borregator
just joined
Topic Author
Posts: 5
Joined: Thu Jun 09, 2016 8:46 pm
Location: Caracas,Venezuela

ATTACKS TO UDP PORT 53 (DNS)

Fri Jun 29, 2018 3:39 pm

Hello Mikrotik Developers and Users.
I have found several MikroTik routers (any model) connected to the Internet failing due to induced saturation on the WAN port. The users report extreme slowness when browsing the Internet. When the router is disconnected from the LAN side, the saturation continues, as if the router were sending packets toward the Internet cloud (Tx saturation).
This problem often occurs when static public addresses are used on the WAN port.

I solved it by adding a filter rule dropping any incoming packets on the WAN port with destination port 53 UDP.

Have any of you experienced this?

Is MikroTik working on this issue?

Any recommendations?

Thanks.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: ATTACKS TO UDP PORT 53 (DNS)

Fri Jun 29, 2018 3:55 pm

http://bfy.tw/IpI6

Simply: deny any incoming unexpected/unrelated traffic to your router.
Real admins use real keyboards.
 
Sob
Forum Guru
Posts: 4889
Joined: Mon Apr 20, 2009 9:11 pm

Re: ATTACKS TO UDP PORT 53 (DNS)

Sat Jun 30, 2018 2:09 am

Is MikroTik working on this issue?
There's not much here for MikroTik to do. The issue is a misconfigured router working as an open resolver. Blame the admin. Even the default firewall is now secure by default. MikroTik could probably make some small changes to make it harder to misconfigure a router like this, but still, it's the admin who's responsible.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Redmor
Member Candidate
Posts: 250
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: ATTACKS TO UDP PORT 53 (DNS)

Sat Jun 30, 2018 6:02 pm

You could accept DNS only from LAN if you're on a client, as the default configuration firewall does.
/ip firewall filter
# accept DNS (UDP and TCP) only when it arrives on the LAN interface
add action=accept chain=input comment=DNS dst-port=53 in-interface=LAN-interface protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface=LAN-interface protocol=tcp
# drop everything else addressed to the router itself
add action=drop chain=input
 
Sob
Forum Guru
Posts: 4889
Joined: Mon Apr 20, 2009 9:11 pm

Re: ATTACKS TO UDP PORT 53 (DNS)

Sat Jun 30, 2018 6:30 pm

Careful with the last one, you want to allow a few more things (admin access) before adding the last drop rule.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
WirtelPL
newbie
Posts: 34
Joined: Sat Nov 11, 2017 11:22 am
Location: Poland

Re: ATTACKS TO UDP PORT 53 (DNS)

Tue Jul 03, 2018 12:57 pm

Will disabling the "allow remote requests" option be additional security?
[Router]> ip dns print 
         allow-remote-requests: no
RB951G-2HnD for home production
RBmAP2nD | RB952Ui-5ac2nD-TC for home lab
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: ATTACKS TO UDP PORT 53 (DNS)

Tue Jul 03, 2018 1:20 pm

http://lmgtfy.com/?q=mikrotik+dns+allow+remote

Devices on the LAN are also remote for the router, so only the router itself can use DNS.
Yes, security is higher but functionality is lower.
Real admins use real keyboards.
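Putting together Redmor's LAN-only DNS rules, Sob's caveat about admin access before the final drop, and the allow-remote-requests question: the following is an added example (not posted by anyone in this thread) of an input chain that keeps allow-remote-requests=yes so LAN clients can still use the router as a resolver, while the firewall stops WAN hosts from reaching port 53. It assumes ether1 is the WAN interface and the LAN ports sit in a bridge named bridge; adjust both to your setup.

```routeros
# Added example, not from the thread. Assumes WAN on ether1 and LAN on "bridge".
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

# Weak state: the resolver answers anyone who can reach port 53 on the WAN address.
# /ip dns set allow-remote-requests=yes   (with no input filter in front of it)

# Keep the resolver on for LAN clients; the filter below is what makes it safe.
/ip dns set allow-remote-requests=yes

# Input chain: the first matching rule wins, so order matters.
/ip firewall filter
# 1. Replies to connections the router itself started (its own DNS lookups, NTP, updates).
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="invalid"
# 2. Management from LAN only; this must come before the final drop or you lock yourself out.
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=22,8291 comment="ssh/winbox from LAN"
# 3. DNS from LAN only (Redmor's rules, narrowed to the LAN interface list).
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS udp from LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS tcp from LAN"
# 4. Explicit, logged drop for DNS from WAN so the abuse attempts show up in /log.
add chain=input action=drop in-interface-list=WAN protocol=udp dst-port=53 log=yes log-prefix="dns-wan" comment="DNS udp from WAN"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=53 log=yes log-prefix="dns-wan" comment="DNS tcp from WAN"
# 5. Everything else arriving from WAN.
add chain=input action=drop in-interface-list=WAN comment="drop rest from WAN"

# Checks: rule hit counters should rise on rules 4/5 during the flood, not on rule 3.
/ip firewall filter print stats
/log print where message~"dns-wan"
```

Turn log=yes off once you have confirmed the traffic, since a sustained flood against port 53 will fill the log and cost CPU.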
