kelvinmurithi3229
just joined
Topic Author
Posts: 6
Joined: Mon Jul 19, 2021 5:50 am

Allow Remote DNS Requests

Mon Jul 19, 2021 5:58 am

I am trying to use Allow Remote Requests in MikroTik DNS to make my MikroTik a DNS server for clients connected over a PPPoE interface, but it doesn't work when one of the default firewall rules is enabled: "defconf: drop all not coming from LAN". If I disable this rule the DNS requests work as I expect and requests can go through. Why is this default rule causing the DNS requests to fail when enabled?
Is it safe to disable it?
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Allow Remote DNS Requests

Mon Jul 19, 2021 8:56 am

It's self-explanatory: drop all not coming from LAN. The PPPoE interface is not LAN. Allow 53/udp from the appropriate interfaces exactly before this drop-all rule. And be sure not to allow DNS from the entire world.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Allow Remote DNS Requests

Mon Jul 19, 2021 12:00 pm

Change it to:
drop all coming from WAN to port 53,
and then all "any type local" interfaces will be served.
 
kelvinmurithi3229
just joined
Topic Author
Posts: 6
Joined: Mon Jul 19, 2021 5:50 am

Re: Allow Remote DNS Requests

Fri Jul 23, 2021 5:41 am

It's self explanatory: drop all not coming from LAN. PPPoE interface is not LAN. Allow 53/udp from appropriate interfaces exactly before this drop-all rule. And be sure to not allow DNS from entire world.
Would including the dynamic list, which I think contains all PPPoE clients, in LAN solve this issue? Or would creating the Allow 53/udp rule for the dynamic list and adding it before the drop-all rule be the best option?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Allow Remote DNS Requests

Fri Jul 23, 2021 12:27 pm

When you are serving PPPoE clients, the default firewall may or may not be reasonable for you.
You need to evaluate what you want the firewall to do, and how you want to control what it does.
(i.e. if you still want to use the simplified "WAN and LAN" classification that is in the default firewall, and which is intended for the typical home setup)
Maybe you just want to change the firewall to suit your needs as (apparently) an ISP, and in that process remove the use of the WAN and LAN interface lists altogether.
But be sure that you keep a well-configured firewall, especially on the local services of the router. When your DNS resolver, or your configuration interface (telnet/ssh/webfig/winbox), is accessible from the internet, you will get in real trouble sooner or later!
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allow Remote DNS Requests

Fri Jul 23, 2021 2:13 pm

... you will get in real trouble sooner or later!

Rather sooner than later.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Allow Remote DNS Requests

Fri Jul 23, 2021 4:39 pm

Would including the dynamic list which I think contains all PPPoE clients in LAN solve this issue? or create the Allow 53/udp for dynamic list and add it before the drop-all-rule be the best option?
Simply add, before "defconf: drop all not coming from LAN", two rules with:
chain input (not forward)
action accept
src-address-list=address_list_of_pppoe_client_allowed_to_use_dns
dst-address=local_dns_ip_address
protocol=udp (on the second rule tcp)
dst-port=53
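The two input-chain accept rules described in the reply above, as an added RouterOS CLI example that is not from the thread. It assumes the PPP profile is named "default", the router's DNS address on the PPPoE side is the placeholder 10.0.0.1, and the address list is named pppoe-dns-clients; the resolver is only opened to addresses on that list, so the existing defconf drop rule keeps dropping DNS from the WAN.

```routeros
# Added example (not from the thread). Placeholders: profile "default",
# router DNS address 10.0.0.1, address list "pppoe-dns-clients".

# The router answers DNS for its clients.
/ip dns set allow-remote-requests=yes

# Every client that logs in through this PPP profile has its assigned address
# added to the list dynamically for the lifetime of the session, so the list
# tracks PPPoE clients without manual maintenance.
/ppp profile set default address-list=pppoe-dns-clients

# Two accept rules on chain input (the router itself is the DNS server):
# one for UDP, one for TCP, only from listed clients, only to the router's
# DNS address, and placed before the defconf drop rule so they match first.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=pppoe-dns-clients dst-address=10.0.0.1 \
    comment="accept DNS (udp) from PPPoE clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=pppoe-dns-clients dst-address=10.0.0.1 \
    comment="accept DNS (tcp) from PPPoE clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check: the accept rules must appear above the defconf drop rule, and their
# packet counters should increase while a PPPoE client resolves names. DNS
# arriving on the WAN interface still hits the drop rule and is not answered.
/ip firewall filter print where dst-port=53
/ip firewall address-list print where list=pppoe-dns-clients
```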
