How To Limit Or Protect Against DNS Attacks

How to protect against DNS attacks? Thanks.
How to limit UDP port 53 by source address?

Thanks

You may use the firewall to filter packets destined to port 53.
chain=input to protect your router.
chain=forward to protect customers.


Hi friend,
Yes, we allow private DNS only, and our clients can't use the ISP's DNS... nice :wink:
As sergejs suggested; I have been running it for 2 years.

regards
Hasbullah.com

Yes, I understand. I have firewall rules that are working fine, but I need to limit DNS requests somehow.
Sometimes I see that DNS does not work on my router (ROS 2.9.50); when I torch the interfaces, I see that one of my clients is attacking (a lot of requests to DNS UDP port 53). How can I solve this problem, or maybe you can give me a script that blocks such a client for a while?



Thanks
With Regards Karapet Aznavuryan

Specify what exactly you want to block.

  1. you may block all of this user's traffic passing through the router with firewall chain=forward
  2. you may block all of this user's traffic sent to the router with firewall chain=input
  3. you may block this user's DNS traffic passing through the router with firewall chain=forward
  4. you may block this user's DNS traffic sent to the router with firewall chain=input

Hi again,

No, I think it's enough without any scripts; I have 2 rules for it:
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address-list=!my_isp_address_list action=drop comment="router DNS: only sources in our customer address list may query it; dst-port (not port) so replies coming back from port 53 are not dropped"
add chain=forward protocol=udp dst-port=53 dst-address=!my_private_dns action=drop comment="customers may only query our private DNS (my_private_dns = its IP address, placeholder)"

and I have another pair of rules like that for the central NTP server (port 123) too.

regards
Hasbullah.com

You may use the 'limit' matcher in firewall rules to limit the packet rate,

or use a queue for DNS requests.

Maybe this will help:
http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)
?
-Matt

Chupaka

Maybe you can give some examples of how to use the DNS limit?
I'd be very glad to see them.
Right now I'm trying to limit them with the following:

/ip firewall filter
add chain=input action=accept dst-port=53 protocol=udp limit=2400/1m,5 comment="limited dns" disabled=no 
add chain=input action=accept dst-port=53 protocol=udp comment="allowed dns" disabled=no

I need something like that; can you help me?



/ip firewall filter
# order matters: the rate-limited accept must come before the unconditional drop
add chain=input action=accept dst-port=53 protocol=udp limit=2400/1m comment="limited dns" disabled=no
add chain=input action=drop dst-port=53 protocol=udp comment="all others go to hell" disabled=no
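Added example, not code from this thread: a small Python simulation of what the two rules above do, next to a per-source variant. RouterOS limit=2400/1m,5 is a token bucket: 5 queries may pass at once, then 40 per second, and the bucket is shared by every source, so a single flooding client can starve the other customers' DNS. The second function gives each source its own bucket and drops a source that exceeds it for a while, which is what the bruteforce-prevention wiki page linked earlier does with action=add-src-to-address-list and address-list-timeout (matching per source in the firewall itself needs something like dst-limit in src-address mode; whether that is available on the reader's RouterOS version is an assumption). Addresses, timestamps and rates are constructed; exact fractions are used so the counts can be checked by hand.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Constructed addresses: one client flooding the router's resolver, one
# normal client. Rates are exact Fractions so results are reproducible.
FLOODER, CLIENT = "10.0.0.9", "10.0.0.2"
RATE = Fraction(2400, 60)   # limit=2400/1m  ->  40 queries per second
BURST = 5                   # the ",5" part of limit=2400/1m,5


@dataclass
class TokenBucket:
    """Token bucket with the semantics of RouterOS limit=rate,burst:
    `burst` packets pass at once, then `rate` packets per second."""
    rate: Fraction
    burst: int
    last: Fraction                     # time of the previous packet
    tokens: Fraction = field(init=False)

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def allow(self, now):
        refill = (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def shared_limit(packets, rate, burst):
    """Chupaka's rule pair: 'accept ... limit=rate,burst' then 'drop'.
    One bucket is shared by every source. Returns {src: (accepted, dropped)}."""
    bucket = TokenBucket(rate, burst, last=packets[0][0])
    stats = {}
    for t, src in packets:
        acc, drop = stats.get(src, (0, 0))
        stats[src] = (acc + 1, drop) if bucket.allow(t) else (acc, drop + 1)
    return stats


def per_source_limit(packets, rate, burst, block_seconds):
    """One bucket per source address; a source that exceeds its bucket is
    dropped for block_seconds, as add-src-to-address-list with
    address-list-timeout would do. Returns (stats, blocked_until)."""
    buckets, blocked_until, stats = {}, {}, {}
    for t, src in packets:
        acc, drop = stats.get(src, (0, 0))
        if blocked_until.get(src, -1) > t:        # still on the block list
            stats[src] = (acc, drop + 1)
            continue
        bucket = buckets.get(src)
        if bucket is None:
            bucket = buckets[src] = TokenBucket(rate, burst, last=t)
        if bucket.allow(t):
            stats[src] = (acc + 1, drop)
        else:
            blocked_until[src] = t + block_seconds
            stats[src] = (acc, drop + 1)
    return stats, blocked_until


def sample_traffic():
    """Constructed traffic: 200 queries from FLOODER within one second (one
    every 5 ms) and 5 queries from CLIENT spread over ten seconds."""
    flood = [(Fraction(i, 200), FLOODER) for i in range(200)]
    normal = [(Fraction(503, 1000), CLIENT)]
    normal += [(Fraction(n, 2), CLIENT) for n in (5, 9, 13, 17)]
    return sorted(flood + normal)


if __name__ == "__main__":
    pkts = sample_traffic()
    print("shared limit:", shared_limit(pkts, RATE, BURST))
    stats, blocked = per_source_limit(pkts, RATE, BURST, block_seconds=600)
    print("per-source  :", stats, "blocked:", sorted(blocked))
```

With the shared bucket the normal client's query at 0.503 s is dropped because the flooder has emptied the bucket, and the flooder still gets 44 of its 200 queries answered; with a bucket per source the flooder is cut off after 6 queries and the normal client loses nothing. Blocking on the first excess packet is deliberately strict; on a real router one would normally let the limit rule count a few excesses before adding the source to the address list.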

I registered to thank you, Chupaka! It really helped me.

If using chain=forward, wouldn't that block customers' DNS queries if they decided to use a public DNS?

How might you implement protection from DNS attacks on customers' CPEs from the core router?