xr4t3d85
just joined
Topic Author
Posts: 4
Joined: Sun Jul 02, 2017 2:15 pm

IP > Service > winbox/www - Not Able to Use DNS?

Mon Feb 22, 2021 2:42 am

It seems that I have come across a possible issue when trying to use a DNS name in the "Available From" fields. I see that I'm able to use an IP address; why am I not able to use a DNS name instead?
ipservice.png
 
joegoldman
Long time Member
Posts: 580
Joined: Mon May 27, 2013 2:05 am

Re: IP > Service > winbox/www - Not Able to Use DNS?

Mon Feb 22, 2021 6:11 am

Because people don't come 'from' DNS. I suppose you could put a DNS record in there and have it resolve forward at a specific time or at intervals, or it's possible to have it perhaps look up the PTR on an IP to see if it matches that field, but this is used primarily as a 'firewall' to stop auth from other IPs, so it's expecting an IP or subnet.

Having said that, I find this a bad way to limit service ports, as with this it still exposes the actual service to the web and just blocks auth, which means that if an exploit is found to bypass auth you are still in trouble. My suggestion is to always use IP firewall filter rules to lock down service ports.
 
xr4t3d85
just joined
Topic Author
Posts: 4
Joined: Sun Jul 02, 2017 2:15 pm

Re: IP > Service > winbox/www - Not Able to Use DNS?

Mon Feb 22, 2021 3:17 pm

Joe,

Thanks for the insight. I do already use the firewall to filter out those ports; I only use the service ports filter as a secondary. However, with regard to putting my DNS name into the input field, it should be allowed; I just don't see why not. I have a DDNS on my router (my router's IP address might be changing soon to IDK what) and want the remote router to be able to use the new IP address, which is why I wanted to put the DDNS name of my router in that field. Again, this is only used as a secondary. It's not that big of a deal; however, I don't see why this field should discriminate against DNS names being entered into it.
 
tdw
Forum Veteran
Posts: 713
Joined: Sat May 05, 2018 11:55 am

Re: IP > Service > winbox/www - Not Able to Use DNS?

Mon Feb 22, 2021 4:36 pm

It is not trivial to use DNS entries for this (or for src-address / dst-address in firewall rules), as you can't wait until DNS resolution has completed before continuing to process packets.

However, it is possible to use address lists with firewall rules (src-address-list / dst-address-list), which will accommodate the potentially multiple responses from a DNS lookup; the list contents can then be quickly searched during packet processing:
/ip firewall address-list
add address=some.domain.name list=admins
/ip firewall filter
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=!admins
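As an added illustration of the mechanism described in this reply (constructed example, not RouterOS code or the poster's own), the following Python models a DNS-backed address list and the posted rule: the name is resolved out of band into list entries that expire with the DNS TTL, and packets are only ever matched against that list. The TTL-based expiry and the two constructed A records are assumptions for the model.

```python
"""Simplified model of DNS-backed address-list filtering (constructed example,
not RouterOS code): names are resolved out of band into a list whose entries
expire with the DNS TTL, and packets are matched only against that list."""
import ipaddress


class AddressList:
    """list name -> {network: expiry}; expiry None means a static entry."""

    def __init__(self):
        self.entries = {}

    def add_dynamic(self, list_name, address, ttl, now):
        # Assumption: a DNS-derived entry lives for its TTL and must then be
        # re-resolved before the address matches again.
        net = ipaddress.ip_network(address)
        self.entries.setdefault(list_name, {})[net] = None if ttl is None else now + ttl

    def contains(self, list_name, src_ip, now):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net and (exp is None or exp > now)
                   for net, exp in self.entries.get(list_name, {}).items())


def resolve_into_list(lists, list_name, answers, now):
    """Stand-in for the resolver: 'answers' is a constructed DNS result,
    a list of (address, ttl) pairs; every A record becomes a list entry."""
    for address, ttl in answers:
        lists.add_dynamic(list_name, address, ttl, now)


def winbox_filter(lists, src_ip, dst_port, proto, now):
    """Mirror of the posted rule: drop TCP/8291 unless src is in 'admins'.
    Anything else falls through to the implicit accept."""
    if proto == "tcp" and dst_port == 8291 and not lists.contains("admins", src_ip, now):
        return "drop"
    return "accept"


if __name__ == "__main__":
    lists = AddressList()
    # Constructed lookup: the admin's name currently has two A records, TTL 300.
    resolve_into_list(lists, "admins", [("203.0.113.10", 300), ("203.0.113.11", 300)], now=0)
    print(winbox_filter(lists, "203.0.113.10", 8291, "tcp", now=10))   # accept
    print(winbox_filter(lists, "198.51.100.7", 8291, "tcp", now=10))   # drop
    # After the TTL lapses the entry is stale; Winbox is blocked until re-resolution.
    print(winbox_filter(lists, "203.0.113.10", 8291, "tcp", now=400))  # drop
```

The expiry case also shows the gap a DDNS-based allow list has: when the remote router's address changes, the new address is not matched until the next resolution, and the old one keeps matching until its entry expires.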
