dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 4:12 pm

Hello!

I recently installed a hAP ac2 and I have Pi-hole installed on a device in my network, which I set up as DNS server.

From the Pi-hole's logs, it looks like I received some DNS queries from external addresses (by googling them, they look mostly like Chinese addresses). I noticed that because of some (~20) warnings: "ignoring query from non-local network <ip-address>", all of them from the same day within a window of a few hours.

I don't have the Pi-hole exposed to the internet, at least it's not supposed to be, and I didn't make changes to the firewall in the past days. How is it possible I'm receiving those queries?

The MikroTik device is behind my ISP's modem router, a Vodafone Station Revolution which has been configured to act only as a modem and has a static NAT enabled towards the hAP ac2.

I have some firewall rules to redirect every DNS query from my network to the Pi-hole.

The Pi-hole also acts as a WireGuard server.

My network structure:

Internet <-> Vodafone Station <--(static NAT)--> mikrotik.local <-> NATted devices, including Pi-hole

# may/02/2022 14:17:33 by RouterOS 6.49.6
# software id = 0GMD-Z5IT
#
# model = RBD52G-5HacD2HnD
/ip firewall address-list
add address=192.168.88.2 list=pi-hole
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block NetBIOS" dst-port=135,137-139 protocol=tcp
add action=drop chain=forward dst-port=135,137-139 protocol=udp
add action=drop chain=forward protocol=tcp src-port=135,137-139
add action=drop chain=forward protocol=udp src-port=135,137-139
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS dst-port=53,853 new-connection-mark=dns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=DNS dst-port=53,853 new-connection-mark=dns passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=dns passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Redirect all DNS queries to the Pi-hole (TCP)" dst-address=!192.168.88.2 packet-mark=dns protocol=tcp \
    src-address=!192.168.88.2 src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect all DNS queries to the Pi-hole (UDP)" dst-address=!192.168.88.2 packet-mark=dns protocol=udp \
    src-address=!192.168.88.2 src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=WireGuard dst-port=51337 protocol=udp to-addresses=192.168.88.2 to-ports=51337

My DHCP configuration:
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server lease
<cut>
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 gateway=192.168.88.1

Thanks!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Receiving undesired DNS queries from outside my local network  [SOLVED]

Mon May 02, 2022 4:23 pm

You're redirecting all DNS requests, regardless of their source, so including ones from internet to your public address. You should limit that using e.g. in-interface-list=LAN.
 
dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 4:57 pm

You're redirecting all DNS requests, regardless of their source, so including ones from internet to your public address. You should limit that using e.g. in-interface-list=LAN.

Oh ok, thanks, I will add that to the dstnat rules, but I'm still puzzled: shouldn't external requests be blocked by the other firewall rules? Specifically by this one:

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Furthermore, I cannot query my Pi-hole from a VPS: if I run "dig google.com @<my-lab-ip>" from a VPS it hangs and I don't see the request in the Pi-hole's logs. Why is that?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 5:25 pm

No, chain=input is only for traffic to the router itself (e.g. when you're connecting to WinBox or WebFig). Forwarded ports are traffic passing through the router and use chain=forward.

If you limit requests to LAN sources, then external access from the VPS won't work; you'll need an exception for that (you can e.g. add two new dstnat rules with src-address=<VPS>).

I also don't see what's the point of marking DNS traffic, that's not needed for this to work, but it's possible that you use it for something else.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 5:29 pm

...shouldn't external requests be blocked by the other firewall rules?...

dst-nat happens before any firewall rules; if you "permit" it, the firewall cannot block that...
https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram
 
dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 6:19 pm

No, chain=input is only for traffic to router itself (e.g. when you're connecting to WinBox or WebFig). Forwarded ports is traffic passing though router and uses chain=forward.

Oh sorry, you're right, the one I actually should've pointed to is actually this one:

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

I also don't see what's the point of marking DNS traffic, that's not needed for this to work, but it's possible that you use it for something else.

No need for it, it's redundant, I was just testing out something (trying to use marked packets instead of src-address) and left it there.

dst-nat happen before any firewall rules, if you "permit" it, firewall can not block that...
https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram

Thanks for that diagram! That's very helpful, now I think I get it.

The only thing I don't get is: why can't I reproduce that? I mean, I should be able to see queries I myself make from a server from the outside to my lab's public address, right? But if I try to dig a name from a VPS on the outside, specifying my lab's public IP as DNS server, I don't see the query in the logs, what am I missing?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 7:56 pm

What you have to learn is that MT Config is like life.
The more you know, the more you realize you don't know

To illustrate this further, the following two jpegs are provided.
[attachment: dontknow.jpg]

More on unknowns
[attachment: unks.jpg]

Finally, the path to knowledge
[attachment: effect.jpg]
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 9:22 pm

If you look at that rule's comment ("drop all from WAN not DSTNATed"), it's no secret why those packets can pass, is it?

And if you mean that from VPS it didn't work even with original rules (without limiting it to LAN clients), then it definitely should. I mean, if it worked for random Chinese, why not for you.

:)
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Receiving undesired DNS queries from outside my local network

Mon May 02, 2022 11:18 pm

That's a polite way of saying, self-inflicted wounds are the funniest kind..........
 
dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Re: Receiving undesired DNS queries from outside my local network

Tue May 03, 2022 2:29 pm

And if you mean that from VPS it didn't work even with original rules (without limiting it to LAN clients), then it definitely should. I mean, if it worked for random Chinese, why not for you.

If you're implying that they're more skilled than me, they most definitely are anyway :lol:

And yes, I meant with the original rules (those I posted, with those DSTNAT rules not limited to LAN). I'm banging my head against a wall, it's either something stupid I'm missing or something complicated I don't know I guess... Perhaps this is OT since I should have the answer to the main question now, but I would like to test it anyway, you know, before and after the updated rules.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Receiving undesired DNS queries from outside my local network

Tue May 03, 2022 2:58 pm

Maybe your VPS provider doesn't allow DNS traffic to random IPs. Did you test that?
 
dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Re: Receiving undesired DNS queries from outside my local network

Wed May 04, 2022 3:48 pm

Maybe your VPS provider doesn't allow DNS traffic to random IPs. Did you test that?

Yes, I did test that. I'm using 3 VPSs from 3 different providers, they can query each other but not my lab. I also tried from home, I cannot run queries through my lab's Pi-hole. But I keep receiving queries from the outside if I don't limit the DSTNAT to LAN.

The strange thing is that yesterday I tried to disable the firewall altogether (all the rules aside from the DSTNAT rules) and in a matter of a few minutes the Pi-hole rate-limited my router (192.168.88.1), so I guess it can be queried from the outside, but it sees traffic coming from 192.168.88.1. The queries that I'm seeing in the Pi-hole logs are from external IPs, that's what's confusing to me.

 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Receiving undesired DNS queries from outside my local network

Sat May 07, 2022 3:01 pm

That's weird in more than one way. First, incoming connections are clearly possible, so it must allow your VPSes too. At least it's not this router's firewall (original version) blocking them. You can add additional logging (at the beginning of the chain) to see incoming packets:

/ip firewall mangle
add chain=prerouting src-address=<VPS> protocol=udp dst-port=53 action=log log-prefix="DNS from VPS"

Second, there's nothing here that would change the source of incoming traffic from the internet. There's the default masquerade rule, but that's only for outgoing traffic. Then there's masquerade for hairpin NAT, but it's only for 192.168.88.x sources.
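A consolidated version of the fixes Sob describes in this thread (limit the redirect to in-interface-list=LAN, add dstnat exceptions for the VPS, and log the matches), written here as an added example rather than configuration posted by anyone in the thread. It assumes the Pi-hole stays at 192.168.88.2, that only plain DNS on port 53 is needed (the original rules also matched 853, which the Pi-hole's port 53 cannot serve), and uses 203.0.113.10 as a placeholder VPS address; the trailing forward-chain drop rules are an extra defence-in-depth step not discussed in the thread.

```routeros
# Added example, not configuration from the thread. Assumptions: Pi-hole at
# 192.168.88.2, plain DNS on port 53 only, 203.0.113.10 is a placeholder VPS.

# Remote hosts that are allowed to use the Pi-hole over the WAN
/ip firewall address-list
add address=203.0.113.10 comment="VPS 1 (placeholder address)" list=dns-remote-clients

# The mangle marks were redundant (dastain confirms this); match dst-port directly
/ip firewall mangle
remove [find comment=DNS]
remove [find new-packet-mark=dns]

# Replace the source-agnostic redirect with LAN-only rules
/ip firewall nat
remove [find comment~"Redirect all DNS queries to the Pi-hole"]
add action=dst-nat chain=dstnat comment="LAN DNS -> Pi-hole (UDP)" \
    in-interface-list=LAN dst-address=!192.168.88.2 dst-port=53 protocol=udp \
    src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53
add action=dst-nat chain=dstnat comment="LAN DNS -> Pi-hole (TCP)" \
    in-interface-list=LAN dst-address=!192.168.88.2 dst-port=53 protocol=tcp \
    src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53

# Explicit exceptions for the listed remote clients, logged on the NAT rule
# itself (the logging that worked for dastain) so every forwarded query is visible
add action=dst-nat chain=dstnat comment="VPS DNS -> Pi-hole (UDP)" \
    in-interface-list=WAN src-address-list=dns-remote-clients dst-port=53 \
    protocol=udp log=yes log-prefix="DNS from VPS" to-addresses=192.168.88.2 to-ports=53
add action=dst-nat chain=dstnat comment="VPS DNS -> Pi-hole (TCP)" \
    in-interface-list=WAN src-address-list=dns-remote-clients dst-port=53 \
    protocol=tcp log=yes log-prefix="DNS from VPS" to-addresses=192.168.88.2 to-ports=53

# Defence in depth: dst-nat runs before the forward chain, and the defconf
# "drop all from WAN not DSTNATed" rule passes dst-nat'd packets, so also drop
# new WAN->Pi-hole port 53 connections from any source not on the allow-list
/ip firewall filter
add action=drop chain=forward comment="Drop WAN DNS to Pi-hole not on allow-list" \
    connection-state=new dst-address=192.168.88.2 dst-port=53 in-interface-list=WAN \
    protocol=udp src-address-list=!dns-remote-clients
add action=drop chain=forward comment="Drop WAN DNS to Pi-hole not on allow-list" \
    connection-state=new dst-address=192.168.88.2 dst-port=53 in-interface-list=WAN \
    protocol=tcp src-address-list=!dns-remote-clients
```

After applying, "dig @<public-ip> example.com" from the listed VPS should appear in /log with the "DNS from VPS" prefix, while the same query from an unlisted host is neither redirected nor forwarded.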
 
dastain
just joined
Topic Author
Posts: 6
Joined: Mon May 02, 2022 3:09 pm

Re: Receiving undesired DNS queries from outside my local network

Thu May 12, 2022 4:46 pm

Thanks for the suggestion Sob, that did it! Actually the mangle rules didn't work for some reason (I guess a real determinism doesn't exist in networking - lol), I had to tick the "Log" option in the specific NAT rules to be able to see those packets in the logs. Obviously if I limit the rules to the LAN interface, I don't see those logs anymore.

Funny thing is that the Pi is only logging some of those DNS requests from my VPSs, while I see all of them in the RouterOS logs...

Anyway, I understand this better now, thank you all for the help!

Now I'll have to learn how to harden my firewall :D
