Good day, Mikrotik community.
I want to ask an indirect question in hopes that someone can point me to the relevant information, even if it is through PM, so the info does not fall into the wrong hands.
I work for an ISP and we are currently facing an intruder on our network. This "hacker" somehow obtained the passphrase to one of our network towers (without brute-forcing, as logs are clean) and is leveraging that info to gain access to client CPEs. He basically has free roam across the whole network, and as soon as we block his MAC from a certain tower or sector, he simply infiltrates another sector.
In researching some DNSSEC, I came across CVE-2019-3978. This is where my question lies.
Is it possible to somehow use DNS poisoning as an advantage to redirect the intruder to a honeypot when he infiltrates a certain CPE?
As you can imagine this intruder is causing havoc for our company and causing clients to be disconnected from the network.
Unfortunately, my knowledge of Mikrotik is very limited and I cannot seem to find a way to stop this intrusion.