I was reading a link from a MUM that contained the following advice...
THIS PART WAS LABELLED WRONG!
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Internet
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
(Public IP on the Internet interface)
Analysis of the problem
Problem:
- High CPU load, high amount of unknown traffic on public interface
Reason:
- Your router is used as an open DNS resolver. It answers recursive queries for hosts outside of its domain and is utilized in DNS amplification attacks.
CORRECT IMPLEMENTATION:
/ip firewall filter
add action=reject chain=input dst-port=53 protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53 protocol=tcp reject-with=icmp-port-unreachable
Well, that was very concerning to me, as here is my DNS setup (and perhaps a few others')...
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
Would it be prudent or overkill to add the following in the forward chain...
/ip firewall filter
# action=drop, or should this be action=reject?
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
Or, since it's implied that my input chain allows LAN to router for DNS and drops everything else, are the firewall rules as they stand okay?
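An added example, not part of the post above: a small first-match evaluator that walks the poster's input chain rule by rule, assuming ether1 is the only member of the WAN interface list, bridge the only member of LAN, and 192.168.88.10 the only adminaccess entry (all constructed). It shows that a port-53 query arriving on the WAN interface is already stopped by the terminal "DROP ALL ELSE" rule of the input chain, while forward-chain rules only touch traffic passing through the router, not queries answered by its own resolver.

```python
"""First-match model of the input chain from the forum post (added example).
Interface lists, address lists and packets below are constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Optional

IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}     # assumed membership
ADDR_LISTS = {"adminaccess": {"192.168.88.10"}}           # assumed admin host


@dataclass
class Packet:
    in_iface: str
    src: str
    proto: str        # "udp" or "tcp"
    dst_port: int
    conn_state: str   # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    action: str
    comment: str
    conn_states: set = field(default_factory=set)
    in_iface_list: Optional[str] = None
    src_addr_list: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        return ((not self.conn_states or p.conn_state in self.conn_states)
                and (not self.in_iface_list or p.in_iface in IFACE_LISTS[self.in_iface_list])
                and (not self.src_addr_list or p.src in ADDR_LISTS[self.src_addr_list])
                and (not self.proto or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port))


# The poster's input chain, top to bottom; RouterOS stops at the first match.
INPUT_CHAIN = [
    Rule("accept", "defconf: accept established,related", conn_states={"established", "related"}),
    Rule("drop", "defconf: drop invalid", conn_states={"invalid"}),
    Rule("accept", "Allow ADMIN to Router", in_iface_list="LAN", src_addr_list="adminaccess"),
    Rule("accept", "Allow LAN DNS queries-UDP", in_iface_list="LAN", proto="udp", dst_port=53),
    Rule("accept", "Allow LAN DNS queries - TCP", in_iface_list="LAN", proto="tcp", dst_port=53),
    Rule("drop", "DROP ALL ELSE"),
]


def evaluate(chain: list, p: Packet) -> tuple:
    """Return (action, comment) of the first matching rule; with no match a
    RouterOS chain falls through to its implicit accept."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "implicit chain default"
```

Feeding it a new UDP/53 packet from 203.0.113.7 on ether1 returns ("drop", "DROP ALL ELSE"), while the same query from a LAN host on bridge returns ("accept", "Allow LAN DNS queries-UDP").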