qwertysqwerty
just joined
Topic Author
Posts: 24
Joined: Sun Mar 30, 2014 12:43 am

Correct Firewall Rule for DNS

Wed Nov 19, 2014 12:44 am

Hello, as the title suggests I'm looking for the correct firewall rules to allow the router to perform DNS requests on behalf of the LAN.

So basically, all systems on my LAN use the default gateway (my router) for DNS lookup.

Currently I have UDP port 53 allowed from the LAN address list on the INPUT and OUTPUT chains. I think this should just be OUTPUT though, yes?

I'm seeing an awful LOT of external connections to my WAN interface IP on port 53. I am worried about this.
 
BartoszP
Forum Guru
Posts: 1748
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Correct Firewall Rule for DNS

Wed Nov 19, 2014 1:03 am

Two ways of blocking DNS-attack on WAN:
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp
add action=reject chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp reject-with=icmp-host-unreachable
There is no consensus on whether it is better to DROP or to REJECT, but:
A. DROP makes your router a black hole and the sender terminates the connection after many retries, as there is no response.
B. REJECT generates an outgoing data stream but fools the sender into thinking there is no host, if the sender cares about it, and it stops sending data.

If an attacker is just sending a constant stream of port-53 packets with a false src field, then your router sends packets back to the router which is the real attack destination, so DROP seems to be better.

To block LAN users from asking external DNS servers:
A. your DHCP server should point users to the router as the DNS server
B. the router's DNS should be configured: http://wiki.mikrotik.com/wiki/Manual:IP/DNS
C. the firewall should block port-53 packets, excluding the router as source (assuming 192.168.88.1 as its address)
/ip firewall filter
add action=drop chain=output dst-port=53 out-interface=ether1-gateway protocol=udp src-address=!192.168.88.1
add action=drop chain=output dst-port=53 out-interface=ether1-gateway protocol=tcp src-address=!192.168.88.1
Real admins use real keyboards.
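To sanity-check rules like the ones above before pasting them into a router, here is a small first-match evaluator for that export syntax. It is an added example, not code from the thread or from MikroTik: it models only a few matchers (protocol, interfaces, dst-port, src-address with `!` negation) and the chain's default accept, and the interface names and addresses in the sample packets are constructed.

```python
import ipaddress

# Assumption: a simplified model of RouterOS filter chains. Rules are tried in
# order, the first match decides, and a chain with no matching rule accepts.
DEFAULT_ACTION = "accept"
MATCHERS = ("protocol", "in-interface", "out-interface", "dst-port", "src-address")

def parse_rule(line):
    """Parse one 'add key=value ...' line from an /ip firewall filter export."""
    rule = {"action": "accept"}            # RouterOS default when action is omitted
    for tok in line.split()[1:]:           # skip the leading 'add'
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    for key in MATCHERS:
        want = rule.get(key)
        if want is None:
            continue                       # matcher not used by this rule
        negate = want.startswith("!")
        want = want.lstrip("!")
        if key == "src-address":           # allow a single address or a prefix
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
        else:
            hit = str(pkt[key]) == want
        if hit == negate:                  # matched a negated value, or missed a plain one
            return False
    return True

def evaluate(rules, chain, pkt):
    """Return the action the given chain takes for the packet."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return DEFAULT_ACTION

# The two WAN-side input rules from the post above, parsed as written.
WAN_DNS_RULES = [parse_rule(line) for line in (
    "add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp",
    "add action=reject chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp reject-with=icmp-host-unreachable",
)]

def wan_query(proto="udp"):   # constructed: unsolicited DNS query arriving on the WAN port
    return {"protocol": proto, "in-interface": "ether1-gateway", "out-interface": None,
            "dst-port": 53, "src-address": "203.0.113.7"}

def lan_query(proto="udp"):   # constructed: LAN host asking the router's own resolver
    return {"protocol": proto, "in-interface": "bridge-local", "out-interface": None,
            "dst-port": 53, "src-address": "192.168.88.10"}
```

Feed it your own export lines and a few packets of each kind you care about; a LAN query that comes back as `drop` means the rule order or interface name is wrong before it ever reaches hardware.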
 
coylh
Member Candidate
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Re: Correct Firewall Rule for DNS

Wed Nov 19, 2014 2:58 am

Something like this... allow from lan, drop everything else.

Don't just copy/paste though. :)
/ip firewall filter
add chain=input dst-port=53 in-interface=ether1-lan protocol=udp
add chain=input dst-port=53 in-interface=ether1-lan protocol=tcp
#add action=drop chain=input
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: Correct Firewall Rule for DNS

Wed Nov 19, 2014 8:04 am

I guess tarpit on tcp is better.
 
BartoszP
Forum Guru
Posts: 1748
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Correct Firewall Rule for DNS

Wed Nov 19, 2014 9:25 am

@coylh:
A. You assume that requests are coming only from the ether1-LAN interface and do not care about the other ones, so you need to repeat the rules for each interface.
B. My rules block each device except the router... just the outgoing interface.
C. Yes, I assume that requests are NATed to 192.168.88.1 as source... this should be tuned, but it is just an idea, not full working code.
Real admins use real keyboards.
