Create a firewall rule on the input chain to DROP port 53 TCP and 53 UDP on traffic incoming on the WAN interface.

I have an RB1100AH core router (PPPoE concentrator) and enabled "Allow remote requests" in DNS...
The router has a static public IP address; customers have dynamic public IPs.
Is there a reasonable cause to block DNS requests from the outside world, and if so, what is the most effective solution for that?
I suppose a firewall filter; is there any sample code for a 100% block of that on the core router, and on the customers' MTs as well?
TNX
Because the attacker doesn't know that you have made such rules. Once he sees you have stopped responding he will stop trying to abuse you. No new ones will repeat it, because they will just run a test on you and then search for some other open DNS server.
I applied the above commands but all my clients were unable to resolve thereafter; it only worked when I excluded the public name servers included in my IP > DNS setting. I am using my MikroTik as the DNS server for my clients. Is this normal behaviour? Because I am not seeing the filter catching anything yet.
I want to block access to the MikroTik DNS from outside; however, once I apply the rule indicated above my local users (behind the MikroTik) are unable to browse (i.e. they are not able to resolve a name but can ping outside). So what am I doing wrong?

To block or not to block? ....
If you serve DNS from the WAN side for your clients then you have an open DNS server which is vulnerable to DNS DDoS.
Do you mean the bottom 2 rules will not let the users browse if they are on Google DNS?

Check it tomorrow. At least the DNS server utilisation should be low immediately. The last two rules just prevent the inner devices from talking with other outer DNS servers, but they are not effective as they are below the general accepting rule for outbound traffic. It depends on you whether you want to allow it or not.
/ip firewall filter
# input chain: queries aimed at the router's own resolver that arrive on the WAN port (ether8)
add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop
# forward chain: DNS passing through the router toward any interface other than the WAN port
add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether8 action=drop
Sorry - but what does this mean?

WAN means the Internet interface (the one with the public IP address on it).

My WAN is ether8 and my PPPoE port is ether3.
PPPoE port is ether3

Okay - so use in-interface=!pppoe-interface (not ether3, but pppoe1-out or whatever its name may be in your configuration).
/ip firewall address-list
# x.x.x.x/m: the customer address block(s) that are allowed to query the router's DNS
add list=dnsClients address=x.x.x.x/m
So basically, accept the connections coming from the PPPoE ether3 port, only allow the address-list IP blocks to access port 53, and drop the rest of the IPs.

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 action=accept
add chain=input protocol=icmp action=accept
# the list name must match the one created under /ip firewall address-list (dnsClients);
# DNS also uses TCP 53, so an equivalent protocol=tcp rule is needed as well
add chain=input protocol=udp dst-port=53 src-address-list=!dnsClients action=drop
Blocking DNS requests that are not explicitly allowed is a good practice. It will keep your router's DNS cache from filling up with unexpected queries and it will preserve your bandwidth for your customers instead of public entities.

Assuming your concentrator sits fully between your customers and the internet...

To block all external access to your concentrator DNS relay coming from ether1 add the following to the firewall (adjust ether1 as appropriate to your upstream ether port):

/ip firewall filter
# input chain: queries for the router's own resolver arriving on the upstream port
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

Then, to protect your customer MTs which may be publicly accessible and also running DHCP relay add the following to the concentrator (again adjust ether1 as appropriate to your upstream ether port):

/ip firewall filter
# forward chain: DNS going out any interface other than the upstream port, i.e. toward customers
add chain=forward protocol=udp dst-port=53 out-interface=!ether1 action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether1 action=drop

The above will not prevent your customers from using any external publicly accessible DNS server outside your network. Unless you are prohibiting your customers from access to certain sites and need to control DNS responses, there is no reason to block those tech-savvy customers from choosing their own upstream DNS servers. If you do want to maintain dictatorship control over DNS queries that your customers make, you would need the following rule added to capture and redirect all customer DNS queries to the local concentrator, regardless of DNS server settings on the client side:

/ip firewall nat
# redirect without to-ports keeps dst-port 53, so the query lands on the router's own resolver
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether1 action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether1 action=redirect
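Putting the address-list approach from the earlier post and the concentrator rules in this answer together, here is a complete, ordered ruleset as an added example; it is not something posted in the thread. It assumes ether1 is the upstream port, that customers arrive as PPPoE sessions handled by the default PPP profile, and that 10.0.0.0/8 is the customer pool; the names WAN, CUSTOMERS, dnsClients and dnsProbes are invented for the example. It goes one step beyond the thread's rules by recording and logging the outside sources that still hit port 53, which is how you confirm the block is actually catching something.

```routeros
# Added example, not from the thread. Assumptions: ether1 is upstream,
# customers are PPPoE sessions on the default profile, 10.0.0.0/8 is the
# customer pool. WAN, CUSTOMERS, dnsClients, dnsProbes are invented names.

/ip dns
set allow-remote-requests=yes

# Interface lists keep the rules valid across dynamic PPPoE session
# interfaces: each session is added to CUSTOMERS through the profile.
/interface list
add name=WAN
add name=CUSTOMERS
/interface list member
add list=WAN interface=ether1
/ppp profile
set default interface-list=CUSTOMERS

/ip firewall address-list
add list=dnsClients address=10.0.0.0/8 comment="customer pool (assumed)"

/ip firewall filter
# Order matters: a DNS rule placed below a broad accept never matches.
# 1) Replies to the router's own upstream lookups are established/related
#    in connection tracking, so this accept is what keeps the resolver
#    working for customers once the drops below are in place.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# 2) Only customer sessions sourced from the customer pool may query.
add chain=input protocol=udp dst-port=53 in-interface-list=CUSTOMERS src-address-list=dnsClients action=accept
add chain=input protocol=tcp dst-port=53 in-interface-list=CUSTOMERS src-address-list=dnsClients action=accept
# 3) Anything else reaching port 53 is an outsider. add-src-to-address-list
#    and log are pass-through actions, so the packet still reaches the drop.
add chain=input protocol=udp dst-port=53 action=add-src-to-address-list address-list=dnsProbes address-list-timeout=1d comment="sources probing the resolver"
add chain=input protocol=udp dst-port=53 limit=5,10:packet action=log log-prefix="DNS-WAN-DROP"
add chain=input protocol=udp dst-port=53 action=drop
add chain=input protocol=tcp dst-port=53 action=drop
# 4) Customer MTs with their own relay exposed: drop new DNS sessions that
#    arrive from upstream and would be forwarded toward the customer side.
add chain=forward connection-state=new protocol=udp dst-port=53 in-interface-list=WAN action=drop
add chain=forward connection-state=new protocol=tcp dst-port=53 in-interface-list=WAN action=drop

# 5) Optional, staged disabled: force every customer query onto the local
#    resolver regardless of the client's DNS settings (the answer's last option).
/ip firewall nat
add chain=dstnat in-interface-list=CUSTOMERS protocol=udp dst-port=53 action=redirect disabled=yes
add chain=dstnat in-interface-list=CUSTOMERS protocol=tcp dst-port=53 action=redirect disabled=yes
```

After applying it, `/ip firewall filter print stats` shows the packet counters per rule, `/ip firewall address-list print where list=dnsProbes` lists every outside address that hit port 53 in the last day, and `/log print where message~"DNS-WAN-DROP"` shows the rate-limited log entries; if the drop counters stay at zero while the resolver is still busy, a broader accept rule is sitting above these and has to be moved below them.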