NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

DNS Cache

Fri Dec 13, 2019 3:33 pm

Hello guys.

I'm having some issues on some clients' MikroTiks.

The DNS cache has a lot of domains/data, more than 2000 items.

I have allow-remote-requests active, and drop UDP/TCP port 53 using RAW in the firewall.

Is this a real issue?

Sorry for my bad english.
 
normis
MikroTik Support
Posts: 24424
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS Cache

Fri Dec 13, 2019 3:38 pm

Router itself also uses DNS.
No answer to your question? How to write posts
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Fri Dec 13, 2019 3:53 pm

Thanks for the reply.

But can you explain that?
Just one PC is using the internet, and when I flush the cache all the data/items immediately return to the cache.

These items seem weird.

Example:

Image

And it's using 100% of CPU (I don't know if it is a DNS cache problem).
 
normis
MikroTik Support
Posts: 24424
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: DNS Cache

Fri Dec 13, 2019 3:55 pm

Image not working.
Post your configuration file please.
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Fri Dec 13, 2019 4:02 pm

# dec/13/2019 11:59:19 by RouterOS 6.43.4
# software id = 5HTH-KXRN
#
# model = RouterBOARD 750 r2
# serial number = 67D206662025
/interface bridge
add fast-forward=no name=Bdg-Local
/interface ethernet
set [ find default-name=ether1 ] name=eth1-Intervel
set [ find default-name=ether2 ] name=eth2-Speedy
set [ find default-name=ether3 ] name=ether3-BDG
set [ find default-name=ether4 ] name=ether4-BDG
set [ find default-name=ether5 ] name=ether5-BDG
/interface pppoe-client
add disabled=no interface=eth1-Intervel name=pppoe-intervel password=137agrv \
    user=moinho.hotel
/interface list
add name=Internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=facebook regexp=facebook
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=192.168.1.128-192.168.1.254
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Bdg-Local name=DHCP-Local
/queue simple
add name=ADM priority=1/1 target=192.168.1.0/25
add name=WIFI target=192.168.1.128/25
/interface bridge port
add bridge=Bdg-Local interface=ether3-BDG
add bridge=Bdg-Local interface=ether4-BDG
add bridge=Bdg-Local interface=ether5-BDG
/interface list member
add interface=pppoe-intervel list=Internet
add interface=eth2-Speedy list=Internet
/ip address
add address=192.168.3.2/24 interface=eth2-Speedy network=192.168.3.0
add address=192.168.1.1/24 interface=Bdg-Local network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:e0:d5:5e:37:91:6c mac-address=\
    E0:D5:5E:37:91:6C server=DHCP-Local
add address=192.168.1.30 client-id=1:8c:dc:d4:fe:e8:13 mac-address=\
    8C:DC:D4:FE:E8:13 server=DHCP-Local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    8.8.8.8,208.67.222.222,84.200.69.80
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 dst-port=53 \
    in-interface-list=Internet protocol=udp
# inactive time
add action=drop chain=forward comment=\
    Bloqueio-Facebook-PC-Recepcao-16:30h-23:59h dst-port=80,443 \
    layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=Bloqueio-Facebook-PC-Recepcao-00h-07h \
    dst-port=80,443 layer7-protocol=facebook protocol=tcp src-address=\
    192.168.1.11 time=0s-7h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input src-address=173.208.219.0/24
add action=accept chain=input src-address=91.215.158.0/24
add action=accept chain=input src-address=208.110.66.0/24
add action=accept chain=input src-address=188.92.74.0/24
add action=accept chain=input protocol=udp
# inactive time
add action=drop chain=forward comment=\
    "Bloqueio Facebook - Recepcao - 7h-16:29 - Valter-Quarta-Feira" dst-port=\
    80,443 layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 \
    time=7h5s-16h29m55s,thu
# inactive time
add action=accept chain=output comment=\
    webproxy-libera-porta-8080-16:30h-23:59h dst-port=8080 protocol=tcp time=\
    16h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=output comment=webproxy-libera-porta-8080-00h-07h \
    dst-port=8080 protocol=tcp time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=forward comment=\
    webproxy-libera-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira dst-port=\
    8080 protocol=tcp time=7h5s-16h29m55s,thu
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rede-adm \
    passthrough=yes src-address=192.168.1.0/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.128/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.15
add action=mark-connection chain=input comment=\
    "Entra Intervel regra mark connection " in-interface=pppoe-intervel \
    new-connection-mark=intervel passthrough=yes
add action=mark-connection chain=input comment=\
    "Entra speedy regra mark connection " in-interface=eth2-Speedy \
    new-connection-mark=speedy passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Intervel regra mark connection " connection-mark=intervel \
    new-routing-mark=intervel passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Speedy regra mark connection " connection-mark=speedy \
    new-routing-mark=speedy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=9070 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=9070
add action=dst-nat chain=dstnat dst-port=2101 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=2101
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-16:30h-23:59h dst-port=80 protocol=\
    tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-00h-07h dst-port=80 protocol=tcp \
    time=0s-7h,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira \
    dst-port=80 protocol=tcp time=7h5s-16h29m55s,thu to-ports=8080
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=udp
/ip proxy
set enabled=yes max-fresh-time=1d
/ip proxy access
add dst-host=:deezer src-address=192.168.1.11
add dst-host=:webmail|locaweb|webmail-seguro.com.br src-address=192.168.1.11
add dst-host=:ventana src-address=192.168.1.11
add dst-host=:trivago src-address=192.168.1.11
add dst-host=:tripadvisor src-address=192.168.1.11
add dst-host=:sabesp src-address=192.168.1.11
add dst-host=:pousadavillaggioitalia src-address=192.168.1.11
add dst-host=:pousadaitaliaeleganza src-address=192.168.1.11
add dst-host=:omnibees src-address=192.168.1.11
add dst-host=:nfecj src-address=192.168.1.11
add dst-host=:nfe.fazenda src-address=192.168.1.11
add dst-host=:myhotel.omnibees src-address=192.168.1.11
add dst-host=:meuip src-address=192.168.1.11
add dst-host=:java src-address=192.168.1.11
add dst-host=:hotelmoinhoitalia src-address=192.168.1.11
add dst-host=:hoteis src-address=192.168.1.11
add dst-host=:fusionti src-address=192.168.1.11
add dst-host=:fazenda src-address=192.168.1.11
add dst-host=:extranet.decolar src-address=192.168.1.11
add dst-host=:correios src-address=192.168.1.11
add dst-host=:camposdojordao src-address=192.168.1.11
add dst-host=:booking src-address=192.168.1.11
add dst-host=:gruppoitalia src-address=192.168.1.11
add dst-host=:globo src-address=192.168.1.11
add dst-host=:focoaprendizagem src-address=192.168.1.11
add dst-host=:educacao.sp src-address=192.168.1.11
add dst-host=:escoladeformacao.sp src-address=192.168.1.11
add dst-host=:inovaeducacao.escoladeformacao.sp src-address=192.168.1.11
add dst-host=192.168.3.1 src-address=192.168.1.11
add action=deny redirect-to=www.fusionti.info/negado src-address=192.168.1.11
/ip route
add comment=Rota-Adm1 distance=1 gateway=192.168.3.1 routing-mark=rede-adm
add comment=Rota-Adm2 distance=2 gateway=pppoe-intervel routing-mark=rede-adm
add comment=Intervel-Italia distance=1 dst-address=138.94.71.230/32 gateway=\
    pppoe-intervel routing-mark=rede-adm
add comment=Rota-Wifi1 distance=1 gateway=pppoe-intervel routing-mark=\
    rede-wifi
add comment="Regra Entrada e Saida Intervel regra mark connection " distance=\
    1 gateway=pppoe-intervel routing-mark=intervel
add comment="Regra Entrada e Saida Speedy regra mark connection " distance=1 \
    gateway=192.168.3.1 routing-mark=speedy
add distance=1 gateway=192.168.3.1
add distance=1 gateway=pppoe-intervel
add comment=Check-Speedy distance=1 dst-address=189.8.2.162/32 gateway=\
    192.168.3.1 pref-src=192.168.3.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8
/system routerboard settings
set silent-boot=no
/tool netwatch
add down-script=\
    "/ip route set [/ip route find comment=Rota-Adm1] disabled=yes" host=\
    189.8.2.162 interval=30s up-script=\
    "ip route set [/ip route find comment=Rota-Adm1] disabled=no"
   
 
R1CH
Forum Veteran
Posts: 919
Joined: Sun Oct 01, 2006 11:44 pm

Re: DNS Cache

Fri Dec 13, 2019 4:37 pm

Why do you have allow-remote-requests turned on if you don't want people using it?
 
Znevna
Frequent Visitor
Posts: 70
Joined: Mon Sep 23, 2019 1:04 pm

Re: DNS Cache

Fri Dec 13, 2019 4:54 pm

He is using it, for clients behind the network
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
But his firewall is a mess. These lines in particular:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 dst-port=53 in-interface-list=Internet protocol=udp
add action=accept chain=input protocol=udp
?!!???
I also see lots of other accept lines but no final drop on input :?:
PS: adding those RAW lines without removing connections from conntrack will do nothing for the current established connections, it will only block new ones. (right?)
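
Added example, not part of any post in this thread: a small audit that reads a RouterOS export and reports the conditions Znevna points at (an `input` accept rule with no source restriction, no final drop on `input`) while `allow-remote-requests=yes` is set. The function names and finding codes are hypothetical; the sample is trimmed from the export posted above.

```python
import re
import shlex

# Trimmed from the export posted in the thread: only the menus the checks read.
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    8.8.8.8,208.67.222.222,84.200.69.80
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.0/24 dst-port=53 \
    in-interface-list=Internet protocol=udp
add action=accept chain=input src-address=173.208.219.0/24
add action=accept chain=input protocol=udp
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=udp
"""

# Matchers that restrict where a packet may come from.
SOURCE_MATCHERS = {"src-address", "src-address-list", "in-interface",
                   "in-interface-list", "connection-state"}


def parse_export(text):
    """Return [(menu, verb, props)] for every command in a RouterOS export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    menu, commands = "", []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        try:
            tokens = shlex.split(line)      # keeps quoted comments as one token
        except ValueError:                  # unbalanced quote: split on spaces
            tokens = line.split()
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        commands.append((menu, tokens[0], props))
    return commands


def covers_port_53(props):
    """True if the rule has no dst-port or lists 53 (port ranges are not expanded)."""
    return "53" in props.get("dst-port", "53").split(",")


def audit_dns_exposure(text):
    """Return finding codes (hypothetical names) for an exposed router resolver."""
    cmds = parse_export(text)
    findings = []
    if not any(m == "/ip dns" and p.get("allow-remote-requests") == "yes"
               for m, _, p in cmds):
        return findings                     # resolver does not serve other hosts
    input_rules = [p for m, v, p in cmds
                   if m == "/ip firewall filter" and v == "add"
                   and p.get("chain") == "input" and p.get("disabled") != "yes"]
    for p in input_rules:
        if (p.get("action") == "accept"
                and p.get("protocol") in (None, "udp", "tcp")
                and not SOURCE_MATCHERS & p.keys() and covers_port_53(p)):
            findings.append("input-accept-any-source:" + p.get("protocol", "all"))
    # An input chain that is empty or lacks a closing drop accepts what is left.
    if not input_rules or input_rules[-1].get("action") != "drop":
        findings.append("input-no-final-drop")
        # In that case the raw table is the only barrier in front of port 53.
        raw = {p.get("protocol") for m, v, p in cmds
               if m == "/ip firewall raw" and v == "add"
               and p.get("action") == "drop" and "dst-port" in p
               and covers_port_53(p)}
        findings += ["raw-no-dns-drop:" + proto
                     for proto in ("udp", "tcp") if proto not in raw]
    return findings


if __name__ == "__main__":
    for finding in audit_dns_exposure(SAMPLE_EXPORT):
        print(finding)
```

The raw check only confirms that a port 53 drop rule exists per protocol; whether it matches depends on the interface list membership, which this sketch does not evaluate.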
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Fri Dec 13, 2019 6:39 pm

Well thanks!!

I have removed these lines

add action=accept chain=input src-address=173.208.219.0/24
add action=accept chain=input src-address=91.215.158.0/24
add action=accept chain=input src-address=208.110.66.0/24
add action=accept chain=input src-address=188.92.74.0/24
add action=accept chain=input protocol=udp

These lines do not belong to my client.

Now I am still receiving a lot of DNS and connections in Firewall connections
 
pe1chl
Forum Guru
Posts: 6241
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS Cache

Fri Dec 13, 2019 6:49 pm

After the mistake of allowing use of your router's DNS from internet, the incoming requests will likely go on for some time but at some point it will stop again.
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Fri Dec 13, 2019 7:02 pm

After the mistake of allowing use of your router's DNS from internet, the incoming requests will likely go on for some time but at some point it will stop again.
Thanks.

Even after flushing the cache?

Do you see any other issue in my config?
# dec/13/2019 15:00:36 by RouterOS 6.43.4
# software id = 5HTH-KXRN
#
# model = RouterBOARD 750 r2
# serial number = 67D206662025
/interface bridge
add fast-forward=no name=Bdg-Local
/interface ethernet
set [ find default-name=ether1 ] name=eth1-Intervel
set [ find default-name=ether2 ] name=eth2-Speedy
set [ find default-name=ether3 ] name=ether3-BDG
set [ find default-name=ether4 ] name=ether4-BDG
set [ find default-name=ether5 ] name=ether5-BDG
/interface pppoe-client
add disabled=no interface=eth1-Intervel name=pppoe-intervel password=137agrv \
    user=moinho.hotel
/interface list
add name=Internet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=facebook regexp=facebook
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool1 ranges=192.168.1.128-192.168.1.254
/ip dhcp-server
add address-pool=pool1 disabled=no interface=Bdg-Local name=DHCP-Local
/queue simple
add name=ADM priority=1/1 target=192.168.1.0/25
add name=WIFI target=192.168.1.128/25
/interface bridge port
add bridge=Bdg-Local interface=ether3-BDG
add bridge=Bdg-Local interface=ether4-BDG
add bridge=Bdg-Local interface=ether5-BDG
/interface list member
add interface=pppoe-intervel list=Internet
add interface=eth2-Speedy list=Internet
/ip address
add address=192.168.3.2/24 interface=eth2-Speedy network=192.168.3.0
add address=192.168.1.1/24 interface=Bdg-Local network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.1.11 client-id=1:e0:d5:5e:37:91:6c mac-address=\
    E0:D5:5E:37:91:6C server=DHCP-Local
add address=192.168.1.30 client-id=1:8c:dc:d4:fe:e8:13 mac-address=\
    8C:DC:D4:FE:E8:13 server=DHCP-Local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    8.8.8.8,208.67.222.222,84.200.69.80
/ip firewall filter
# inactive time
add action=drop chain=forward comment=\
    Bloqueio-Facebook-PC-Recepcao-16:30h-23:59h dst-port=80,443 \
    layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=Bloqueio-Facebook-PC-Recepcao-00h-07h \
    dst-port=80,443 layer7-protocol=facebook protocol=tcp src-address=\
    192.168.1.11 time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=drop chain=forward comment=\
    "Bloqueio Facebook - Recepcao - 7h-16:29 - Valter-Quarta-Feira" dst-port=\
    80,443 layer7-protocol=facebook protocol=tcp src-address=192.168.1.11 \
    time=7h5s-16h29m55s,thu
# inactive time
add action=accept chain=output comment=\
    webproxy-libera-porta-8080-16:30h-23:59h dst-port=8080 protocol=tcp time=\
    16h30m-23h59m59s,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=output comment=webproxy-libera-porta-8080-00h-07h \
    dst-port=8080 protocol=tcp time=0s-7h,sun,mon,tue,wed,thu,fri,sat
# inactive time
add action=accept chain=forward comment=\
    webproxy-libera-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira dst-port=\
    8080 protocol=tcp time=7h5s-16h29m55s,thu
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rede-adm \
    passthrough=yes src-address=192.168.1.0/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.128/25
add action=mark-routing chain=prerouting new-routing-mark=rede-wifi \
    passthrough=yes src-address=192.168.1.15
add action=mark-connection chain=input comment=\
    "Entra Intervel regra mark connection " in-interface=pppoe-intervel \
    new-connection-mark=intervel passthrough=yes
add action=mark-connection chain=input comment=\
    "Entra speedy regra mark connection " in-interface=eth2-Speedy \
    new-connection-mark=speedy passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Intervel regra mark connection " connection-mark=intervel \
    new-routing-mark=intervel passthrough=yes
add action=mark-routing chain=output comment=\
    "Sai Speedy regra mark connection " connection-mark=speedy \
    new-routing-mark=speedy passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=9070 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=9070
add action=dst-nat chain=dstnat dst-port=2101 in-interface=pppoe-intervel \
    protocol=tcp to-addresses=192.168.1.15 to-ports=2101
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-16:30h-23:59h dst-port=80 protocol=\
    tcp src-address=192.168.1.11 time=\
    16h30m-23h59m50s,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-00h-07h dst-port=80 protocol=tcp \
    time=0s-7h,sun,mon,tue,wed,thu,fri,sat to-ports=8080
# inactive time
add action=redirect chain=dstnat comment=\
    Redirecionamento-webproxy-porta-8080-7h-16:29h-Folga-Valter-Quinta-Feira \
    dst-port=80 protocol=tcp time=7h5s-16h29m55s,thu to-ports=8080
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=Internet \
    protocol=udp
/ip proxy
set enabled=yes max-fresh-time=1d
/ip proxy access
add dst-host=:deezer src-address=192.168.1.11
add dst-host=:webmail|locaweb|webmail-seguro.com.br src-address=192.168.1.11
add dst-host=:ventana src-address=192.168.1.11
add dst-host=:trivago src-address=192.168.1.11
add dst-host=:tripadvisor src-address=192.168.1.11
add dst-host=:sabesp src-address=192.168.1.11
add dst-host=:pousadavillaggioitalia src-address=192.168.1.11
add dst-host=:pousadaitaliaeleganza src-address=192.168.1.11
add dst-host=:omnibees src-address=192.168.1.11
add dst-host=:nfecj src-address=192.168.1.11
add dst-host=:nfe.fazenda src-address=192.168.1.11
add dst-host=:myhotel.omnibees src-address=192.168.1.11
add dst-host=:meuip src-address=192.168.1.11
add dst-host=:java src-address=192.168.1.11
add dst-host=:hotelmoinhoitalia src-address=192.168.1.11
add dst-host=:hoteis src-address=192.168.1.11
add dst-host=:fusionti src-address=192.168.1.11
add dst-host=:fazenda src-address=192.168.1.11
add dst-host=:extranet.decolar src-address=192.168.1.11
add dst-host=:correios src-address=192.168.1.11
add dst-host=:camposdojordao src-address=192.168.1.11
add dst-host=:booking src-address=192.168.1.11
add dst-host=:gruppoitalia src-address=192.168.1.11
add dst-host=:globo src-address=192.168.1.11
add dst-host=:focoaprendizagem src-address=192.168.1.11
add dst-host=:educacao.sp src-address=192.168.1.11
add dst-host=:escoladeformacao.sp src-address=192.168.1.11
add dst-host=:inovaeducacao.escoladeformacao.sp src-address=192.168.1.11
add dst-host=192.168.3.1 src-address=192.168.1.11
add action=deny redirect-to=www.fusionti.info/negado src-address=192.168.1.11
/ip route
add comment=Rota-Adm2 distance=2 gateway=pppoe-intervel routing-mark=rede-adm
add comment=Rota-Adm1 disabled=yes distance=1 gateway=192.168.3.1 \
    routing-mark=rede-adm
add comment=Intervel-Italia distance=1 dst-address=138.94.71.230/32 gateway=\
    pppoe-intervel routing-mark=rede-adm
add comment=Rota-Wifi1 distance=1 gateway=pppoe-intervel routing-mark=\
    rede-wifi
add comment="Regra Entrada e Saida Intervel regra mark connection " distance=\
    1 gateway=pppoe-intervel routing-mark=intervel
add comment="Regra Entrada e Saida Speedy regra mark connection " distance=1 \
    gateway=192.168.3.1 routing-mark=speedy
add distance=1 gateway=192.168.3.1
add distance=1 gateway=pppoe-intervel
add comment=Check-Speedy distance=1 dst-address=189.8.2.162/32 gateway=\
    192.168.3.1 pref-src=192.168.3.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Sao_Paulo
/system ntp client
set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8
/system routerboard settings
set silent-boot=no
/tool netwatch
add disabled=yes down-script=\
    "/ip route set [/ip route find comment=Rota-Adm1] disabled=yes" host=\
    189.8.2.162 interval=30s up-script=\
    "ip route set [/ip route find comment=Rota-Adm1] disabled=no"

 
pe1chl
Forum Guru
Posts: 6241
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS Cache

Fri Dec 13, 2019 7:27 pm

I advise you to first upgrade your router to current stable version (system->package ->check for upgrades)
then reset it to defaults and add only what you need, not that christmas tree of strange rules that end in nothing.
 
pcunite
Forum Guru
Forum Guru
Posts: 1071
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DNS Cache

Fri Dec 13, 2019 7:29 pm

... not that Christmas tree of strange rules that end in nothing.

How seasonable of you!
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Fri Dec 13, 2019 7:42 pm

I advise you to first upgrade your router to current stable version (system->package ->check for upgrades)
then reset it to defaults and add only what you need, not that christmas tree of strange rules that end in nothing.
What strange rules do you mean?

I will upgrade RouterOS to current stable, but tell me about firmware? Is it safe and normal to upgrade?
(system->routerboard->upgrade)
 
pe1chl
Forum Guru
Posts: 6241
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS Cache

Sat Dec 14, 2019 10:50 am

Yes you should update it as well, but it is not so important.
What is important: your firewall is completely bogus, as Znevna also wrote. Reset your router to defaults and do not make a firewall that is too difficult for you to understand.
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Sat Dec 14, 2019 3:09 pm

Yes you should update it as well, but it is not so important.
What is important: your firewall is completely bogus, as Znevna also wrote. Reset your router to defaults and do not make a firewall that is too difficult for you to understand.
Ok.

I can understand that. These rules are a need of my client.
Block some sites in certain hours.

My difficulty is to understand how the DNS cache is full of incomprehensible DNS and how I can fix it.

I really appreciate all of your help!
 
pe1chl
Forum Guru
Posts: 6241
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS Cache

Sat Dec 14, 2019 4:48 pm

My difficulty is to understand how the DNS cache is full of incomprehensible DNS and how I can fix it.
It is because your firewall is wrong. Reset it to defaults and your problem will be fixed.
And don't listen to clients that tell you to block certain websites, that is not realistic anymore these days.
(and certainly not using the method you have used there)

Similar for a proxy. Remove it, it is useless.
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Sat Dec 14, 2019 5:14 pm

My difficulty is to understand how the DNS cache is full of incomprehensible DNS and how I can fix it.
It is because your firewall is wrong. Reset it to defaults and your problem will be fixed.
And don't listen to clients that tell you to block certain websites, that is not realistic anymore these days.
(and certainly not using the method you have used there)

Similar for a proxy. Remove it, it is useless.
I understand that.

But we need to do the customer's will. So if I need to accept only some websites, what can I do? What is the best/correct way?

Thanks again.
 
mkx
Forum Guru
Posts: 3753
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS Cache

Sat Dec 14, 2019 5:21 pm

But we need to do the customer's will. So if I need to accept only some websites, what can I do? What is the best/correct way?
Start off with default firewall filter rules and only add drop rules according to customer's wishes.
BR,
Metod
 
NofPowells
just joined
Topic Author
Posts: 11
Joined: Fri Dec 13, 2019 3:26 pm

Re: DNS Cache

Sat Dec 14, 2019 5:29 pm

But we need to do the customer's will. So if I need to accept only some websites, what can I do? What is the best/correct way?
Start off with default firewall filter rules and only add drop rules according to customer's wishes.
Thanks for the reply.

Are you from Brazil?

Where can I find a default firewall filter?

Thanks!
 
pe1chl
Forum Guru
Posts: 6241
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS Cache

Sat Dec 14, 2019 5:39 pm

Upgrade the router to latest stable version (or longterm when you like) and reset it to defaults.
Then build your configuration again starting with the basics (PPPoE connection, LAN address etc).
DO NOT add such things as proxy or l7 protocols until you really understand how they work.
DO NOT copy firewall recipes you find on youtube or shady internet sites.
Tell your client it is not realistic to block websites.
