Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

RouterOS can't use ingress port 53  [SOLVED]

Tue Jan 10, 2023 9:39 pm

Hello,


If anyone can help please do. Several MikroTik routers I manage can't seem to get a socket connection to port 53. The production application would be a DNS server behind NAT where the WAN connection is the PPPoE interface (but I haven't got that far because of this problem).

I tried to set up a test router to experiment with different configurations. The one posted here is as simple as I could make it to prove that I still can't make any connections to port 53 from the internet, and the router doesn't even count the attempts in the firewall. I know for a fact the ISP doesn't filter or throttle or otherwise manipulate the internet connection. I think I'm overlooking something simple, I just can't see it and I'm out of ideas at this point. I tested other versions of RouterOS going back to 6.33.6 - same issue. If I change the port attempts to 52 or 54, there's no problem.


Here's the test config which shows no filters counting my port 53 TCP or UDP connection attempts:

[admin@TestTik] > export
# jan/10/2023 13:06:00 by RouterOS 7.6
# software id = 7***-****
#
# model = RB750
# serial number = 2F**********
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=\
    pppoe-out1 use-peer-dns=yes user=testlogin@isp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes \
    log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes \
    log-prefix=-mydns protocol=udp
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
add action=log chain=input dst-port=53 log-prefix="PORT 53 TCP HIT" protocol=\
    tcp
add action=log chain=input dst-port=53 log-prefix="PORT 53 UDP HIT" protocol=\
    udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=TestTik
/system leds
add interface=pppoe-out1 leds="" type=interface-activity
/system routerboard settings
set boot-device=nand-only
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 9:58 pm

Change the in-interface to "pppoe-out1" ?
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 10:17 pm

Change the in-interface to "pppoe-out1" ?
I made the suggested change, counters still at 0 when I tried with PuTTY using telnet to port 53:


# jan/10/2023 15:13:32 by RouterOS 7.6
# software id = 7***-****
#
# model = RB750
# serial number = 2F**********
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=\
    pppoe-out1 use-peer-dns=yes user=testlogin@isp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=udp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward
add action=accept chain=output
add action=log chain=input dst-port=53 log-prefix="PORT 53 TCP HIT" protocol=tcp
add action=log chain=input dst-port=53 log-prefix="PORT 53 UDP HIT" protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=TestTik
/system leds
add interface=pppoe-out1 leds="" type=interface-activity
/system package update
set channel=testing
/system routerboard settings
set boot-device=nand-only
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:04 pm

Confusing post.
Forgetting about the config,
What are your requirements, based on users, traffic flow they need to have or not to have with respect to DNS.
A viable solution will pop out from well stated requirements.
The only issue here is that you don't understand how DNS works or ROS works or both............. and chasing a config is needlessly challenging without understanding the why.........

Ensure you add any network context like self supplied PI servers and where they reside.........
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:12 pm

Confusing post.
Forgetting about the config,
What are your requirements, based on users, traffic flow they need to have or not to have with respect to DNS.
A viable solution will pop out from well stated requirements.
The only issue here is that you don't understand how DNS works or ROS works or both............. and chasing a config is needlessly challenging without understanding the why.........

Ensure you add any network context like self supplied PI servers and where they reside.........

LoL, of course I'm here because I don't understand something. Here's simpler language for you: I want to make a DNS server off my PPPoE connection. The number of users doesn't matter, traffic flow doesn't matter. I just need responses from port 53 to work through the MikroTik router.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:24 pm

For starters, push those 2 rules with action=log above similar rules with action=accept. Firewall rules are evaluated top-to-bottom and the first matching rule executes. Rules with action=accept or action=drop also stop processing of rules. So the way you have them now, the log rules will not execute for packets ingressing through the PPPoE interface because matching packets trigger execution of the accept rules above.

Does the connection work from LAN? From the firewall point of view either (LAN and PPPoE) should work, you actually don't have anything in the firewall blocking any connection to the router itself ... which also means the device can be easily hacked from the internet. So if connecting to the DNS service on the router works from LAN but doesn't from the internet, then your ISP doesn't offer internet lines as transparent as you were made to believe.
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:46 pm

Why would anyone open up port 53 on the input chain or port-forward port 53 to the LAN side.........
Sounds like security breach to me........

In other words your firewall rules are not worthy of commenting upon and port 53 is the least of your problems.


Fixed for you........
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN


Output chain is rarely needed and not included here.

You are missing many other components of a config and it's no wonder nothing is working............
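
As an added example that is not part of the thread: a small Python model of RouterOS first-match firewall evaluation. It covers mkx's point above (an action=log rule placed below a matching action=accept rule never fires, so its counter stays at 0) and anav's default-config style input chain, extended with the one rule a DNS server on the router itself would need, an accept for dst-port 53 from the WAN interface placed before the final drop. The interface names (pppoe-out1 as WAN, ether2 to ether5 as the LAN list), the simplified matcher and the sample packets are assumptions made for this illustration, not anything from the posts.

```python
"""RouterOS-style first-match firewall model (added example, not code from the thread).

Rules are checked top to bottom. The first matching rule whose action is accept
or drop ends processing; action=log matches, writes a log line and lets the
packet fall through to the next rule. Interface names, the LAN interface-list
members and the sample packets are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TERMINATING = {"accept", "drop"}                     # actions that stop processing
LAN_LIST = {"ether2", "ether3", "ether4", "ether5"}  # assumed /interface list LAN members
WAN_IFACE = "pppoe-out1"                             # assumed WAN interface name


@dataclass
class Packet:
    in_iface: str
    protocol: str                   # "tcp" | "udp" | "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"         # new | established | related | untracked | invalid


@dataclass
class Rule:
    action: str
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    in_iface_list: Optional[str] = None
    conn_state: Optional[FrozenSet[str]] = None
    comment: str = ""
    counter: int = 0                # packets matched, like the counter column in WinBox

    def matches(self, p: Packet) -> bool:
        return ((self.protocol is None or p.protocol == self.protocol)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.in_iface is None or p.in_iface == self.in_iface)
                and (self.in_iface_list != "LAN" or p.in_iface in LAN_LIST)
                and (self.conn_state is None or p.conn_state in self.conn_state))


def run_chain(rules: List[Rule], p: Packet, log: List[str]) -> str:
    """Verdict for one packet; with no terminating match RouterOS accepts by default."""
    for r in rules:
        if not r.matches(p):
            continue
        r.counter += 1
        if r.action == "log":
            log.append(f"{r.comment}: {p.protocol} in:{p.in_iface} dst-port:{p.dst_port}")
            continue                # log never ends processing
        if r.action in TERMINATING:
            return r.action
    return "accept"


def chain_as_posted() -> List[Rule]:
    """Same order as the export in the thread: accept rules first, log rules last."""
    return [
        Rule("accept", "tcp", 53, in_iface=WAN_IFACE, comment="-mydns tcp"),
        Rule("accept", "udp", 53, in_iface=WAN_IFACE, comment="-mydns udp"),
        Rule("accept", in_iface=WAN_IFACE, comment="accept everything from WAN"),
        Rule("log", "tcp", 53, comment="PORT 53 TCP HIT"),
        Rule("log", "udp", 53, comment="PORT 53 UDP HIT"),
    ]


def logs_first(rules: List[Rule]) -> List[Rule]:
    """Move action=log rules to the top so they see packets before any accept/drop."""
    return [r for r in rules if r.action == "log"] + [r for r in rules if r.action != "log"]


def hardened_input_chain() -> List[Rule]:
    """Default-config style input chain plus the one exception a DNS server on the
    router itself needs: accept dst-port 53 from WAN placed *before* drop-all."""
    return [
        Rule("accept", conn_state=frozenset({"established", "related", "untracked"}),
             comment="defconf: accept established,related,untracked"),
        Rule("drop", conn_state=frozenset({"invalid"}), comment="defconf: drop invalid"),
        Rule("accept", "icmp", comment="defconf: accept ICMP"),
        Rule("accept", in_iface_list="LAN", comment="accept LAN"),
        Rule("accept", "udp", 53, in_iface=WAN_IFACE, comment="DNS udp from WAN"),
        Rule("accept", "tcp", 53, in_iface=WAN_IFACE, comment="DNS tcp from WAN"),
        Rule("drop", comment="drop all else"),
    ]


def evaluate(rules: List[Rule], packets: List[Packet]):
    """Run packets through a chain; return (verdicts, log lines, per-rule counters)."""
    log: List[str] = []
    verdicts = [run_chain(rules, p, log) for p in packets]
    return verdicts, log, [r.counter for r in rules]


if __name__ == "__main__":
    dns = Packet(WAN_IFACE, "udp", 53)
    print(evaluate(chain_as_posted(), [dns]))              # log counters stay 0
    print(evaluate(logs_first(chain_as_posted()), [dns]))  # "PORT 53 UDP HIT" fires
    print(evaluate(hardened_input_chain(), [dns, Packet(WAN_IFACE, "tcp", 8291),
                                            Packet("ether2", "tcp", 8291)]))
```

Two things the model makes visible. First, a zero counter on a log rule below an accept rule proves nothing about whether packets arrive; only a rule above every terminating rule (or a rule that is the only match) is a usable probe. Second, the hardened chain still drops WinBox (8291), SSH and everything else from WAN while letting port 53 through, which is the difference between "host a DNS server" and "expose the router". If the real design is a DNS server behind NAT rather than on the router, the exception belongs in the forward chain instead (anav's accept for connection-nat-state=dstnat plus a dstnat rule), and the input chain keeps its drop-all. Note also that RouterOS's own resolver answers on port 53 only if /ip dns allow-remote-requests=yes, which together with an input accept from WAN makes it the open resolver R1CH warns about.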
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 2:39 pm

For starters, push those 2 rules with action=log above similar rules with action=accept. Firewall rules are evaluated top-to-bottom and the first matching rule executes. Rules with action=accept or action=drop also stop processing of rules. So the way you have them now, the log rules will not execute for packets ingressing through the PPPoE interface because matching packets trigger execution of the accept rules above.

Does the connection work from LAN? From the firewall point of view either (LAN and PPPoE) should work, you actually don't have anything in the firewall blocking any connection to the router itself ... which also means the device can be easily hacked from the internet. So if connecting to the DNS service on the router works from LAN but doesn't from the internet, then your ISP doesn't offer internet lines as transparent as you were made to believe.


I put the rules at the top:
/ip firewall filter
add action=log chain=input dst-port=53 in-interface=pppoe-out1 log-prefix=\
    "PORT 53 TCP HIT" protocol=tcp
add action=log chain=input dst-port=53 in-interface=pppoe-out1 log-prefix=\
    "PORT 53 UDP HIT" protocol=udp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes \
    log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes \
    log-prefix=-mydns protocol=udp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward
add action=accept chain=output

Connections to port 53 always work on the LAN. In fact if I set up a NAT port forward, if the outside port is 52 or 54 and the inside port is 53, the connection always works. Yes, the device is not secured and hackable. This config is only for demonstrating the problem with port 53. I'm not posting my production config. As for the ISP not being transparent? I've spoken with the network engineer who built the network and have been advised at length that there is no filtering. Further to that, I was given an IP address of another user in my CIDR block that does have a working DNS server using port 53 on the same network I'm on at my ISP. dig / nslookup queries to that IP still work as of this posting.

Here's a winbox showing no packets received for port 53:
[attachment not included]
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 2:44 pm

Why would anyone open up port 53 on the input chain or port-forward port 53 to the LAN side.........
Sounds like security breach to me........

In other words your firewall rules are not worthy of commenting upon and port 53 is the least of your problems.


Fixed for you........
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN


Output chain is rarely needed and not included here.

You are missing many other components of a config and it's no wonder nothing is working............
People would open up port 53 for the purpose of running an Authoritative DNS server. ( https://en.wikipedia.org/wiki/Name_server ) This is my purpose as I've stated before. Your fix of using the default mikrotik configuration that comes with the router also doesn't work. I've omitted it for the sake of simplicity here, that's why my config has no firewall rules. Also, everything is working, its just port 53 TCP / UDP out of all the 65535 ports that is not working for me.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 4:54 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 5:00 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.

I've thought so too. I'm testing from within the ISP network using the same subnet. Client / server connection not working with the MikroTik. But I can query another IP in the same subnet who is running a DNS server without a MikroTik router. No filtering going on here.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 5:09 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.
I am one of those many.
If the customer has enough knowledge to get a DNS server online, with all the bells and whistles that go with that,
they're also able to use a VPN on remote devices to access that DNS resolver (or NAT port 53 to some other port on both sides)...
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 8:55 pm

I'll phrase my thought this way: ROS doesn't have any hidden default firewall rules. So if you don't see any rule blocking port 53 from WAN, then it's not MikroTik blocking it.

As a few already mentioned: ISPs often block port 53 even if they don't block other ports (another quite "popular" one is UDP port 123). If I were you, I'd ask my ISP about it. Good luck getting an honest and accurate response though.
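
The check the last few posts turn on (is the router dropping port 53, or is something upstream?), as an added example that is not from the thread: a Python probe that builds a DNS query by hand, sends it over UDP and TCP with a timeout, and classifies the result. Run against the router's public address and against a known-working DNS server in the same subnet, as the thread's author did, it separates a silent drop (firewall or ISP filter: timeout) from a closed port (the host's stack answers with RST or ICMP unreachable, so the path is not filtered) and from a server that actually answers. It also flags a recursive answer for a name the server is not authoritative for, which is the open-resolver case behind R1CH's reflection warning. The target address comes from the command line; the query name and the sample reply bytes used in the offline check are constructed for illustration.

```python
"""DNS reachability and open-resolver probe (added example, not code from the thread).

Hand-builds a DNS query, sends it over UDP and TCP, and classifies the outcome so
"answered", "refused", "port closed" and "silently dropped" can be told apart.
Query name and sample replies are constructed; the target IP is a CLI argument.
"""
import socket
import struct
from typing import Optional, Tuple

TYPE_A = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS IN (RFC 1035)."""
    flags = 0x0100 if rd else 0x0000          # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data: bytes) -> dict:
    """Decode the header fields a reachability check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an}


def classify(outcome: str, data: Optional[bytes], txid: int) -> str:
    """Turn (transport outcome, raw reply) into the statement the operator wants."""
    if outcome == "timeout":
        return "no reply: dropped by firewall, filtered upstream, or nothing listening"
    if outcome == "refused":
        return "port closed: host answered with RST/ICMP, so the path is not filtered"
    if outcome != "reply":
        return f"transport error ({outcome})"
    h = parse_header(data)
    if not h["qr"] or h["id"] != txid:
        return "reply is not a DNS response to our query"
    if h["rcode"] == "REFUSED":
        return "reachable, REFUSED: server up, policy denies this query"
    if h["ra"] and h["ancount"] and not h["aa"]:
        return "reachable, recursive answer: OPEN RESOLVER (reflection/amplification risk)"
    return f"reachable, {h['rcode']} ancount={h['ancount']} aa={h['aa']}"


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full message")
        buf += chunk
    return buf


def query_udp(host: str, port: int, payload: bytes, timeout: float = 3.0) -> Tuple[str, Optional[bytes]]:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            return "reply", s.recv(4096)
        except socket.timeout:
            return "timeout", None
        except ConnectionRefusedError:        # ICMP port unreachable surfaced by the kernel
            return "refused", None


def query_tcp(host: str, port: int, payload: bytes, timeout: float = 3.0) -> Tuple[str, Optional[bytes]]:
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 section 4.2.2)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(payload)) + payload)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            return "reply", _recv_exact(s, length)
    except ConnectionRefusedError:
        return "refused", None
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError as e:
        return f"error: {e}", None


def probe(host: str, name: str = "example.com", port: int = 53) -> dict:
    """Probe one host over both transports with a name it is unlikely to be authoritative for."""
    txid = 0x1234
    q = build_query(name, txid=txid)
    return {t: classify(*f(host, port, q), txid) for t, f in (("udp", query_udp), ("tcp", query_tcp))}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:              # e.g. the router's WAN IP and a neighbour's DNS server
        print(target, probe(target))
```

Run it twice from a host outside the router: once against the router's WAN address and once against the neighbouring server that is known to work. If the neighbour answers and the router times out on both transports while its firewall counters stay at zero, the packets are not reaching the router and the ISP's claim of no filtering is what needs re-checking; if the router returns "port closed" the path is clear and the problem is the service, not the network. A "recursive answer" result against your own server is the thing to fix before exposing it, by turning recursion off or restricting it to the LAN.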
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 11:16 pm

Here locally the ISP hard codes the blocking inbound pinging on the home hub modem/router they provide. Hence one of the reasons I used their business modem instead.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 11:22 pm

I block 53 & Co. right after my edge router...
If the user wants to open his home or office to the world, he must sign an agreement
according to which, if for some reason he is the target of some attack (or generates some attack),
his service is immediately blocked and he must pay the damages...

(although in reality he can only ask, after renting a static public IP instead of having a dynamic public IP, for ports like
20, 21, 22, 23, 80, 443, etc.
but not, just for example:
0, 53, 67, 68, 111, 123, 135, 137, 138, 139, 161, 445, 1433, 1900, 3389, 5678, 8291, 20561, etc.
and ports of this type)
 
Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 9:33 pm

Thanks for the comments guys. Indeed the ISP side had it accidentally blocked. The problem has been resolved and it was definitely not the RouterOS.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 10:11 pm

[…] accidentally […]

What??? Seriously???

No comment...
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 11:56 pm

I think the ISP knew what a dangerous game you are playing with hosting port 53 on the WAN side and blocked you for your own good LOL
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 11:58 pm

Once again MKX and REXTENDED are bang on, and the OP is a fail, believing ISP technicians and not IT and MT experts................................
Why bother coming here at all...........
