I'm a bit stuck right now.
I run DNS on this MikroTik router, which acts as the gateway for my network.
I added a logging rule like this one:
Code:
/system logging action add name=dnsRemote remote=192.168.0.10 remote-port=514 src-address=0.0.0.0 target=remote
/system logging add topics=dns,!packet action=dnsRemote
I have a simple firewall rule like this:
Code:
/ip firewall filter add chain=input protocol=udp dst-port=53 src-address=!192.168.0.0/24 action=drop
Then in Tools -> Packet Sniffer I hit "Start".
And in MT_Syslog I see a single Chinese IP querying my DNS; the DNS then passes that request on to an outside DNS server and responds with a reply to that IP, which is outside my network.
I wait a bit, then stop the sniffer, download the file, open it in Wireshark, and there is not a single packet containing that outside IP address.
What is going on? I would assume that logging records the packet from the IP asking my DNS for a query, then the firewall would drop that request and it shouldn't be giving a response (i.e. it would not be in the log), but instead it somehow bypasses the firewall, gets logged by the logger, but is not recorded by the sniffing tool.
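A way to check the remote syslog for exactly this, as an added example that is not part of the original post and not MikroTik's own code: a small Python script that parses "query from" lines of the kind the dns topic produces and reports every query whose source address is outside 192.168.0.0/24. The log line format, the sample lines and the hypothetical outside address 203.0.113.77 are constructed assumptions for this example, not copied from the post or from RouterOS documentation. It goes slightly beyond the post by also counting queries per outside source, which is what you want when checking whether the router is answering DNS for clients outside the LAN.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what the remote syslog receiver might hold for the
# "dns" topic. The line format is an assumption for this example, not copied
# from RouterOS documentation or from the forum post.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 192.168.0.1 dns query from 192.168.0.23: #51201 www.example.com. A
Jan 10 12:00:02 192.168.0.1 dns query from 203.0.113.77: #3 isc.org. ANY
Jan 10 12:00:02 192.168.0.1 dns done query: #3 isc.org. ANY
Jan 10 12:00:03 192.168.0.1 dns query from 192.168.0.10: #51202 mail.example.com. MX
Jan 10 12:00:04 192.168.0.1 dns query from 203.0.113.77: #4 isc.org. ANY
Jan 10 12:00:05 192.168.0.1 system,info log rule added by admin
"""

# Only client queries carry "query from <ip>"; replies and other topics do not.
QUERY_RE = re.compile(
    r"dns query from (?P<src>[0-9a-fA-F.:]+): #(?P<qid>\d+) (?P<name>\S+) (?P<qtype>\S+)$"
)


def parse_queries(text):
    """Yield (src_ip, query_id, name, qtype) for every 'query from' line.

    Lines that are not DNS client queries (replies, other topics, noise)
    are skipped instead of breaking the run.
    """
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address field; ignore rather than crash
        yield src, int(m.group("qid")), m.group("name"), m.group("qtype")


def external_queries(text, lan="192.168.0.0/24"):
    """Return the queries whose source address is outside the LAN prefix.

    These are exactly the queries the input-chain drop rule is supposed
    to stop; anything listed here got answered by the router's resolver.
    """
    lan_net = ipaddress.ip_network(lan)
    return [
        (str(src), qid, name, qtype)
        for src, qid, name, qtype in parse_queries(text)
        if src not in lan_net
    ]


def count_by_source(text, lan="192.168.0.0/24"):
    """Number of queries per outside source, most active first."""
    counts = Counter(src for src, _, _, _ in external_queries(text, lan))
    return counts.most_common()


if __name__ == "__main__":
    for src, qid, name, qtype in external_queries(SAMPLE_SYSLOG):
        print(f"outside client {src} asked for {name} {qtype} (id #{qid})")
    for src, n in count_by_source(SAMPLE_SYSLOG):
        print(f"{src}: {n} queries")
```

Point it at the file MT_Syslog writes instead of SAMPLE_SYSLOG and the output is the list of outside addresses you should then expect to find in the sniffer capture; in Wireshark the matching display filter for one of them is ip.addr == 203.0.113.77 && udp.port == 53. Note that the regex only matches the "query from" line, so a source that appears only in reply lines is not counted.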