Hello everyone.
I stumbled across a thread here on the forum discussing the parameter /ip dns allow-remote-query.
There are two issues/questions about this:
- The wiki says the default value is no. However, in my setup it was set to yes, and I am pretty sure I haven't ticked it. At least not directly, that is, but maybe it was set due to something else I did?
I have set it to no, so my /ip dns setup looks like this:
[admin@MikroTik] /ip dns> set allow-remote-requests=no
[admin@MikroTik] /ip dns> print
                      servers: 92.220.228.70,8.8.8.8,109.247.114.4
              dynamic-servers: 193.213.112.4,130.67.15.198
               use-doh-server:
              verify-doh-cert: no
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 32KiB
My understanding is that if set to yes, I would allow external hosts to use my ISP-assigned IP as their DNS server. Or am I misunderstanding?
- In the thread someone claimed (without backing it up in any way) that having it set to Yes would somehow improve performance somewhat.
I don’t really understand how that could be, unless I have misunderstood the purpose of the parameter (see above).
I have installed this SXT as my internet solution in my home. I do not want to allow anyone connecting from the outside into my LAN; I want the SXT to reject all incoming connections.
My assumption was that it was set up that way out of the box, but the above makes me wonder.
So I'd appreciate it if any of you guys would help me check that I haven't managed to screw up my setup.
I am not very familiar with firewall setup, so please bear with me…
Here are my current firewall rules, let me know if more info is required:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 2   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 3   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
 4   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
 5   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
 6   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
 7   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection connection-state=established,related
 8   ;;; defconf: accept established,related, untracked
     chain=forward action=accept connection-state=established,related,untracked
 9   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
10   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@MikroTik] /ip firewall filter>
Thanks!
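As an added check (example code, not from the post above or from MikroTik), here is a small Python evaluator that re-types the poster's four defconf input-chain rules and walks them for a constructed, brand-new UDP DNS query arriving from the WAN interface list; it shows that rule 4 ("drop all not coming from LAN") is what stops the router's resolver from answering the internet, whatever allow-remote-requests is set to, and what happens if that rule is missing. The matching model (rules in order, first accept/drop wins, unmatched packets accepted) is a deliberate simplification of RouterOS and an assumption of this example.

```python
# Added example, not from the post: replay the poster's defconf input-chain rules
# against a synthetic packet. The matching model is a simplifying assumption:
# rules run in order, the first accept/drop wins, an unmatched packet is accepted.
import re

INPUT_RULES = """\
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
"""

# Constructed packet: a fresh UDP DNS query reaching the router from the WAN list.
WAN_DNS_QUERY = {"connection-state": "new", "protocol": "udp", "interface-lists": {"WAN"}}


def parse_rules(text):
    """Rule bodies from print output; the 'N ;;; comment' header lines are skipped."""
    return [dict(part.split("=", 1) for part in line.split())
            for line in text.splitlines() if not re.match(r"^\d+\s", line)]


def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        negate, want = want.startswith("!"), want.lstrip("!")  # '!LAN' style negation
        if key == "connection-state":
            hit = pkt["connection-state"] in want.split(",")
        elif key == "protocol":
            hit = pkt.get("protocol") == want
        elif key == "in-interface-list":
            hit = want in pkt.get("interface-lists", set())
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if hit == negate:  # plain matcher missed, or negated matcher hit
            return False
    return True


def fate(rules, chain, pkt):
    """Return 'accept' or 'drop' for pkt walking the given chain in rule order."""
    for rule in rules:
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        if rule["action"] in ("accept", "drop"):
            return rule["action"]
    return "accept"  # implicit default when no rule in a RouterOS chain matches
```

Running `fate(parse_rules(INPUT_RULES), "input", WAN_DNS_QUERY)` gives "drop"; with the same rules minus rule 4, the query is accepted by the chain's implicit default, which is the exposure the poster is worried about.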