innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

DNS remotely available

Mon Aug 29, 2022 3:15 pm

Hi everyone,

After the amazing help of @anav with my previous topic viewtopic.php?p=935867, I am now seeking your guidance once more.

One of the next steps I would like to make with my network setup is to put my ISP modem into bridge mode. The main reason is that the network connection from my Mikrotik router to the ISP seems to mess up over time; a quick reboot fixes the problem again. I was told by my ISP support that moving to bridge mode would certainly fix this issue.

To prepare to move the setup to bridge mode I wanted to check what the current public footprint of my router was. So I ran a couple of NMAP scans from a system connected directly to my ISP modem, and found that port 53 TCP (DNS) was still open. As I did not expect this at all I tried to look for reasons why this might be the case. The firewall is configured with a specific Deny All on the input chain, so this should not happen. I did notice that the DNS setting has "Allow Remote Requests" enabled. I searched on the forums and noticed quite a few posts regarding this topic.

I have tried to disable "Allow Remote Requests", however it ended up screwing up DNS for all clients in the various VLANs. Additionally, when I did disable it, NMAP still indicated that the port remained open. It could be that NMAP is reporting a false positive, but before I make that change to bridge mode I would like to make sure the setup is OK.

So I have two questions:
1. From what I understand from the Mikrotik manuals this DNS option should only affect DNS requests from the outside. So why does it seem to affect the DNS inside the VLANs? Have I messed something up?
2. When I disabled the option, NMAP still indicates the port to be open. Have I misconfigured anything?

Any leads or questions to help get to the bottom of this are highly appreciated.

Attached are the configuration of the RB5009 and CRS326, and a diagram of the network. I would like to note that the "piHole" shown on the network diagram is not there yet!
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS remotely available

Mon Aug 29, 2022 4:19 pm

I have tried to disable the "Allow Remote Requests"

In the context of this option, "remote" refers to anything but the router's internal processes. So this includes LAN computers (DNS server settings don't refer to any interface list or anything). When you allow remote requests, it's up to the firewall filter rules to block requests originating from "remote" (as you refer to it, i.e. from the internet) clients.

Not sure why nmap shows the port as open if you disable the option; the important thing is that requests don't get served. The rest is more or less cosmetics.
 
innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

Re: DNS remotely available

Mon Aug 29, 2022 6:37 pm

Great! Thanks for the clarification @mkx and fast support. That for sure answers my first question!
I verified this just now by manually setting the DNS server on one of the clients (from 10.0.0.1 to 8.8.8.8) after switching off "Allow remote requests", and that indeed does function normally.

I also used the packet sniffer to see what actually happens with incoming DNS requests from a client outside of the Mikrotik network. As you suggested it is indeed cosmetics, and I can report that they are not being responded to, so I assume the firewall is set up OK. Still a little strange why the port is reported open by NMAP. So now it is just me feeling annoyed about why that port is reported open :D. If anyone has any idea what to check next I would happily try that out to stop the inner OCD'er in me.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: DNS remotely available  [SOLVED]

Mon Aug 29, 2022 8:04 pm

Don't quote me on this, but I guess that the normal response of the IP stack to a packet targeting a port not used by any service would be a reply with ICMP type 3 code 3 (Destination port unreachable), which usual port scanners interpret as a closed port. OTOH a firewalled port will either simply drop the incoming packet if action=drop (making the scanner time out and conclude that the port is open somehow) or send back ICMP type 3 code 13 (Communication administratively prohibited) if action=reject ... or some such.

The DNS service, configured with allow-remote-requests=no, simply doesn't bind to external router interfaces and the IP stack can return the "port unreachable". If the DNS service is configured to allow remote requests but is firewalled, then remote scanners will explore the firewall behaviour.
 
innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

Re: DNS remotely available

Mon Aug 29, 2022 8:26 pm

I think you are on to something @mkx. I just realized I was using my work laptop to scan the router from. I believe they are using a Cisco Umbrella setup that captures all DNS requests to the local loopback. NMAP therefore receives an ACK on the scan and therefore reports it as open with reason syn-ack. So that is definitely a false positive there.

If I scan from an RPi connected to that same network I see a Filtered result with reason no-response. I also tried that with the option disabled, but I got the same result (Filtered, reason no-response). So it is still detected, even though it should completely not be there. I even tried to reboot the router after making the switch, but no difference.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS remotely available

Mon Aug 29, 2022 8:41 pm

What you originally described is not possible; it must show as filtered. Your firewall allows connections only from in-interface-list=VLAN and in-interface=BASE_VLAN (and the latter is not really needed, because the BASE_VLAN interface is also in the VLAN list, so it is already allowed by the previous rule). So if you're testing this using a machine connected to ether1, it can't pass, because ether1 is not in the VLAN list. And if you didn't have a firewall (or it allowed connections to tcp/53), then when you disable "Allow Remote Requests", it would show as closed.
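The firewall shape Sob describes, together with mkx's point that allow-remote-requests must stay on for LAN clients and that drop versus reject decides what a scanner sees, as an added RouterOS configuration example. This is not the poster's attached config; the WAN interface name ether1 and the interface list name VLAN are assumed from the thread, and the verification commands at the end are the checks a defender would run after the change.

```routeros
# Added example, not the poster's attached configuration.
# Assumptions: WAN is ether1; interface list "VLAN" contains every client
# VLAN (including BASE_VLAN); clients use the router (10.0.0.1) for DNS.

# "remote" here means anything outside the router's own processes, so LAN
# clients need this flag on. Internet exposure is decided by the input
# chain below, not by this setting.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Replies to the router's own upstream DNS queries and other return traffic
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid"

# Serve DNS (and other router services) only to the client VLANs.
# One rule on the list is enough: a separate in-interface=BASE_VLAN accept
# is redundant once BASE_VLAN is a member of the VLAN list.
add chain=input action=accept in-interface-list=VLAN \
    comment="accept input from VLAN list (covers BASE_VLAN)"

# Final rule decides what an external scanner observes on tcp/53:
#   action=drop   -> no packet back, nmap shows "filtered" (no-response)
#   action=reject reject-with=icmp-admin-prohibited
#                 -> ICMP type 3 code 13, still "filtered", but it
#                    confirms that a host is present
# Drop is the usual choice on the WAN side.
add chain=input action=drop in-interface=ether1 \
    comment="drop everything else from WAN"

# Verification after a scan from the WAN side:
# 1. the drop rule's packet counter should rise, the accept rules' should not
/ip firewall filter print stats where comment="drop everything else from WAN"
# 2. no DNS answers should leave ether1 (only the inbound probes are seen)
/tool sniffer quick interface=ether1 port=53
```

Run the scan without -Pn from a host that is not behind a DNS interceptor such as Cisco Umbrella, otherwise the local loopback resolver answers the probe and nmap reports a false "open".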
 
innidael
just joined
Topic Author
Posts: 8
Joined: Sun Feb 19, 2017 10:55 pm

Re: DNS remotely available

Mon Aug 29, 2022 8:53 pm

It probably was because I used the switch -Pn, which forces NMAP to treat the system as available. Scanning without it shows the system is most likely down due to all the filtered no-response answers. At least that is from the RPi point of view. From my work laptop it actually received a syn-ack response, but that was surely the result of the local DNS service on the loopback, so a false positive.

Thank you for the help :)
