If anyone can help please do. Several MikroTik routers I manage can’t seem to get a socket connection to port 53. The production application would be a DNS server behind NAT where the WAN connection is the PPPoE interface (but I haven’t got that far because of this problem).
I tried to set up a test router to experiment with different configurations. The one posted here is as simple as I could make it to prove that I still can’t make any connections to port 53 from the internet, and the router doesn’t even count the attempts in the firewall. I know for a fact the ISP doesn’t filter or throttle or otherwise manipulate the internet connection. I think I’m overlooking something simple, I just can’t see it and I’m out of ideas at this point. I tested other versions of RouterOS going back to 6.33.6 - same issue. If I change the port attempts to 52 or 54, there’s no problem.
Here’s the test config which shows no filters counting my port 53 TCP or UDP connection attempts:
[admin@TestTik] > export
# jan/10/2023 13:06:00 by RouterOS 7.6
# software id = 7***-****
#
# model = RB750
# serial number = 2F**********
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=\
pppoe-out1 use-peer-dns=yes user=testlogin@isp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes \
log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes \
log-prefix=-mydns protocol=udp
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
add action=log chain=input dst-port=53 log-prefix="PORT 53 TCP HIT" protocol=\
tcp
add action=log chain=input dst-port=53 log-prefix="PORT 53 UDP HIT" protocol=\
udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=TestTik
/system leds
add interface=pppoe-out1 leds="" type=interface-activity
/system routerboard settings
set boot-device=nand-only
Confusing post.
Forgetting about the config, what are your requirements, based on users, traffic flow they need to have or not to have with respect to DNS.
A viable solution will pop out from well stated requirements.
The only issue here is that you don’t understand how DNS works or ROS works or both… and chasing a config is needlessly challenging without understanding the why…
Ensure you add any network context like self supplied PI servers and where they reside…
LoL of course I’m here because I don’t understand something. Here’s more simple language for you: I want to make a DNS server off my PPPoE connection. Number of users doesn’t matter, traffic flow doesn’t matter. I just need responses from port 53 to work through the MikroTik router.
For starters, push those 2 rules with action=log above similar rules with action=accept. Firewall rules are evaluated top-to-bottom and first matching rule executes. Rules with action=accept or action=drop also stop processing of rules. So the way you have them now, the log rules will not execute for packets ingressing through PPPoE interface because matching packets trigger execution of accept rules above.
Does connection work from LAN? From firewall point of view either (LAN and PPPoE) should work, you actually don’t have anything in firewall blocking any connection to router itself … which also means device can be easily hacked from internet. So if connecting to DNS service on router works from LAN but doesn’t from internet, then your ISP doesn’t offer internet lines as transparent as you were made to believe.
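As an added illustration of the rule-ordering point above (this is not code from the original post, nor RouterOS code), here is a small first-match simulation of the input-chain rules from the posted export. It models the RouterOS semantics described in the reply: rules are walked top to bottom, action=accept and action=drop terminate, action=log is passthrough, and an unmatched packet is accepted. The interface names come from the export; the sample packets are constructed. Running it also makes visible that the two accept rules match in-interface=ether1 while the PPPoE session lives on pppoe-out1, so a query arriving from the internet falls through to the bare "accept chain=input" rule and the log rules below it are never reached.

```python
# Added example: first-match simulation of the posted input-chain rules.
# Standalone script modelling RouterOS evaluation order; not RouterOS code.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    chain: str
    action: str                         # "accept", "drop" or "log"
    protocol: Optional[str] = None      # None means "any protocol"
    dst_port: Optional[int] = None      # None means "any port"
    in_interface: Optional[str] = None  # None means "any interface"
    log: bool = False                   # log=yes on a terminating rule
    log_prefix: str = ""


@dataclass
class Packet:
    chain: str
    protocol: str
    dst_port: int
    in_interface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every matcher it sets agrees with the packet."""
    return (
        rule.chain == pkt.chain
        and (rule.protocol is None or rule.protocol == pkt.protocol)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and (rule.in_interface is None or rule.in_interface == pkt.in_interface)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain top to bottom; return (verdict, log prefixes written)."""
    logged: List[str] = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "log":        # passthrough: record and keep going
            logged.append(rule.log_prefix)
            continue
        if rule.log:                    # accept/drop with log=yes logs once
            logged.append(rule.log_prefix)
        return rule.action, logged      # terminating action: stop here
    return "accept", logged             # no match: default policy is accept


# Input-chain rules in exactly the order of the posted export.
ORIGINAL = [
    Rule("input", "accept", "tcp", 53, "ether1", log=True, log_prefix="-mydns"),
    Rule("input", "accept", "udp", 53, "ether1", log=True, log_prefix="-mydns"),
    Rule("input", "accept"),
    Rule("input", "log", "tcp", 53, log_prefix="PORT 53 TCP HIT"),
    Rule("input", "log", "udp", 53, log_prefix="PORT 53 UDP HIT"),
]

# The same rules with the two log rules moved to the top, as suggested.
REORDERED = ORIGINAL[3:] + ORIGINAL[:3]

# Constructed sample packets: DNS queries arriving over the PPPoE interface
# (where internet traffic actually enters) and one arriving on ether1.
FROM_INTERNET_UDP = Packet("input", "udp", 53, "pppoe-out1")
FROM_INTERNET_TCP = Packet("input", "tcp", 53, "pppoe-out1")
FROM_ETHER1_TCP = Packet("input", "tcp", 53, "ether1")


def demo() -> dict:
    """Evaluate the sample packets against both rule orders."""
    return {
        "original/pppoe udp": evaluate(ORIGINAL, FROM_INTERNET_UDP),
        "original/pppoe tcp": evaluate(ORIGINAL, FROM_INTERNET_TCP),
        "original/ether1 tcp": evaluate(ORIGINAL, FROM_ETHER1_TCP),
        "reordered/pppoe udp": evaluate(REORDERED, FROM_INTERNET_UDP),
    }


if __name__ == "__main__":
    for name, (verdict, logged) in demo().items():
        print(f"{name:22} -> {verdict:6} logged={logged}")
```

With the original order, the two internet-side packets are accepted silently by the catch-all rule and nothing is logged, which is consistent with the "no hits" observation; only a packet that really enters on ether1 triggers the "-mydns" accept rule. With the log rules moved first, the PPPoE packet is logged before the catch-all accepts it.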
Connections to port 53 always work on the LAN. In fact if I set up a NAT port forward, if the outside ports are 52 or 54 and inside port is 53, connection always works. Yes device is not secured and hackable. This config is only for demonstrating the problem with port 53. I’m not posting my production config. As for the ISP not being transparent? I’ve spoken with the network engineer who built the network and have been advised at length that there is no filtering. Further to that, I was given an IP address of another user in my CIDR block that does have a working DNS server using port 53 on the same network I’m on at my ISP. DIG / nslookup queries to that IP still work as of this posting.
Here’s a winbox showing no packets received for port 53:
People would open up port 53 for the purpose of running an Authoritative DNS server (https://en.wikipedia.org/wiki/Name_server). This is my purpose as I’ve stated before. Your fix of using the default MikroTik configuration that comes with the router also doesn’t work. I’ve omitted it for the sake of simplicity here, that’s why my config has no firewall rules. Also, everything is working, it’s just port 53 TCP / UDP out of all the 65535 ports that is not working for me.
I’ve thought so too. I’m testing from within the ISP network using the same subnet. Client / server connection not working with the MikroTik. But I can query another IP in the same subnet who is running a DNS server without a MikroTik router. No filtering going on here.
I am one of those many.
If the customer has enough knowledge to get a DNS server online, with all the bells and whistles that go with that,
they’re also able to use a VPN on remote devices to access that DNS resolver (or NAT the port 53 with some other on both sides)…
I’ll phrase my thought this way: ROS doesn’t have any hidden default firewall rules. So if you don’t see any rule blocking port 53 from WAN, then it’s not MikroTik blocking it.
As a few already mentioned: ISPs often block port 53 even if they don’t block other ports (another quite “popular” is UDP port 123). If I were you, I’d ask my ISP about it. Good luck getting an honest and accurate response though.
Here locally the ISP hard codes the blocking inbound pinging on the home hub modem/router they provide. Hence one of the reasons I used their business modem instead.
I block 53 & Co. right after my edge router…
If the user wants to open his home or office to the world, he must sign an agreement
according to which if for some reason he is the target of some attack (or generate some attack),
his service is immediately blocked and he must pay the damages…
(although in reality he can only ask, after renting one static Public IP instead of having a dynamic Public IP, for ports like
20, 21, 22, 23, 80, 443, etc.
but not, just for example:
0, 53, 67, 68, 111, 123, 135, 137, 138, 139, 161, 445, 1433, 1900, 3389, 5678, 8291, 20561, etc.
of this type)