 
maxstel
Trainer
Topic Author
Posts: 70
Joined: Fri Jun 18, 2010 1:54 pm

DNS flood answering despite filter rules!

Sat Jul 06, 2013 5:12 pm

Hi everybody,
I would like to share a very strange behavior of filter rules on my router today (RB2011 - ROS 6.1).
Yesterday evening I was flooded for some time by DNS requests. I was out, so I saw it on the graphs and from the logs...
Today a similar thing happened, but I was in front of the monitor...
My router has always had filter rules to drop everything that is unneeded, and I was really surprised to see that the RB2011 was answering DNS requests coming from the internet!!!
Many IPs doing traffic (udp:53) FROM my router!!
I tried many things to understand... even some changes to the filter rules, but nothing happened! It seems that the router simply ignores the rules... If I disable "allow remote requests", of course, the outbound traffic stops... But I need it, so I rebooted the router...
Magically, after the reboot, the same filter rules that before didn't catch UDP packets now work perfectly, and my router doesn't answer DNS requests anymore... I still see the DNS requests through "torch", but there is no answer from my router!

This is the first time I've seen this weird behavior on a MikroTik router, so some explanation would be welcome...

Thanks
Massimo Passerini
STEL S.r.l.
Ferrara - Italy
MikroTik Certified Trainer
 
Zebble
newbie
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: DNS flood answering despite filter rules!

Sat Jul 06, 2013 6:45 pm

We saw exactly the same thing on an RB532 running ROS 6.1. I thought it was a rules issue, but couldn't find the culprit. Refreshed the rules with a new set, rebooted and the problem was gone... I'm now not sure if a simple reboot would have sufficed.
 
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: DNS flood answering despite filter rules!

Sat Jul 06, 2013 7:39 pm

And what about disabling and enabling the needed rule? Would that fix the issue?
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
antoninn
newbie
Posts: 30
Joined: Wed Nov 14, 2007 12:59 pm

Re: DNS flood answering despite filter rules!

Sat Jul 06, 2013 11:50 pm

I had a similar problem. The setup is like this: an application on the internet sends a UDP packet with some data every few seconds to the WAN interface of the MikroTik. The MikroTik contains two NAT rules to dst-nat the incoming packet to the production and development servers in the internal LAN. Only one NAT rule is enabled, so packets are directed to the production server. A few days ago I had to test a new version of the server, so I disabled the dst-nat rule to the production server and enabled the dst-nat rule to the development server. I found that packets were still destined to the production server. The solution was simple - I had to manually delete the appropriate UDP connection in the firewall connection list. After this action packets started to flow to the development server according to the enabled dst-nat rule.
So it seems that UDP connections are somehow resistant to firewall rule changes once they are "established".
I did not make any other experiments regarding this because my primary goal was to test the server.
 
maxstel
Trainer
Topic Author
Posts: 70
Joined: Fri Jun 18, 2010 1:54 pm

Re: DNS flood answering despite filter rules!

Mon Jul 08, 2013 4:36 pm

And what about disabling and enabling the needed rule? Would that fix the issue?
No... It doesn't work... :shock:
Massimo Passerini
STEL S.r.l.
Ferrara - Italy
MikroTik Certified Trainer
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: DNS flood answering despite filter rules!

Mon Jul 08, 2013 4:53 pm

This drops UDP port 53 (DNS request) packets to your router from the internet only.
/ip firewall filter
add chain=input dst-port=53 protocol=udp in-interface=ether1 action=drop

move X 0
Replace ether1 with your WAN interface if that is not it, and the X with the line number of this new rule. That moves it to the top of the rules.

I hear they can use that to poison your dns if it isn't blocked. I don't know for certain.
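Two things in this thread fit together: antoninn's observation that a UDP flow already in the connection list keeps following the old rule until the entry is deleted, and SurferTim's "move X 0", which puts the drop rule above everything else. A common RouterOS layout accepts connection-state=established traffic near the top of the input chain; once one DNS query from the internet has been accepted (because the drop rule was missing, disabled or below the accept), the tracker treats the flow as established and later queries from it skip the drop rule entirely. A router that answers such queries for the whole internet is an open resolver, which is why the flood shows up as udp:53 traffic leaving the router. The Python below is an added model written for this thread, not RouterOS code and not the project's implementation; the 5-tuple tracker, the rule fields and the interface and IP values (ether1, 198.51.100.1, 203.0.113.7) are constructed assumptions. It shows that appending the drop rule changes nothing for the tracked flow, while either moving it to the top or clearing the tracked connection (the effect of deleting the entry, or of a reboot) makes the drop take effect.

```python
from dataclasses import dataclass
from typing import Optional

WAN_IFACE = "ether1"         # assumed WAN interface name, as in the post above
ROUTER_IP = "198.51.100.1"   # constructed router address (documentation range)
CLIENT_IP = "203.0.113.7"    # constructed internet source (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str

    def flow_key(self):
        # The toy connection tracker keys flows by 5-tuple.
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    connection_state: Optional[str] = None   # "new" or "established"

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.connection_state is None
                     or self.connection_state == state))


class InputChain:
    """Input-chain rules plus a simplified connection tracker (assumption).

    As in RouterOS, a packet that matches no rule is accepted. An accepted
    packet creates a tracked connection, and later packets of that flow are
    seen as 'established' even though UDP has no handshake.
    """

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()

    def process(self, pkt: Packet) -> str:
        state = "established" if pkt.flow_key() in self.connections else "new"
        verdict = "accept"                  # default when nothing matches
        for rule in self.rules:             # first matching rule decides
            if rule.matches(pkt, state):
                verdict = rule.action
                break
        if verdict == "accept":
            self.connections.add(pkt.flow_key())
        return verdict

    def flush_connections(self):
        # Same effect as removing the entry from the connection list.
        self.connections.clear()


ACCEPT_ESTABLISHED = Rule("accept", connection_state="established")
DROP_WAN_DNS = Rule("drop", proto="udp", dport=53, in_iface=WAN_IFACE)


def dns_query() -> Packet:
    # Constructed query from the internet to the router's own resolver.
    return Packet("udp", CLIENT_IP, 40123, ROUTER_IP, 53, WAN_IFACE)


def chain_with_flow_already_tracked() -> InputChain:
    # Only the established-accept rule exists (the DNS drop is missing or
    # disabled); one query gets through and the flow is now tracked.
    chain = InputChain([ACCEPT_ESTABLISHED])
    assert chain.process(dns_query()) == "accept"
    return chain


def verdict_after_appending_drop() -> str:
    chain = chain_with_flow_already_tracked()
    chain.rules.append(DROP_WAN_DNS)        # 'add' without 'move': bottom of chain
    return chain.process(dns_query())       # still accepted: established wins


def verdict_after_moving_drop_to_top() -> str:
    chain = chain_with_flow_already_tracked()
    chain.rules.insert(0, DROP_WAN_DNS)     # what 'move X 0' achieves
    return chain.process(dns_query())       # dropped before the state check


def verdict_after_flushing_connections() -> str:
    chain = chain_with_flow_already_tracked()
    chain.rules.append(DROP_WAN_DNS)
    chain.flush_connections()               # delete the entry, or reboot
    return chain.process(dns_query())       # flow is 'new' again: dropped


if __name__ == "__main__":
    print("drop appended  :", verdict_after_appending_drop())
    print("drop moved top :", verdict_after_moving_drop_to_top())
    print("conns flushed  :", verdict_after_flushing_connections())
```

The practical check on a real router is the same as in the model: after changing rules, look at the firewall connection list for udp dst-port 53 entries from the internet; if they are still there, the rule order alone will not stop replies until those entries expire or are removed.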
 
maxstel
Trainer
Topic Author
Posts: 70
Joined: Fri Jun 18, 2010 1:54 pm

Re: DNS flood answering despite filter rules!

Mon Jul 08, 2013 5:14 pm

This drops UDP port 53 (DNS request) packets to your router from the internet only.
/ip firewall filter
add chain=input dst-port=53 protocol=udp in-interface=ether1 action=drop

move X 0
Replace ether1 with your WAN interface if that is not it, and the X with the line number of this new rule. That moves it to the top of the rules.

I hear they can use that to poison your dns if it isn't blocked. I don't know for certain.
Thanks for your tip, but I have a "drop all" rule at the bottom of my filter rules and it works perfectly if RouterOS does its job... as it did after the reboot...

Eventually read my first post...

Thanks...
Massimo Passerini
STEL S.r.l.
Ferrara - Italy
MikroTik Certified Trainer
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: DNS flood answering despite filter rules!

Mon Jul 08, 2013 5:32 pm

I saw your first post. I actually read it. It mentioned nothing of this. I'm just guessing.
http://wiki.mikrotik.com/wiki/Manual:IP ... protection
