peterpan15
just joined
Topic Author
Posts: 9
Joined: Wed Sep 04, 2019 9:47 am

Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 5:24 pm

Hi everyone,
Can anyone give me a hint as to why replies from static DNS servers (ISP or Google 8.8.8.8) are not handled as "related" by rule 1, but instead I have to make a special rule (5) for them? (The RB serves as DNS server for the local LAN.)


0 chain=forward action=passthrough
1 chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
2 chain=input action=drop connection-state=invalid log=yes log-prefix=""
3 chain=input action=accept connection-state=new in-interface=!ether1 log=no log-prefix=""
4 chain=input action=accept src-address-list=allowed-list in-interface=ether1 log=no log-prefix=""

5 chain=input action=accept protocol=udp src-port=53 log=yes log-prefix=""

6 chain=input action=drop log=yes log-prefix=""
7 chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
8 chain=forward action=drop connection-state=invalid log=yes log-prefix=""
 
Zacharias
Forum Veteran
Posts: 727
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 5:36 pm

They are marked as "established" in the connection tracking table....right?
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 6:18 pm

May sound stupid but recreate your established and related rule as a totally new rule, drag it to the top and then see if it works. Had this very recently and the only reason I could think was #mikrotik.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
peterpan15
just joined
Topic Author
Posts: 9
Joined: Wed Sep 04, 2019 9:47 am

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 7:54 pm

> They are marked as "established" in the connection tracking table....right?
I think only TCP connections can be "established".
"Related" is a virtual state used for tracking UDP (stateless) connections.
 
peterpan15
just joined
Topic Author
Posts: 9
Joined: Wed Sep 04, 2019 9:47 am

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 8:03 pm

> May sound stupid but recreate your established and related rule as a totally new rule, drag it to the top and then see if it works. Had this very recently and the only reason I could think was #mikrotik.
Alas, it didn't work - anyway, thanks for a promising hint.
I thought this might be timed-out answers but a DNS server time-out increase did not help either.
It seems to be very regular to be some artifact...
 
Exiver
Member Candidate
Posts: 113
Joined: Sat Jan 10, 2015 6:45 pm

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 8:08 pm

Can you please share your full /export hide-sensitive? How are these DNS requests made? By clients with the router set as DNS server, or directly from client to Google DNS (or others)?
 
peterpan15
just joined
Topic Author
Posts: 9
Joined: Wed Sep 04, 2019 9:47 am

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 8:13 pm

> May sound stupid but recreate your established and related rule as a totally new rule, drag it to the top and then see if it works. Had this very recently and the only reason I could think was #mikrotik.
> Alas, it didn't work - anyway, thanks for a promising hint.
> I thought this might be timed-out answers but a DNS server time-out increase did not help either.
> It seems to be very regular to be some artifact...

proto UDP, <1st ISP DNS server>:53-><my external IP>:5678, len 323
proto UDP, <2nd ISP DNS server>:53-><my external IP>:5678, len 80
proto UDP, <3rd ISP DNS server>:53-><my external IP>:5678, len 80
proto UDP, 8.8.8.8:53-><my external IP>:5678, len 80
proto UDP, 8.8.8.8:53-><my external IP>:5678, len 80

I should mention that <my external IP> is a private one and my ISP is port-forwarding all traffic to it from my public IP.
 
Zacharias
Forum Veteran
Posts: 727
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 8:19 pm

> They are marked as "established" in the connection tracking table....right?
> I think only TCP connections can be "established".
Yes... I forgot we were talking about DNS requests.
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 9:36 pm

UDP can have connection-state=established too. The protocol doesn't have any connection as TCP does, but connection tracking sees it that way when there are packets with matching source and destination addresses and ports.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Zacharias
Forum Veteran
Posts: 727
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 9:58 pm

Sob, I don't think inside connections we will see any UDP connection marked as established...
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 10:20 pm

With these rules:
/ip firewall filter
add action=log chain=output dst-address=8.8.8.8 log-prefix=request
add action=log chain=input connection-state=established log-prefix="response established" src-address=8.8.8.8
add action=log chain=input connection-state=invalid log-prefix="response invalid" src-address=8.8.8.8
add action=log chain=input connection-state=new log-prefix="response new" src-address=8.8.8.8
add action=log chain=input connection-state=related log-prefix="response related" src-address=8.8.8.8
This command (which needs to send a DNS request):
/ping forum.mikrotik.com
Produces this log:
21:10:18 firewall,info request output: in:(unknown 0) out:internal, proto UDP, 192.168.80.183:33734->8.8.8.8:53, len 64 
21:10:18 firewall,info response established input: in:internal out:(unknown 0), src-mac fe:00:c0:a8:50:04, proto UDP, 8.8.8.8:53->192.168.80.183:33734, len 80
So accepting established should be enough.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Sob
Forum Guru
Posts: 4780
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static DNS server replies not handled as "related" by firewall

Mon Sep 30, 2019 10:27 pm

Btw, for OP, this <my external IP>:5678 everywhere looks very suspicious, DNS queries should have random source port.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
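The two points Sob makes above (a UDP reply counts as "established" once the tracker has seen the outgoing query with matching addresses and ports, and a fixed destination port like :5678 on every "reply" is not what real resolver answers look like) can be shown with a small model of stateful connection tracking. The following is an added example, not code from the thread or from RouterOS; the `ConnTracker` class, the `Packet` type, the 30-second UDP timeout, the address 192.0.2.10 and the rule numbers in the verdict strings are all assumptions chosen to mirror the OP's rule list, and the packets are constructed, not captured.

```python
"""Toy model of stateful UDP connection tracking as a firewall sees it
(added example, not RouterOS code). A UDP 'connection' is just a
5-tuple the tracker has already seen: the first packet of a flow is
'new', a later packet in either direction with matching addresses and
ports is 'established'. An inbound datagram that matches no entry is
'new' on the input chain, so an established/related accept rule will
not match it, which is exactly the OP's symptom."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ConnTracker:
    def __init__(self, udp_timeout=30.0):
        # Assumed timeout; real trackers use different values per state.
        self.udp_timeout = udp_timeout
        # key: 5-tuple of the originating direction -> last-seen time
        self.table = {}

    def _key(self, p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _reverse_key(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        for k, ts in list(self.table.items()):
            if now - ts > self.udp_timeout:
                del self.table[k]

    def state(self, p, now=None):
        """Return the connection-state the firewall would see for p."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        for k in (self._key(p), self._reverse_key(p)):
            if k in self.table:
                self.table[k] = now  # refresh the entry
                return "established"
        self.table[self._key(p)] = now
        return "new"


def input_chain_verdict(tracker, p, now=None, accept_port53_replies=False):
    """Evaluate an inbound packet against a cut-down version of the OP's
    input chain: rule 1 (established/related), rule 6 (drop everything
    else), and optionally the OP's special rule 5 (udp src-port=53)."""
    st = tracker.state(p, now)
    if st == "established":
        return "accept(rule 1)"
    if accept_port53_replies and p.proto == "udp" and p.sport == 53:
        return "accept(rule 5)"
    return "drop(rule 6)"


def suspicious_fixed_port(replies):
    """Genuine resolver answers land on the randomized source ports of the
    queries that caused them. Several 'replies' from different resolvers
    all aimed at one fixed port is the pattern Sob flagged."""
    return len(replies) > 1 and len({p.dport for p in replies}) == 1


def demo():
    t = ConnTracker()
    query = Packet("udp", "192.0.2.10", 33734, "8.8.8.8", 53)       # output chain
    reply = Packet("udp", "8.8.8.8", 53, "192.0.2.10", 33734)       # input chain
    unsolicited = Packet("udp", "8.8.8.8", 53, "192.0.2.10", 5678)  # no matching query
    results = {
        "query": t.state(query, now=0.0),
        "reply": input_chain_verdict(t, reply, now=1.0),
        "unsolicited": input_chain_verdict(t, unsolicited, now=2.0),
        # The same reply arriving long after the entry expired looks 'new'.
        "late_reply": input_chain_verdict(t, reply, now=100.0),
    }
    # Fresh tracker: with the OP's rule 5 the unsolicited datagram is let in.
    results["unsolicited_with_rule5"] = input_chain_verdict(
        ConnTracker(), unsolicited, now=0.0, accept_port53_replies=True)
    # Constructed 'replies' shaped like the OP's log: every one to port 5678.
    bogus = [Packet("udp", s, 53, "192.0.2.10", 5678)
             for s in ("198.51.100.1", "198.51.100.2", "8.8.8.8")]
    results["fixed_port_flagged"] = suspicious_fixed_port(bogus)
    results["real_replies_flagged"] = suspicious_fixed_port([reply])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

Run as a script the model reproduces the thread: the answer to a query the router itself sent is accepted by the established rule, while a datagram from port 53 that answers nothing the tracker saw is dropped unless a port-based exception like rule 5 exists. Such an exception accepts any UDP datagram with source port 53 from anywhere, which is why identifying the real sender of the :5678 traffic (as the OP later did) is the better fix than keeping rule 5.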
 
peterpan15
just joined
Topic Author
Posts: 9
Joined: Wed Sep 04, 2019 9:47 am

Re: Static DNS server replies not handled as "related" by firewall

Mon Oct 14, 2019 8:20 pm

OK guys, I found out that these strange/bogus "DNS replies" to port 5678 (neighbor discovery) stopped as soon as I turned off "internet detection". I assume it probed Google 8.8.8.8 and/or DHCP-acquired DNS servers.
Thanks
