We are an ISP & we have built one x86 based Mikrotik Server which is acting just as a forwarding DNS Server for our customers and this is working OK. But this is acting as a kind of Open DNS which other unknown outside users can use as well as launch attack.
Please help us to build a firewall rule where we can permit only our own customers to use the DNS OR , placed differently, only our ISP’s static IP blocks can only gain access to query the DNS & all other outside & unknown IP blocks should be dropped while querying the DNS.
Bit worried about having to ask this question as an ISP. Glad you did...because you have the opportunity to do it correct.
My assuption is that you know all public IP addresses of your customers...correct?
In thta case create a source address list containing all IP's and only allow those to your DNS service.
While you are at it...please consider making DNS redundant.
Thanks for your reply.Yes we are an existing ISP ( 50,000 customers ) and we are trying to set up a DNS using a Mikrotik & Yes I know all the public IP Pools we are using.
If you are referring to the above code for securing the DNS server - I have already done this , but this is resulting abrupt results, some of the websites are opening & some are not. This rule is dropping huge traffic , which we cant use further.
With that many customers, you have to significantly increase the Max Concurrent Queries and Max Concurrent TCP Sessions in the RouterOS DNS setting. But probably MikroTik implementation of the DNS resolver is not made for that many users.
You should setup something like unbound on a separate device and let it acts as resolver instead.
Your rules would be fine for the DNS service but you do not want to have only those 3 rules because you would also block access to the router for configuration. And you also need to allow the replies to outgoing DNS requests.
Before the drop rule you should at least have something like:
I have created the following rule - and as of now it started working as desired- though it needs to be tested for atleast 72 hours. My rules are as follows -
Now I never know if Mikrotik DNS forwarder will work for 50,000 users, lets test it. But till now we have assigned 10,000 users DNS query traffic and CPU load is 0% and interface traffic is 2 Mbps. Lets see what happens next.