Not blocking IP / Raw on DNS !!!

Firewall Raw is not functional.
DNS is enabled as “DNS cache” on Mikrotik ver 7.14.x and 7.15.x.
Now anyone can use my DNS.
The firewall for the sit works but the dns blocking does not.

Is something wrong, or is it just the version?
It has DNS cache in several places. And it’s becoming a big problem.

My ip 46.135.231.153
DNS test pages. https://openresolver.com/?ip=46.135.231.153
China and Russia know me anyway. :laughing:

I had to turn DNS off. Someone didn’t like it anymore.
Test your DNS! A month ago it was working fine.


/ip/firewall/raw> pr

0 chain=prerouting action=add-dst-to-address-list dst-port=53 log=no log-prefix="" protocol=udp
src-address-list=!dns dst-address-list=!dns address-list=dns!!! address-list-timeout=none-dynamic

1 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=udp src-address-list=!dns
dst-address-list=!dns

2 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=tcp src-address-list=!dns
dst-address-list=!dns

/ip/firewall/address-list> pr

0 dns 192.168.0.0/16 1970-01-02 00:47:41
1 dns 10.0.0.0/8 1970-01-02 00:45:21
;;; google
2 dns 8.8.8.8 1970-01-02 00:45:27
3 dns 176.103.130.130 1970-01-02 00:45:34
;;; tucows.com
4 dns 1.1.1.1 1970-01-02 00:45:40
;;; open neco
5 dns 208.67.222.222 1970-01-02 00:45:46
;;; dns9.quad9
6 dns 9.9.9.9 1970-01-02 00:45:58
;;; cina alibaba
7 dns 114.114.114.114 1970-01-02 00:46:04
;;; vodafon
8 dns 31.30.90.1 1970-01-02 00:46:10
;;; vodafon
9 dns 31.30.90.2 1970-01-02 00:46:25
;;; google
10 dns 8.8.4.4 1970-01-02 00:46:56
;;; cina alibaba
11 dns 8.208.8.0/24 1970-01-02 00:47:12
;;; open neco
12 dns 208.67.220.220 1970-01-02 00:47:18
13 dns 62.168.9.230 1970-01-02 00:47:23
;;; hwclouds-dns
14 dns 94.74.74.175 1970-01-02 00:47:29
;;; dnsmob3.o2isp
15 dns 160.218.161.60 1970-01-02 00:47:35
;;; o2isp
16 dns 194.228.211.33 1970-01-02 00:47:56
17 dns 172.16.0.0/16 2024-09-16 16:36:43

This change is working so far.
But you gentlemen are making fun of us. :open_mouth: :confused:


172.16.1.100/24 172.16.1.0 ether2_gw
1 192.168.10.1/24 192.168.10.0 mesh

0 chain=prerouting action=add-dst-to-address-list dst-port=53 log=no log-prefix="" protocol=udp
dst-address=172.16.1.100 src-address-list=!dns address-list=dns!!! address-list-timeout=none-dynamic

1 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=udp dst-address=172.16.1.100
src-address-list=!dns

2 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=tcp dst-address=172.16.1.100
src-address-list=!dns

Did you thoroughly think about what this rule does?

It says:

  1. if dst-port is 53
     AND
  2. if protocol is UDP
     AND
  3. if src-address is not member of list named dns
     AND
  4. if dst-address is not member of list named dns
     THEN
  5. add dst-address to list named “dns!!!”
     (I’m assuming you’re posting config as-is, not adding some emotional state of yours)

And I’m not going to think how these rules apply to DNS traffic you would like to allow and how it applies to traffic you want to prevent. And if address-list naming is appropriate at all. But if rules are not constructed exactly the way they should be, then they will not get executed.

This creates a list of IP addresses. Dal is not used. Only checking.

I’ve had the last two rules for a long time. And it’s a coincidence that I checked. There’s a list that the filter works by.

It occurred to me that it doesn’t say exactly what ip dns it works from.

But thanks for the reply anyway.

So are you saying that the other two rules, such as

1 chain=prerouting action=drop dst-port=53 log=no log-prefix="" protocol=udp dst-address=172.16.1.100
src-address-list=!dns

are not working?

According to packet flow, prerouting is executed before DST-NAT … which means that for packets, originating from internet, dst-address won’t be one of your LAN addresses, it’ll be your public (WAN) IP address for connections, originating from internet. Which means that these two rules won’t trigger.

I have a hard time understanding what exactly doesn’t work the way you expect … which is the reason I didn’t react to your initial post. The only reason I reacted to your second post is that the wording of it indicates that you somehow blame Mikrotik or forum members for your setup not to work according to your expectations (which are, as I already wrote, hard to read from your initial post).
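The packet-flow point above (raw/prerouting runs before dst-nat, so a query arriving from the internet still carries the public WAN address as its destination, never 172.16.1.100) is the reason the drop rules quoted earlier in the thread never match. The usual way to close an open resolver on RouterOS is to match on the interface the packet arrived on instead of on a LAN address or on address-list membership. The snippet below is an added example written for this thread, not configuration posted by either participant; it assumes the LTE interface is named lte1 and uses an interface list named WAN (created here if it does not already exist). Both names are assumptions and should be adjusted to the real setup.

```routeros
# Added example; not the thread author's configuration.
# Assumed names: LTE uplink "lte1", interface list "WAN".
/interface list add name=WAN
/interface list member add list=WAN interface=lte1

# Raw table, prerouting chain. This runs before dst-nat, so match on the
# ingress interface: a query from the internet is addressed to the public
# IP, not to 172.16.1.100, and in-interface-list is unaffected by that.
/ip firewall raw
add chain=prerouting in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="drop DNS queries arriving from the internet (UDP)"
add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="drop DNS queries arriving from the internet (TCP)"

# Second line of defence in the filter table: if a raw rule is ever
# disabled, queries to the router itself from WAN still never reach
# the resolver (chain=input is traffic addressed to the router).
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# Verify: re-run the open-resolver test against the public address and
# watch the packet counters on the raw rules increase.
/ip firewall raw print stats
```

LAN clients are not affected, because their queries enter on a non-WAN interface, and the router's own outbound lookups are unaffected because the replies to those carry port 53 as the source port, not the destination port. Note that behind carrier-grade NAT on LTE the operator may already block inbound port 53, in which case the rule counters will stay at zero and the test page will report the resolver as closed regardless; the rules are still worth keeping for the day the carrier assigns a directly reachable address.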

Mr. MKX. My language is not English. I just wrote here that there was a change. And mikrotik stopped throwing me unwanted DNS requests.
I didn’t mean to offend either you or the mikrotik.
I’m fine now, and if someone is using something similar it’s their fault.

Yes, there is IP/NAT I have LTE 4g network and the operator does not put a fixed ip on the router.
Have a nice week.