KenSanta
just joined
Topic Author
Posts: 5
Joined: Thu Apr 28, 2016 8:28 pm

DNS

Thu Apr 28, 2016 8:41 pm

Hi everyone, I would like my router to stop all the DNS traffic coming from my clients so that it does not reach my ISP. Any idea?
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: DNS

Thu Apr 28, 2016 8:58 pm

To just block it:

/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop

To intercept it and redirect it to your own server:

/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER

To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/

EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
KenSanta
just joined
Topic Author
Posts: 5
Joined: Thu Apr 28, 2016 8:28 pm

Re: DNS

Wed May 04, 2016 7:30 pm

Hi, thanks for the assist, but it doesn't work!

:shock:

To just block it:

/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop

To intercept it and redirect it to your own server:

/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER

To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/

EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: DNS

Wed May 04, 2016 9:10 pm

Make sure these block rules / NAT rules appear in the right order in your chains.

If you added the block rule, for instance, and this rule comes after a rule that allows all traffic outbound on the WAN interface, then the block rule is never going to be reached.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
config
just joined
Posts: 15
Joined: Sat Nov 28, 2015 10:04 pm

Re: DNS

Thu May 05, 2016 2:51 am

add this to the rule
place-before=0
 
KenSanta
just joined
Topic Author
Posts: 5
Joined: Thu Apr 28, 2016 8:28 pm

Re: DNS

Thu May 05, 2016 12:16 pm

Hi, I have realized that it has blocked only the wireless connection, but LAN is still getting through!? :? :?

To just block it:

/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop

To intercept it and redirect it to your own server:

/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER

To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/

EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).
 
KenSanta
just joined
Topic Author
Posts: 5
Joined: Thu Apr 28, 2016 8:28 pm

Re: DNS

Fri May 06, 2016 11:33 am

ZeroByte,
Hey, that really worked, thanks a lot man. Now I still need your help: nowadays my ISP redirects accounts to quarantine if they find that your DNS traffic is high :( Any solution to avoid quarantine?

Thanks.

Hi, I have realized that it has blocked only the wireless connection, but LAN is still getting through!? :? :?

To just block it:

/ip firewall filter add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop

To intercept it and redirect it to your own server:

/ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-address=IP.OF.DNS.SERVER

To force proxy resolver on the Mikrotik itself:
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
-----> be sure that your input chain blocks new DNS connections incoming on the WAN interface. Test this with http://openresolver.com/

EDIT: if enforcing that DNS queries go to some internal host, be sure that the internal host itself is exempted from the above rules with an accept rule for DNS traffic from its/their IP address(es).
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: DNS

Fri May 06, 2016 8:41 pm

If you force the local users to use the Mikrotik as their resolver, then the Mikrotik will cache most lookups so any burst of traffic will only get cached replies and not send them to the ISP.

chain=dstnat protocol=udp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=udp dst-port=53 in-interface=WLAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=WLAN action=redirect

Also, set RP Filter to strict in /IP Settings so that if a LAN workstation is a member of a botnet, spoofed-source DNS queries will not be answered.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
KenSanta
just joined
Topic Author
Posts: 5
Joined: Thu Apr 28, 2016 8:28 pm

Re: DNS

Sat May 07, 2016 8:27 pm

Hi Byte,

I have done that, but all the machines lose internet.
:shock:

If you force the local users to use the Mikrotik as their resolver, then the Mikrotik will cache most lookups so any burst of traffic will only get cached replies and not send them to the ISP.

chain=dstnat protocol=udp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=LAN action=redirect
chain=dstnat protocol=udp dst-port=53 in-interface=WLAN action=redirect
chain=dstnat protocol=tcp dst-port=53 in-interface=WLAN action=redirect

Also, set RP Filter to strict in /IP Settings so that if a LAN workstation is a member of a botnet, spoofed-source DNS queries will not be answered.
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: DNS

Mon May 09, 2016 5:26 pm

You must have DNS servers configured for the Mikrotik itself in /ip dns.
You must also enable "allow remote requests" in order for this redirection to work.

Of course, make sure that the WAN interfaces block DNS queries.

You can test your configuration by entering your public IP address into this test site:
http://openresolver.com/
When given a spoon,
you should not cling to your fork.
The soup will get cold.
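The full procedure ZeroByte describes across the thread (force clients through the router's caching resolver, close that resolver toward the Internet, keep the rules ahead of any permissive ones, strict RP filtering), assembled into one RouterOS configuration. This is an added example, not a configuration posted in the thread. It assumes the interfaces are named WAN, LAN and WLAN as in the posts above, and uses placeholder addresses from the 192.0.2.0/24 documentation range for the upstream resolvers (192.0.2.53, 192.0.2.54) and for the optional internal DNS server (192.0.2.10).

```routeros
# Added example, not from the thread. Assumed interface names: WAN, LAN, WLAN.
# 192.0.2.x addresses are placeholders (documentation range), replace them.

# 1. The router needs its own upstream resolvers and must answer client queries.
#    Without both, redirected lookups time out and every machine "loses internet".
/ip dns set servers=192.0.2.53,192.0.2.54 allow-remote-requests=yes

# 2. allow-remote-requests exposes the resolver on every interface, so refuse
#    UDP/TCP 53 arriving from the Internet. place-before=0 puts each rule at the
#    top of the input chain so an earlier "accept everything" rule cannot shadow it.
/ip firewall filter
add chain=input in-interface=WAN protocol=udp dst-port=53 action=drop comment="no DNS from Internet" place-before=0
add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from Internet" place-before=0

# 3. Safety net: drop any client DNS that would still be forwarded straight to
#    the ISP. Normally the dstnat redirect below catches it first. Also placed at
#    the top so a generic forward-accept rule cannot shadow it.
add chain=forward in-interface=LAN protocol=udp dst-port=53 connection-state=new action=drop comment="no direct DNS to ISP" place-before=0
add chain=forward in-interface=LAN protocol=tcp dst-port=53 connection-state=new action=drop comment="no direct DNS to ISP" place-before=0
add chain=forward in-interface=WLAN protocol=udp dst-port=53 connection-state=new action=drop comment="no direct DNS to ISP" place-before=0
add chain=forward in-interface=WLAN protocol=tcp dst-port=53 connection-state=new action=drop comment="no direct DNS to ISP" place-before=0

# 4. Hijack client DNS (UDP and TCP) to the router's own resolver. One pair of
#    rules per client-facing interface; the thread needed both LAN and WLAN.
#    The ISP then only sees the router's cache misses, not every client query.
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect comment="DNS -> router"
add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect comment="DNS -> router"
add chain=dstnat in-interface=WLAN protocol=udp dst-port=53 action=redirect comment="DNS -> router"
add chain=dstnat in-interface=WLAN protocol=tcp dst-port=53 action=redirect comment="DNS -> router"

# 5. Variant for an internal DNS server instead of the router (the thread's
#    dst-nat option), shipped disabled. The server's own upstream lookups must be
#    accepted before the dst-nat rule, or they are NATed back to the server itself.
add chain=dstnat src-address=192.0.2.10 protocol=udp dst-port=53 action=accept comment="exempt internal DNS server" disabled=yes
add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=dst-nat to-addresses=192.0.2.10 comment="DNS -> internal server" disabled=yes

# 6. Strict reverse-path filtering: a packet whose source address is not routed
#    via the interface it arrived on is dropped, so spoofed-source queries from a
#    compromised LAN host are never answered.
/ip settings set rp-filter=strict

# 7. Check the order actually in effect and that the cache is being used.
/ip firewall filter print
/ip firewall nat print
/ip dns cache print
```

Rule order is the usual failure here: `print` shows the numbering, and the drop and redirect rules must sit above any blanket accept in the same chain, otherwise they are never reached. Verify from outside with the openresolver test ZeroByte links; the WAN-side drops in step 2 are what make it report closed. Two caveats: `rp-filter=strict` breaks setups with asymmetric routing (for example two WAN links), so use `loose` there; and if you enable the step 5 variant with the internal server on the same subnet as the clients, replies come straight from the server's real address and the clients discard them, so that setup additionally needs a srcnat (masquerade) rule for the redirected traffic.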
