open recursive DNS port 53

I have customers' routers that have “open recursive DNS port 53” and my upstream provider is telling me I need to get that blocked. Rather than chase down each customer I would like to block this at my core router. I have a firewall rule set up but it does not appear to be working. Any ideas what I’m doing wrong?

add action=drop chain=forward comment="" disabled=no dst-port=53 protocol=udp src-address=0.0.0.0/0 src-port=53

Probably it is not working because UDP can use both TCP and UDP.

You can redirect all DNS requests to your router, which is a better solution:
/ip firewall nat
add action=redirect chain=dstnat comment=dns dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53

He means “DNS can use both TCP and UDP.”

And take off src-port=53. DNS clients / servers use random outgoing source ports, so you’ll probably never match that rule.

I am having the same issue as pkats and I have implemented the script you suggested. But is there a way I can narrow it down to a single computer on my network? I have been going to each one I can get to, doing deep antivirus scans, but I was just curious if it was possible. Thank you.

Remove src-port=53; everything else is correct. Set the same rule in the input chain on the public interface if you use your Mikrotik router as a DNS proxy too.
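Pulling the thread's advice together as a RouterOS filter set (an added example, not a rule set posted by anyone in this thread): no src-port match, both TCP and UDP, a forward rule for customer traffic and an input rule for the core router itself. It goes one step beyond the replies by matching only packets that arrive on the upstream interface (assumed here to be named ether1) and by logging before dropping, so the affected customer address can be read from /log.

```routeros
# Added example, not from the thread. Assumes the upstream/public
# interface is ether1; change it to match your router.
/ip firewall filter

# Forward chain: queries coming in from the Internet towards customer
# routers. in-interface=ether1 keeps customers' own outbound lookups
# (which arrive on the LAN side) unaffected. log=yes writes the
# src/dst addresses to /log under the given prefix, which shows
# which customer router is being used as an open resolver.
add chain=forward in-interface=ether1 protocol=udp dst-port=53 action=drop log=yes log-prefix="open-dns-udp" comment="drop inbound DNS to customers (UDP)"
add chain=forward in-interface=ether1 protocol=tcp dst-port=53 action=drop log=yes log-prefix="open-dns-tcp" comment="drop inbound DNS to customers (TCP)"

# Input chain: same treatment for the core router, needed when it runs
# as a DNS proxy (/ip dns allow-remote-requests=yes) so it does not
# answer recursive queries from the Internet itself.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop log=yes log-prefix="open-dns-self" comment="drop inbound DNS to router (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop log=yes log-prefix="open-dns-self" comment="drop inbound DNS to router (TCP)"
```

Rule order matters: place these above any generic accept rules in the same chains, and check hits with /ip firewall filter print stats and the prefixed entries in /log print.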