Mikrotik (crs125-24g-1s-2hnd-in) OPEN DNS

Forze · August 30, 2014, 11:41am

Hi,
I recently received a letter from my ISP claiming my connection was at risk due to my routers configuration regarding open DNS,
they asked me to go to http://www.thinkbroadband.com/tools/dnscheck.html i ran their test & my connection failed the test

How can i resolve this or what settings to i need to configure as im struggling to configure this router, although i have it working
the bandwidth speeds are also varying, if i remove the mikrotik, i get a rock solid 160mb, but when using the mikrotik i get anywhere
from 12mb - 160mb

total mess of a router unless your a super genius

Forze · September 1, 2014, 7:24am

waited a few days for the above post to be moderated / approved, yet its not my first post?

nm ive sold the router now due to the issues & lack of Mikrotik documentation, back to cisco…

cdiedrich · September 1, 2014, 7:57am

Even though you’re not using MikroTik anymore (which is a pity though) I’d like to answer your questions

The open DNS service issue would have been easily resolved with two simple firewall rules, dropping tcp & udp packets coming in from your WAN interface on port 53. This makes your DNS only available from your internal network and hides it to the outside world.

The bandwidth issue you were seeing is most likely a CPU issue on the CRS. It’s just not powerful enough to handle the bementioned bandwidth with firewall rules ans NAT. Remember it’s basically a switch (which is a a really good deal for its features compared to the price you’re paying).

Chers
-Chris

BartoszP · September 1, 2014, 8:00am

I know that it does not matter now but you should have added two rules:

add action=drop chain=input dst-port=53 in-interface=wan_interface protocol=udp
add action=reject chain=input dst-port=53 in-interface=wan_interface protocol=tcp reject-with=icmp-host-unreachable

Why TCP if DNS questions are UDP based ? As some servers fall to TCP if UDP is dropped.

There are many discussions what is better: to drop or to reject connections ?
I am rejecting TCP as IMHO routers could (!!) trace that information and learn to kill packets before they reach my router. If you DROP then your router is simple blackhole for the rest of the world.

cdiedrich · September 1, 2014, 8:04am

But this could also expose your router to (D)DoS attacks.
I tend to use tarpit on TCP ports as it not only ignores requests but also binds attackers’/abusers’ resources…
-Chris

janisk · September 1, 2014, 8:23am

this forum has a nice feature called - search. There you could find a lot of articles some of them even includes examples on what exactly has to be done and vast explanations on why and how that is happening. Even more elaborate than one cdiedrich gave.

also, you have to have 3 approved posts to post without moderation on this forum.