TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

DNS, NTP firewall rules question

Sat Apr 16, 2022 6:35 pm

I run DNS and NTP servers on my router. Most of my network clients use them but there are a few that use hard coded addresses. I recently added dst-nat rules to redirect DNS and NTP requests to the servers on the router. Since then, my default drop rule for the input chain has been logging lots of external attempts to access the servers on the router. They are usually UDP protocol but there have been a few TCP SYN attempts, even for NTP. I have investigated some of the source addresses and found them on some blacklists. Can someone explain why adding the dst-nat rules caused these server access attempts to start happening? Have I had a security issue until now?
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: DNS, NTP firewall rules question

Sat Apr 16, 2022 7:06 pm

I can only speculate without seeing your configuration, but I’d guess you neglected to specify a direction on the dstnat rules, so they affected both directions, input and output.

In normal use, these are single-packet UDP protocols — one in each direction, request and reply — so there are parts of your firewall that don’t come into play like TCP conntracking. That may have left you exposed, if you were depending on that to protect you for UDP as well.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS, NTP firewall rules question

Sat Apr 16, 2022 7:16 pm

You probably mean the same, but I wouldn't use "direction", because to me it's a confusing term: all dstnat rules are for "input", i.e. incoming packets to the router (with one very special exception). But yes, dstnat rules need to be limited. E.g. if there's:
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 action=redirect
It will catch DNS requests coming from everywhere. It should be something like:
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface-list=LAN action=redirect
 
TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: DNS, NTP firewall rules question

Sat Apr 16, 2022 7:42 pm

Good explanations. I have changed the dst-nat rules to only apply to not-WAN input. There are rules for both TCP and UDP. Thanks.
 
xr1s
just joined
Posts: 10
Joined: Wed May 12, 2021 7:50 pm

Re: DNS, NTP firewall rules question

Wed May 11, 2022 10:40 pm

Hi!

Sorry to latch on this thread, but wanted to expand on the above with an additional question:

What if I want to catch clients using other dns servers only?

I run my MikroTik as a DNS caching server. I would like to catch all other requests and redirect/serve them from the device. However, most clients are already using it, so I don't want to catch all of them unnecessarily.

Would I only need:

ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=53 protocol=udp dst-address=!192.168.0.1 in-interface=bridge dst-port=53
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=53 protocol=tcp dst-address=!192.168.0.1 in-interface=bridge dst-port=53

Or also add a masquerade rule? Looks like the masquerade rule would catch all.

Any suggestions most welcome! Thanks!
 
TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: DNS, NTP firewall rules question

Wed May 11, 2022 11:47 pm

I think what you have would work. I was only interested in catching those that were not using the router DNS. I probably catch all DNS access, but I don't think that really matters. I did it a little differently in that I did not use !dst-address as a test. I used !in-interface-list (I had WAN defined). I could have also used !in-interface (ether1). Don't forget about analogous rules for the IPv6 firewall NAT if you are advertising the router DNS to the IPv6 clients. Clients could be using external IPv6 DNS servers as well as IPv4 servers.
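The configuration the thread converges on, written out in one place as an added example (editor's configuration, not rules posted by anyone in the thread): Sob's point that a dstnat rule without an in-interface restriction matches packets arriving from the Internet as well as from the LAN, xr1s's requirement that only clients pointed at some other DNS server are redirected, and TomSF's reminder about IPv6. It assumes interface lists named LAN and WAN already exist, that the router's LAN address is 192.168.0.1 (the placeholder from xr1s's post), that the router's IPv6 address is fd00::1 (a placeholder chosen here), and RouterOS v7 syntax. One caveat on xr1s's masquerade question: because the redirect target is the router itself, connection tracking rewrites the reply's source address back to the server the client originally asked for, so no masquerade rule is needed; masquerade (hairpin src-nat) is only required when the redirect target is another host on the same LAN.

```routeros
# Added example, not configuration from the thread.
# Assumptions: interface lists "LAN" and "WAN" exist, the router's LAN address is
# 192.168.0.1, its IPv6 address is fd00::1 (placeholder), RouterOS v7 syntax.

# --- Weak form (kept commented out; this is what produces Internet-sourced hits) ---
# With no in-interface restriction the dstnat chain matches packets arriving on
# every interface, WAN included, so outside hosts reach the router's DNS/NTP
# services that the input chain's final drop rule would otherwise have blocked.
# /ip firewall nat
# add chain=dstnat protocol=udp dst-port=53  action=redirect comment="WEAK: matches WAN too"
# add chain=dstnat protocol=udp dst-port=123 action=redirect comment="WEAK: matches WAN too"

# --- Corrected form ---
# Only packets that entered on a LAN interface are eligible (in-interface-list=!WAN
# expresses the same thing the other way round, as the original poster did), and
# only packets addressed to a DNS/NTP server other than the router itself are
# redirected, so clients already using the router are left untouched.
# action=redirect sends the packet to the router's own address on the same port.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53  dst-address=!192.168.0.1 action=redirect comment="Stray DNS (UDP) -> router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53  dst-address=!192.168.0.1 action=redirect comment="Stray DNS (TCP) -> router"
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=123 dst-address=!192.168.0.1 action=redirect comment="Stray NTP -> router"

# Input chain: accept the services from the LAN only and let the existing drop
# rule handle WAN. "add" appends to the end of the chain, so if a drop rule is
# already last these accepts must be moved above it (or added with place-before=).
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53,123 action=accept comment="LAN DNS/NTP (UDP)"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53     action=accept comment="LAN DNS (TCP)"

# IPv6 analogue (IPv6 NAT exists in RouterOS v7 only). Clients that were handed the
# router's IPv6 address as DNS may still have a hard-coded IPv6 resolver configured.
/ipv6 firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 dst-address=!fd00::1 action=redirect comment="Stray DNS (UDP, v6) -> router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 dst-address=!fd00::1 action=redirect comment="Stray DNS (TCP, v6) -> router"

# Check: the redirect counters should climb only when a LAN client queries an
# outside resolver, and the input chain's drop rule should go back to logging
# only unsolicited WAN traffic rather than hits on ports 53/123.
/ip firewall nat print stats
/ipv6 firewall nat print stats
```

The dst-address negation is what keeps clients that already use the router from being touched; dropping it (as TomSF did) is harmless because a packet already addressed to the router is redirected to the same place, it just inflates the rule counters.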
