ATTACKS TO UDP PORT 53 (DNS)

Posted: Fri Jun 29, 2018 3:39 pm
by borregator

Hello Mikrotik Developers and Users.
I found several MikroTik routers (any model) connected to the Internet failing due to induced saturation of the WAN port. The users report extreme slowness when browsing the Internet. When the router is disconnected from the LAN side the saturation continues, as if the router were sending packets toward the Internet cloud (Tx saturation).
This problem often occurs when static public addresses are used on the WAN port.

I solved it by adding a filter rule dropping any incoming packets on the WAN port with destination port 53 UDP.

Has any of you experienced this?

Is MikroTik working on this issue?

Any recommendations?

Thanks.

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Fri Jun 29, 2018 3:55 pm
by BartoszP
http://bfy.tw/IpI6

Simply: deny any incoming unexpected/unrelated traffic to your router.

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Sat Jun 30, 2018 2:09 am
by Sob
Is MikroTik working on this issue?
There's not much here for MikroTik to do. The issue is a misconfigured router working as an open resolver. Blame the admin. Even the default firewall is now secure by default. MikroTik could probably make some small changes to make it harder to misconfigure a router like this, but still, it's the admin who's responsible.

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Sat Jun 30, 2018 6:02 pm
by Redmor
You could accept DNS only from LAN if you're on a client, as the default configuration firewall does.
/ip firewall
add action=accept chain=input comment=DNS dst-port=53 in-interface=LAN-interface protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface=LAN-interface protocol=tcp
add action=drop chain=input

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Sat Jun 30, 2018 6:30 pm
by Sob
Careful with the last one, you want to allow a few more things (admin access) before adding the last drop rule.
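
To see how Redmor's three rules behave, and why Sob's caveat matters, here is a small first-match evaluator for a RouterOS-style input chain. This is an added example, not code from the thread or from MikroTik; the WAN interface name "ether1-WAN" and the use of SSH on TCP/22 as the stand-in for "admin access" are constructed assumptions.

```python
from typing import Optional, List, Dict

class Rule:
    """One RouterOS-style firewall rule; an unset matcher matches anything."""
    def __init__(self, action: str, protocol: Optional[str] = None,
                 dst_port: Optional[int] = None, in_interface: Optional[str] = None):
        self.action, self.protocol = action, protocol
        self.dst_port, self.in_interface = dst_port, in_interface

    def matches(self, pkt: Dict) -> bool:
        return all(getattr(self, k) is None or getattr(self, k) == pkt[k]
                   for k in ("protocol", "dst_port", "in_interface"))

def evaluate(chain: List[Rule], pkt: Dict) -> str:
    """First matching rule decides; a built-in chain accepts when nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"

def packet(protocol: str, dst_port: int, in_interface: str) -> Dict:
    return {"protocol": protocol, "dst_port": dst_port, "in_interface": in_interface}

# Redmor's rules from the thread, transcribed into Rule objects.
REDMOR_CHAIN = [
    Rule("accept", protocol="udp", dst_port=53, in_interface="LAN-interface"),
    Rule("accept", protocol="tcp", dst_port=53, in_interface="LAN-interface"),
    Rule("drop"),
]

# Same chain with an admin-access accept placed before the final drop, as Sob
# suggests. SSH on TCP/22 from the LAN is a constructed stand-in for "admin access".
WITH_ADMIN_CHAIN = REDMOR_CHAIN[:2] + [
    Rule("accept", protocol="tcp", dst_port=22, in_interface="LAN-interface"),
    Rule("drop"),
]

def run_cases(chain: List[Rule]) -> Dict[str, str]:
    # "ether1-WAN" is a constructed interface name standing for the WAN port.
    return {
        "dns_udp_from_wan": evaluate(chain, packet("udp", 53, "ether1-WAN")),
        "dns_udp_from_lan": evaluate(chain, packet("udp", 53, "LAN-interface")),
        "ssh_from_lan": evaluate(chain, packet("tcp", 22, "LAN-interface")),
    }

if __name__ == "__main__":
    for name, chain in (("Redmor", REDMOR_CHAIN), ("with admin rule", WITH_ADMIN_CHAIN)):
        print(name, run_cases(chain))
```

With Redmor's chain alone, DNS from the WAN is dropped but so is SSH from the LAN; the admin accept rule restores LAN management access while the WAN side stays closed.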

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Tue Jul 03, 2018 12:57 pm
by WirtelPL
Would disabling the "allow remote requests" option be additional security?
[Router]> ip dns print 
         allow-remote-requests: no

Re: ATTACKS TO UDP PORT 53 (DNS)

Posted: Tue Jul 03, 2018 1:20 pm
by BartoszP
http://lmgtfy.com/?q=mikrotik+dns+allow+remote

Devices on the LAN are also remote to the router, so only the router itself can use DNS.
Yes, security is higher but functionality is lower.