Hi, All!
I have a problem with my BR750GL, the CPU load is very high. In Profile I see that “dns” usage is 80-90%.
When I stop “Allow Remote Requests” the usage goes down. Can someone explain that?
Can I fix that problem?
Thank you
DNS attack?
What you are seeing is most likely a DNS amplification attack or some variant of it.
https://www.us-cert.gov/ncas/alerts/TA13-088A
It’s a very easy fix. Either don’t allow remote requests or put the following rule in your firewall above all other rules on the input chain.
/ip firewall filter
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
I think that to the rules IPNET posted you have to add some rule to allow internal users to query the DNS cache on the MikroTik.
Sure. The rules have to be port specific, otherwise it’s better to switch the DNS service off. When such rules are needed it means your firewall has a conceptual error. Think about it.
Thank you for your advice, and sorry for my long absence.
By adding two firewall rules the CPU overload has stopped:
chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""
I will keep an eye on my router and post the result here.
Thank you again
Thanks for the catch… I do normally add an input interface to the rule.
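Putting the whole thread together, here is an added example (not from any poster above) of the complete RouterOS rule set: accept DNS from the LAN first so internal clients keep using the router's cache, then drop DNS arriving on the WAN interface so the router stops acting as an open resolver for amplification traffic. It assumes ether1 is the WAN uplink and 192.168.88.0/24 is the LAN; adjust both to your setup.

```routeros
# Assumption: ether1 = WAN uplink, 192.168.88.0/24 = internal LAN.
/ip firewall address-list
add list=lan-clients address=192.168.88.0/24 comment="clients allowed to use the router's DNS cache"

/ip firewall filter
# 1. Accept DNS queries from internal clients (UDP and TCP, port 53).
add chain=input action=accept protocol=udp dst-port=53 src-address-list=lan-clients comment="LAN DNS UDP"
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=lan-clients comment="LAN DNS TCP"
# 2. Drop DNS that reaches the router on the WAN side; this is the traffic
#    that was driving the "dns" CPU usage in the profiler.
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 comment="drop WAN DNS UDP"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 comment="drop WAN DNS TCP"
# These four rules must sit above any generic "accept established/related"
# or "accept all from WAN" rule in the input chain; check the order with:
print

# Verify the drop rules are actually matching: the packet/byte counters on
# the "drop WAN DNS" rules should climb while the LAN accept rules stay modest.
print stats

# Sanity check: the cache still answers LAN clients while remote requests
# never reach it. If the router does not need to serve DNS to the LAN at
# all, the simpler fix is to disable remote requests entirely:
/ip dns print
# /ip dns set allow-remote-requests=no

# Confirm the effect on CPU: "dns" should no longer dominate the profiler.
/tool profile duration=10
```

If the LAN is reachable through several interfaces or VLANs, matching on the source address list (as above) is more robust than matching on a single in-interface for the accept rules.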