I recently installed a hAP ac2 and I have Pi-hole installed on a device in my network, which I set up as the DNS server.
From the Pi-hole's logs, it looks like I received some DNS queries from external addresses (by googling them, they look mostly like Chinese addresses). I noticed that because of some (~20) warnings: "ignoring query from non-local network <ip-address>", all of them from the same day within a window of a few hours.
I don't have the Pi-hole exposed to the internet, at least it's not supposed to be, and I didn't make changes to the firewall in the past days. How is it possible that I'm receiving those queries?
The MikroTik device is behind my ISP's modem router, a Vodafone Station Revolution which has been configured to act only as a modem and has a static NAT enabled towards the hAP ac2.
I have some firewall rules to redirect every DNS query from my network to the Pi-hole.
The Pi-hole also acts as a WireGuard server.
My network structure:
Internet <-> Vodafone Station <--(static NAT)--> mikrotik.local <-> NATted devices, including Pi-hole
# may/02/2022 14:17:33 by RouterOS 6.49.6
# software id = 0GMD-Z5IT
#
# model = RBD52G-5HacD2HnD
/ip firewall address-list
add address=192.168.88.2 list=pi-hole
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block NetBIOS" dst-port=135,137-139 protocol=tcp
add action=drop chain=forward dst-port=135,137-139 protocol=udp
add action=drop chain=forward protocol=tcp src-port=135,137-139
add action=drop chain=forward protocol=udp src-port=135,137-139
/ip firewall mangle
add action=mark-connection chain=prerouting comment=DNS dst-port=53,853 new-connection-mark=dns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=DNS dst-port=53,853 new-connection-mark=dns passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=dns new-packet-mark=dns passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Redirect all DNS queries to the Pi-hole (TCP)" dst-address=!192.168.88.2 packet-mark=dns protocol=tcp \
src-address=!192.168.88.2 src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53
add action=dst-nat chain=dstnat comment="Redirect all DNS queries to the Pi-hole (UDP)" dst-address=!192.168.88.2 packet-mark=dns protocol=udp \
src-address=!192.168.88.2 src-address-list=!pi-hole to-addresses=192.168.88.2 to-ports=53
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=WireGuard dst-port=51337 protocol=udp to-addresses=192.168.88.2 to-ports=51337
My DHCP configuration:
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server lease
<cut>
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.2 gateway=192.168.88.1
Thanks!
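Added example, not part of the original post: a simplified model of how the prerouting mangle rule (dst-port=53,853, no in-interface restriction), the "Redirect all DNS queries to the Pi-hole" dstnat rule and the "drop all from WAN not DSTNATed" forward rule above evaluate a packet. It assumes, as a hypothesis to check rather than a confirmed cause, that queries arriving on the WAN interface get the dns mark and are therefore redirected; the public IPs and the restrict_to_lan switch are constructed for the illustration.

```python
# Added example: toy model of the posted RouterOS rules, not RouterOS itself.
# Hypothesis under test: a DNS packet arriving on WAN is marked "dns" by the
# prerouting mangle rule, dst-nat'd to the Pi-hole, and then passes the
# "drop all from WAN not DSTNATed" forward rule because it *was* dstnat'd.
from dataclasses import dataclass

PIHOLE = "192.168.88.2"
ROUTER_WAN_IP = "203.0.113.10"  # constructed placeholder for the public IP

@dataclass
class Packet:
    in_iface: str   # "WAN" or "LAN", matching the interface lists
    src: str
    dst: str
    dst_port: int
    proto: str = "udp"

def mangle_mark(pkt: Packet, restrict_to_lan: bool) -> bool:
    """Prerouting mark-connection rule: protocol tcp/udp, dst-port 53,853.
    restrict_to_lan=True models adding in-interface-list=LAN to that rule
    (an assumed hardening, absent from the posted config)."""
    if restrict_to_lan and pkt.in_iface != "LAN":
        return False
    return pkt.proto in ("tcp", "udp") and pkt.dst_port in (53, 853)

def dstnat_target(pkt: Packet, restrict_to_lan: bool = False):
    """Redirect rule: packet-mark=dns, dst != Pi-hole, src != Pi-hole."""
    if not mangle_mark(pkt, restrict_to_lan):
        return None
    if pkt.dst == PIHOLE or pkt.src == PIHOLE:
        return None
    return (PIHOLE, 53)

def forward_allowed(pkt: Packet, dstnatted: bool) -> bool:
    """'drop all from WAN not DSTNATed': new WAN connections survive the
    forward chain only if dstnat already rewrote them."""
    return pkt.in_iface != "WAN" or dstnatted

def classify(pkt: Packet, restrict_to_lan: bool = False) -> str:
    target = dstnat_target(pkt, restrict_to_lan)
    if target is not None and forward_allowed(pkt, True):
        return f"redirected to {target[0]}:{target[1]}"
    return "forwarded unchanged" if forward_allowed(pkt, False) else "dropped"

# Constructed sample packets: a LAN client asking a public resolver, and an
# unsolicited query from outside aimed at the router's WAN address.
LAN_QUERY = Packet("LAN", "192.168.88.50", "8.8.8.8", 53)
WAN_QUERY = Packet("WAN", "198.51.100.7", ROUTER_WAN_IP, 53)

if __name__ == "__main__":
    for p in (LAN_QUERY, WAN_QUERY):
        print(p.in_iface, "as posted:", classify(p), "| LAN-only mark:", classify(p, True))
```

In this model the WAN query is redirected to the Pi-hole exactly like a LAN query, which would explain "non-local network" warnings; restricting the mangle rule to LAN traffic makes the same packet fall through to the WAN drop rule instead.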