ip dns allow remote requests set yes generate traffic !?

petru · July 7, 2013, 11:06am

Hello
I use RB2011UAS-2HnD and after upgrade to 6.1 I noticed that when in menu /IP DNS/Allow remote request is set to yes then it generate traffic and I noticed a lot of strange ip addresses in arp list
This is situation when Allow remote request=no
ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic

ADDRESS MAC-ADDRESS INTERFACE

0 D xxx.22.240.129 00:22:56:CF:B6:46 ether4_O
1 D xxx.168.15.1 5C:5E:AB:01:90:C4 ether5_S
2 D 192.168.2.5 90:E6:BA:E3:E8:ED ether3
3 D 10.0.10.10 00:24:2C:67:96:45 wlan1

This is situation when Allow remote request=yes
ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic

ADDRESS MAC-ADDRESS INTERFACE

0 D xxx.22.240.129 00:22:56:CF:B6:46 ether4_O
1 D xxx.168.15.1 5C:5E:AB:01:90:C4 ether5_S
2 D 192.168.2.5 90:E6:BA:E3:E8:ED ether3
3 D 10.0.10.10 00:24:2C:67:96:45 wlan1
4 D 192.168.3.5 00:C0:B7:A2:B8:C9 ether10_UPS
5 D 24.63.12.209 00:22:56:CF:B6:46 ether4_O
6 D 69.31.29.26 00:22:56:CF:B6:46 ether4_O

please help what is wrong…

prague · September 25, 2013, 9:40am

I have the same issue ! Did you find any solution ?

SurferTim · September 25, 2013, 9:53am

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.

/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1

If ether1 is not your wan interface, change that. Insure you place these above any udp accept rules.

efaden · September 25, 2013, 10:56am

SurferTim:

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1
If ether1 is not your wan interface, change that. Insure you place these above any udp accept rules.

Post your configuration of the above doesn’t fix it.

Sent from my SCH-I545 using Tapatalk 4

petru · October 6, 2013, 6:35pm

Thank you for reply

I put this rule

/ip firewall filter
add chain=input in-interface=ether4_O protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether4_O protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether4_O action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether4_O action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether4_O action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether4_O action=redirect

petru · October 6, 2013, 6:39pm

SurferTim:

If you are not blocking tcp and udp port 53, then your router is an open dns server. Block port 53 requests from the internet to the router.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1
If ether1 is not your wan interface, change that. Insure you place these above any udp accept rules.

Thank you for the reply

I put this rule and it works

/ip firewall filter
add chain=input in-interface=ether4_O protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether4_O protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether4_O action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether4_O action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether4_O action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether4_O action=redirect