As I continue to familiarize myself with MikroTik firewall rules and their capabilities, I am looking for some guidance on "DNS / Allow Remote Requests" as it applies to FW filters.
As indicated on the MikroTik Wiki:
"A MikroTik router with DNS feature enabled can be set as a DNS server for any DNS-compliant client. Moreover, the MikroTik router can be specified as a primary DNS server under its DHCP server settings. When the remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53.
When both static and dynamic servers are set, static server entries are preferred; however, this does not mean that a static server will always be used (for example, if a query was previously answered by a dynamic server and a static one was added later, the dynamic entry will be preferred).
When DNS server allow-remote-requests are used make sure that you limit access to your server over TCP and UDP protocol port 53."
Question 1: Based on my existing FW rules (provided at the end of the post), would it be preferable to create a filter rule between rules 3 and 4 to securely allow requests on port 53 for all users on the LAN, if using the CRC as the DNS server?
Question 2: Would a better approach be to redirect using the DSTNAT rules below?
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 log=yes protocol=udp to-addresses=xxx.xxx.xxx.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 log=yes protocol=tcp to-addresses=xxx.xxx.xxx.1 to-ports=53
LAN/WAN interfaces are identified and configured accordingly within the interface-lists.
Cheers,
[x3010@CRC100] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=yes log-prefix=""
5 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
6 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
9 ;;; Drop to bogon list (outgoing)
chain=forward action=drop dst-address-list=not_in_internet log=yes log-prefix=""
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed (c1)
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix=""
12 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""
13 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""
14 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""
15 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""
16 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""
17 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""
18 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""
19 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""
20 X ;;; Accept local CAPsMAN config
chain=input action=accept src-address-type=local dst-address-type=local log=no log-prefix=""
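As an added example (not part of the original post, and not MikroTik's own documentation), here are both approaches from the question written as RouterOS commands that can be pasted into the posted rule set. It assumes the interface lists are named LAN and WAN as in the post, and that the defconf comments on the filter rules are unchanged, because `place-before=[find comment=...]` is used to position the new accept rules ahead of rule 4, "drop all not coming from LAN". Two points worth checking against the posted rules: rule 4 already drops DNS queries arriving from WAN, and LAN traffic to the router currently falls through to the input chain's default accept, so the explicit accept rules only become strictly necessary if a final `chain=input action=drop` rule is added later; they are still useful because they make the allowed traffic visible with its own counters. For the NAT part, `action=redirect` delivers the packet to the router's own address on the interface it arrived on, so the router IP does not have to be hard-coded as in the post's `to-addresses=`; `in-interface-list=LAN` stops the rule from ever matching packets arriving on WAN, and `dst-address-type=!local` leaves queries already addressed to the router untouched instead of NATing them twice.

```routeros
# Added example, not from the original post. Assumes interface lists "LAN" and "WAN"
# and the default defconf rule comments; comment strings on the new rules are arbitrary.

# Router acts as a recursive/caching DNS server for clients.
/ip dns set allow-remote-requests=yes

# Input chain: explicitly accept DNS from LAN only, inserted before
# "defconf: drop all not coming from LAN" (rule 4 in the posted output).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="allow DNS (UDP) from LAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="allow DNS (TCP) from LAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# DSTNAT: force every LAN client's DNS query, whatever server it was aimed at,
# to the router itself. redirect = "to this router, on the arriving interface",
# so no xxx.xxx.xxx.1 needs to be hard-coded. Queries already addressed to a
# local router address (dst-address-type=local) are excluded from the rewrite.
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 to-ports=53 \
    in-interface-list=LAN dst-address-type=!local \
    comment="redirect LAN DNS (UDP) to router"
add chain=dstnat action=redirect protocol=tcp dst-port=53 to-ports=53 \
    in-interface-list=LAN dst-address-type=!local \
    comment="redirect LAN DNS (TCP) to router"

# Verify placement and that counters move when a LAN client queries an
# external resolver (e.g. dig @1.1.1.1 from a LAN host; the query should be
# answered by the router and the redirect counters should increment).
/ip firewall filter print stats where chain=input dst-port=53
/ip firewall nat print stats where chain=dstnat dst-port=53
```

The post's NAT rules carry `log=yes`, which writes a log line for every client query; leave logging off on the NAT rules in normal operation and turn it on only briefly to confirm the redirect is matching. Because the redirected packets are delivered to the router, they traverse the input chain, not forward, so the accept rules above (or the input chain's default accept) are what actually lets them through; rule 11 ("drop all from WAN not DSTNATed") never sees them.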