from?

Ok, I see now I need NAT rules to redirect all clients’ DNS requests and that configuring the DNS is not sufficient alone.

If you have a public IP address you will be scanned from random addresses to well known ports. It is important to block new inbound DNS packets, otherwise you will get used for DDoS amplification attacks. If you are seeing lots of replies, rather than requests, it could be the result of DDoS or DNS poisoning attempt.
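One way to put both points above into a RouterOS configuration: the dstnat rules the OP found were needed so that every LAN client's plaintext DNS lands on the router's resolver (which then forwards upstream over DoH), plus input-chain rules that drop unsolicited DNS arriving on the WAN so the router cannot be turned into an open resolver or amplifier. This is an added example, not a configuration posted in the thread. It assumes the default RouterOS interface lists named LAN and WAN, that /ip dns already points at the Quad9 DoH server as the OP describes, and that the default input chain (accept established/related, drop invalid, drop everything else not from LAN) is still in place.

```routeros
# Added example, not from the thread. Assumes default interface lists "LAN" and
# "WAN" and that /ip dns is already configured to forward over DoH.

# 1. Do not let the DHCP client on the WAN overwrite the resolver with the ISP's
#    servers ("dynamic servers" in /ip dns); the DoH setting then stays in force.
/ip dhcp-client set [find interface-list=WAN] use-peer-dns=no
/ip dhcp-client set [find] use-peer-dns=no

# 2. The router must be willing to answer DNS for LAN clients at all.
/ip dns set allow-remote-requests=yes

# 3. Redirect every LAN client's port-53 query to the router's own resolver,
#    including clients that hardcode a public resolver. The router then sends
#    the upstream query over DoH (443), so no plaintext DNS leaves the WAN.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="redirect LAN DNS (UDP) to router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="redirect LAN DNS (TCP) to router"

# 4. Input chain: allow the redirected queries from LAN, drop new inbound DNS on
#    WAN. Replies to the router's own upstream traffic already match the default
#    "accept established,related" rule, so with DoH in use anything new on
#    port 53 from the WAN is by definition unsolicited. Logging it gives the
#    visibility the OP was looking for without opening anything.
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 \
    action=accept comment="DNS from LAN to router"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 \
    action=accept comment="DNS from LAN to router"
add chain=input in-interface-list=WAN protocol=udp dst-port=53 connection-state=new \
    action=drop log=yes log-prefix="dns-wan" comment="drop unsolicited DNS on WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 connection-state=new \
    action=drop log=yes log-prefix="dns-wan" comment="drop unsolicited DNS on WAN"
```

The filter rules are appended at the end of the chain by default, so after adding them use `/ip firewall filter print` and `move` them above the default "drop all not coming from LAN" rule; otherwise the LAN accept rules never match. A quick check that the redirect works is to query a public resolver from a LAN host and confirm the counters on the dstnat rules increase while `/tool sniffer` on the WAN interface shows no port-53 traffic.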