They are attacking me?

The firewall is the default one with only two changes:
1. fasttrack disabled.
2. added a rule to accept WireGuard.

In IP/DNS, "allow remote requests" has also been disabled from day one.
In IP/Services only Winbox is enabled, with the default port changed, and it only accepts my local IP and my WireGuard IP.

To solve it, is the rule better in raw or in filter?
Any other way to solve it?

/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp

or

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp

show /ip firewall export

Please provide config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc..)

Who is THEY?

The default rule on the input chain prevents this noise…
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

The only way this could be happening is if you created your wireguard rule like this
add chain=input action=accept comment=allow wireguard

(in other words, you forgot to add dst-port/protocol or any other matching attribute.)

Therefore, we need to see the evidence of what you really did, not your opinion.



/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=WIREGUARD dst-port=13136 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=reject chain=forward comment="ONLY INTERNET KIDS" in-interface-list=USUARIOS out-interface-list=!WAN reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY UDP" dst-port=53 in-interface-list=USUARIOS protocol=udp to-addresses=94.140.14.15 to-ports=53
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY TCP" dst-port=53 in-interface-list=USUARIOS protocol=tcp to-addresses=94.140.14.15 to-ports=53

@anav @rextended
Yesterday when I suffered this attack the rules of “DNS ADGUARD FAMILY UDP” and “DNS ADGUARD FAMILY TCP” were like this;
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY UDP" dst-port=53 protocol=udp to-addresses=94.140.14.15 to-ports=53
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY TCP" dst-port=53 protocol=tcp to-addresses=94.140.14.15 to-ports=53

I didn't specify any input interface; then I added in-interface-list=USUARIOS.

I think your family is attacking you… :smiley:

What do you think these two lines do?

add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY UDP" dst-port=53 in-interface-list=USUARIOS protocol=udp to-addresses=94.140.14.15 to-ports=53
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY TCP" dst-port=53 in-interface-list=USUARIOS protocol=tcp to-addresses=94.140.14.15 to-ports=53

Force to use that DNS
Yesterday when I suffered this attack the rules of "DNS ADGUARD FAMILY UDP" and "DNS ADGUARD FAMILY TCP" were like this;
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY UDP" dst-port=53 protocol=udp to-addresses=94.140.14.15 to-ports=53
add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY TCP" dst-port=53 protocol=tcp to-addresses=94.140.14.15 to-ports=53

I didn't specify any input interface; then I added in-interface-list=USUARIOS.

I think you indeed have to add the interface list to prevent anyone (from the Internet) from using your router to get to the DNS server (94.140.14.15). So it is solved. Therefore no attack, just abuse of an incorrect firewall config.

As well you might want to consider closing port 853 (DNS over TLS) as this is used besides port 53. So users might still not use the supplied DNS server.

Think about what you did.

a. ensured you had a rule in the forward chain that allowed DST-NAT traffic.
This tells the router ALLOW WAN TO LAN Traffic for any designated ports identified in DST-NAT rules …

b. then you made a rule that said ANY traffic ( LAN WAN from the fricken MOON) headed to port 53 on your router, will get shunted to your local IP 94.140.14.15.

c. YES the solution was not a firewall rule, it was a dst-nat rule that limits access to local interfaces…

Erlinden, I never heard of DNS over TLS, a new one for me. So people can avoid the DNS setting by such a method…
Thanks for the tip…
although they could avoid it by using their own DOH approach? or browser with some capability??

You can't stop users from getting around security. The reason I block port 853 is because it was used by a Huawei smartphone (out of the box).

Oh yes the direct link to the red army :slight_smile:

adding implicit parts…

add action=dst-nat chain=dstnat [src-address=ANY] [src-port=ANY] [dst-address=ANY] dst-port=53 protocol=udp to-addresses=94.140.14.15 to-ports=53

So any device in the world can use your router/public IP as if it were the AdGuard DNS…
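Added example, not from the thread: a small Python model of the RouterOS packet path (prerouting dst-nat, then input or forward chain) for the rules posted above, showing why the unrestricted dst-nat on port 53 turns the router into an open DNS relay that the defconf input-chain drop never sees, and why in-interface-list=USUARIOS fixes it. The interface names, the WAN IP 203.0.113.10 and the packets are constructed.

```python
# Constructed interface lists, mirroring the thread: USUARIOS is a LAN-side list.
LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}, "USUARIOS": {"bridge"}}
ROUTER_IP = "203.0.113.10"   # constructed placeholder for the router's public IP
ADGUARD = "94.140.14.15"     # the DNS forwarder used in the thread


def matches(rule, pkt):
    """Match only the attributes these rules use; an absent attribute means ANY."""
    for key in ("protocol", "dst_port", "dstnat"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "in_list" in rule:  # in-interface-list=NAME or !NAME
        name = rule["in_list"].lstrip("!")
        negate = rule["in_list"].startswith("!")
        if (pkt["in_if"] in LISTS[name]) == negate:
            return False
    return True


def route(pkt, dstnat_rules, input_rules, forward_rules):
    """dst-nat runs in prerouting; only afterwards is input vs forward decided."""
    pkt = dict(pkt, dstnat=False)
    for r in dstnat_rules:
        if matches(r, pkt):
            pkt["dst_ip"], pkt["dstnat"] = r["to"], True
            break
    chain = input_rules if pkt["dst_ip"] == ROUTER_IP else forward_rules
    for r in chain:
        if matches(r, pkt):
            return r["action"], pkt["dst_ip"]
    return "accept", pkt["dst_ip"]   # no rule hit: RouterOS default is accept


# defconf: "drop all not coming from LAN" (input) and
# "drop all from WAN not DSTNATed" (forward), as in the posted export.
INPUT = [{"action": "drop", "in_list": "!LAN"}]
FORWARD = [{"action": "drop", "in_list": "WAN", "dstnat": False}]


def dns_dstnat(restricted):
    """The thread's UDP/53 dst-nat, with or without in-interface-list=USUARIOS."""
    rule = {"action": "dst-nat", "protocol": "udp", "dst_port": 53, "to": ADGUARD}
    if restricted:
        rule["in_list"] = "USUARIOS"
    return [rule]


WAN_QUERY = {"in_if": "ether1", "protocol": "udp", "dst_port": 53, "dst_ip": ROUTER_IP}
LAN_QUERY = {"in_if": "bridge", "protocol": "udp", "dst_port": 53, "dst_ip": ROUTER_IP}


def outcome(pkt, restricted):
    return route(pkt, dns_dstnat(restricted), INPUT, FORWARD)
```

With the unrestricted rule, `outcome(WAN_QUERY, False)` is `("accept", "94.140.14.15")`: the Internet query is rewritten and forwarded, bypassing the input chain; with the restricted rule it is `("drop", "203.0.113.10")`, while LAN clients are still redirected.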

erlinden where/how do you block port 853?
add chain=forward action=drop in-interface-list=LAN dst-port=853 protocol=udp
add chain=forward action=drop in-interface-list=LAN dst-port=853 protocol=tcp

Or are you thinking of raw?
add chain=prerouting action=drop dst-port=853 protocol=udp
add chain=prerouting action=drop dst-port=853 protocol=tcp