tfj88
just joined
Topic Author
Posts: 19
Joined: Mon Apr 25, 2016 3:16 am

Drop DNS server or request

Thu Apr 28, 2016 4:16 am

Hello..

I have set up a firewall rule to drop DNS requests from "81.198.87.240" and "91.188.51.139"...
But it seems not to be working.
Should I change forward to input or something?
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: Drop DNS server or request

Thu Apr 28, 2016 7:12 am

You are dropping the source port, not the destination port. Also, make sure you are not using fasttrack. This may bypass your drop rules.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Thu Apr 28, 2016 8:28 am

What are you trying to get generally?
 
tfj88
just joined
Topic Author
Posts: 19
Joined: Mon Apr 25, 2016 3:16 am

Re: Drop DNS server or request

Thu Apr 28, 2016 10:56 am

How about the chain?

kiaunel wrote:
You are dropping the source port, not the destination port. Also, make sure you are not using fasttrack. This may bypass your drop rules.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Drop DNS server or request

Thu Apr 28, 2016 3:36 pm

53 rules and counting.... (ironic number, since we're talking about DNS heheh)

Your firewall could probably be simplified quite a bit.
The first thing that's obvious to me is all of the separate rules to block certain destination address ranges.
You should make an address list called "blocked", add all of the blocked IP ranges to that list, and then replace all of the block rules with one rule:
chain=forward src-address=192.168.88.0/24 dst-address-list=blocked action=drop

Are you being used in a DNS amplification DDoS attack or something?
As Jarda says, your intention isn't clear.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Drop DNS server or request

Thu Apr 28, 2016 11:29 pm

About chains,

forward = packets going through your Mikrotik, so if your DNS server is on a server behind your router then use forward
input = packets destined to your Mikrotik and don't match a forwarding rule

In your case, your DNS server is not listening for external requests, so to block DNS requests going to your DNS server behind the Mikrotik, use the forward rule.

To firewall inbound DNS requests from certain IP addresses, you'd use:
chain=forward, dst-port=53, src-addr=81.198.87.240
If you have many IP addresses you'd like to block, you can use a list.

If you want your Mikrotik to serve DNS requests to your internal devices, then select "Allow Remote Requests" in your DNS Server, and create a firewall rule to drop requests from the WAN.
chain=input, dst-port=53, in-interface=ether1-gateway

If you aren't serving DNS at all, but are seeing many requests hitting your Mikrotik, there isn't much you can do about it. Or call your ISP and have it blocked upstream. If it's not killing your bandwidth, then ignore it. It'll probably eventually stop.
 
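The rules from the two replies above (the address list, the forward drop for transit queries, the input drop for the router's own resolver) and kiaunel's fasttrack caveat, collected into one RouterOS fragment. This is an added example and not configuration posted by anyone in the thread. It assumes ether1-gateway is the WAN interface and 192.168.88.0/24 is the LAN (the RouterOS defaults); the two addresses are the ones the topic author listed. Two details the posted one-liners leave out: RouterOS refuses a rule with dst-port= unless protocol= is also set, and the match has to be on destination port 53, since the querying host's source port is ephemeral.

```routeros
# Added example, not from the original thread. Assumes ether1-gateway = WAN,
# 192.168.88.0/24 = LAN; the listed addresses come from the first post.

# 1. One address list instead of one rule per address (ZeroByte's point).
/ip firewall address-list
add list=blocked address=81.198.87.240 comment="unwanted DNS source"
add list=blocked address=91.188.51.139 comment="unwanted DNS source"

# 2. Drop rules. protocol= is mandatory with dst-port=; match the destination
#    port (53), never the source port.
/ip firewall filter
# Outbound: LAN hosts may not reach anything on the list (ZeroByte's rule).
add chain=forward src-address=192.168.88.0/24 dst-address-list=blocked action=drop \
    comment="LAN -> blocked"
# Inbound, transit: queries from listed addresses to a DNS server behind the router.
add chain=forward in-interface=ether1-gateway protocol=udp dst-port=53 \
    src-address-list=blocked action=drop comment="blocked -> internal DNS (udp)"
add chain=forward in-interface=ether1-gateway protocol=tcp dst-port=53 \
    src-address-list=blocked action=drop comment="blocked -> internal DNS (tcp)"
# Inbound, local: the router's own resolver must not answer the WAN at all.
# With allow-remote-requests=yes and no such rule the router is an open
# resolver, which is exactly what DNS amplification abuses. Drop every WAN
# source here, not only the listed ones.
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop \
    comment="WAN -> router DNS (udp)"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 action=drop \
    comment="WAN -> router DNS (tcp)"

# 3. Fasttrack (kiaunel's caveat). Packets of a fasttracked connection skip the
#    remaining filter rules, so a drop placed below this line is only ever
#    consulted for the first packet of a flow and never cuts a flow that is
#    already established. Keep the drops above it.
add chain=forward connection-state=established,related action=fasttrack-connection \
    comment="fasttrack"
add chain=forward connection-state=established,related action=accept

# 4. Serve DNS to LAN clients only (Van9018's note); the input drops above keep
#    the WAN side closed. Upstream servers are left as already configured.
/ip dns set allow-remote-requests=yes
```

`add` appends to the end of the filter, so on a box that already has a default firewall the drop rules land below the existing fasttrack rule; use `/ip firewall filter move` (or `place-before=`) until `/ip firewall filter print` shows them above it. To confirm the rules actually fire, watch the packet counters with `/ip firewall filter print stats` while a query arrives, and from an outside host check that `dig @<wan-ip> example.com` times out instead of answering.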
tfj88
just joined
Topic Author
Posts: 19
Joined: Mon Apr 25, 2016 3:16 am

Re: Drop DNS server or request

Mon May 02, 2016 2:48 am

Yes, I do not want anything to do with the DNS requests.
And I also want to forbid DNS amplification DDoS attacks.
 
tfj88
just joined
Topic Author
Posts: 19
Joined: Mon Apr 25, 2016 3:16 am

Re: Drop DNS server or request

Mon May 02, 2016 2:52 am

OK, I will try changing my settings.
Although DNS is a small stream, I still do not want to see it.
