78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

DNS "Allow Remote Requests" Firewall Configuration

Sun Nov 21, 2021 7:07 pm

Hello all,

As I continue to familiarize myself with Mikrotik Firewall Rules and its capabilities, I am looking for some guidance on "DNS / Allow Remote Requests" as it applies to FW Filters.

As indicated on the Mikrotik Wiki:

"A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, the MikroTik router can be specified as a primary DNS server under its DHCP server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.

When both static and dynamic servers are set, static server entries are preferred; however, this does not mean that the static server will always be used (for example, if a query was previously answered by a dynamic server and the static one was added later, the dynamic entry will be preferred).

When DNS server allow-remote-requests are used make sure that you limit access to your server over TCP and UDP protocol port 53."

Question 1: Based on my existing FW rules provided at the end of the post, would it be preferred to create a filter rule between rules "3 & 4" to securely allow requests on port 53 for all users on the LAN if utilizing the CRC as your DNS?

Question 2: Would a better approach be to redirect utilizing DSTNAT below?

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 log=yes protocol=udp to-addresses=xxx.xxx.xxx.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log=yes protocol=tcp to-addresses=xxx.xxx.xxx.1 to-ports=53


LAN/WAN interfaces are identified and configured accordingly within the interface-lists.

Cheers,
[x3010@CRC100] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=jump jump-target=icmp protocol=icmp log=no log-prefix="" 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=yes log-prefix="" 

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 6    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; Drop to bogon list (outgoing)
      chain=forward action=drop dst-address-list=not_in_internet log=yes log-prefix="" 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed (c1)
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix="" 

12    ;;; echo reply
      chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix="" 

13    ;;; net unreachable
      chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix="" 

14    ;;; host unreachable
      chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix="" 

15    ;;; host unreachable fragmentation required
      chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix="" 

16    ;;; allow echo request
      chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix="" 

17    ;;; allow time exceed
      chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix="" 

18    ;;; allow parameter bad
      chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix="" 

19    ;;; deny all other types
      chain=icmp action=drop log=no log-prefix="" 

20 X  ;;; Accept local CAPsMAN config
      chain=input action=accept src-address-type=local dst-address-type=local log=no log-prefix="" 
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS "Allow Remote Requests" Firewall Configuration

Mon Nov 22, 2021 2:41 pm

The default firewall rules allow LAN to ROUTER access for such things as Router Services (DNS, NTP).
Hence the default rule
add action=drop chain=input comment="Defconf: drop all not coming from LAN" \
in-interface-list=!LAN


This blocks all WAN to router traffic allowing all LAN to router traffic.
The only reason to specifically allow LAN to Router traffic for port 53 is if you change the concept of the input chain filters to BLOCK all, vice ACCEPT all, by removing the above rule and putting a last rule in the input chain that blocks ALL traffic, not just WAN to router traffic.
add chain=input action=drop.

In this case, just before this rule one would have to add LAN access to the router but ONLY for port 53.
This is actually better security overall. One warning: before you put in the drop rule at the end, above it you also need to add access for the admin to the router, otherwise you will lock yourself out!!

No need to use dst-nat rules for DNS unless you have a very specific need.
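The default-deny input chain described above, written out as an added example (this is not anav's or MikroTik's own configuration). The interface list LAN comes from the original filter print; the admin address list, its 192.168.88.10 entry and the winbox/ssh management ports are assumptions.

```routeros
# Added example: input chain as BLOCK-all with explicit LAN service access.
# Assumption: an address list "admin" holds the management hosts; the
# 192.168.88.10 entry below is a constructed sample value.
/ip firewall address-list
add list=admin address=192.168.88.10 comment="constructed example admin host"

/ip firewall filter
# keep the defconf rules 1-3 from the print: established/related, invalid, ICMP
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=jump jump-target=icmp protocol=icmp comment="defconf: accept ICMP"

# management access goes in BEFORE the final drop so the admin is not locked out
# (assumed ports: 8291 winbox, 22 ssh; restricted to LAN and to the admin list)
add chain=input action=accept in-interface-list=LAN src-address-list=admin \
    protocol=tcp dst-port=8291,22 comment="admin: winbox/ssh from admin hosts"

# router-hosted services the LAN may reach: DNS on 53/udp and 53/tcp
# (allow-remote-requests answers on both transports), NTP on 123/udp
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 \
    comment="LAN: DNS (udp)"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 \
    comment="LAN: DNS (tcp)"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=123 \
    comment="LAN: NTP"

# replaces "drop all not coming from LAN": everything else to the router itself
# is dropped, whether it arrives from WAN or from LAN, and logged for review
add chain=input action=drop log=yes log-prefix="input-drop" \
    comment="input: drop all else"
```

Before relying on it, confirm with /ip firewall filter print stats chain=input that the LAN DNS rules are the ones accumulating packets and that the final drop is not catching management traffic.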
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: DNS "Allow Remote Requests" Firewall Configuration

Mon Nov 22, 2021 9:01 pm

anav,

Thank you for your reply. I had a feeling that filter/rule "4" had something to do with it. I will consider your input and continue utilizing the existing filters unless otherwise required.
