If under DNS cache you do not have "Allow Remote Requests" checked, and the router LAN is assigned 192.168.1.1, dhcp clients to the router are assigned out of 192.168.1.0/24 and router receives DNS servers from PPPoE will the clients be able to use the DNS cache on 192.168.1.1?
I do see the docs but still am not sure.
http://wiki.mikrotik.com/wiki/Manual:IP/DNS
What does "Allow Remote Requests" exactly change?
-
-
BinaryCrash
newbie
- Posts: 41
- Joined:
Re: DNS Allow Remote Requests
Allow Remote Requests:
enabled = Will be a DNS Server, responding to dns requests.
disabled = Will be a DNS Client, not responding to dns request. Used only for local dns resolve. (the mikrotik itself)
enabled = Will be a DNS Server, responding to dns requests.
disabled = Will be a DNS Client, not responding to dns request. Used only for local dns resolve. (the mikrotik itself)
Re: DNS Allow Remote Requests
So it would likely be a good idea to do this to protect the DNS cache if "Allow Remote Requests" is enabled?
/ip firewall filter
add action=drop chain=input dst-port=53 protocol=udp src-address=!192.168.1.0/24
or
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
/ip firewall filter
add action=drop chain=input dst-port=53 protocol=udp src-address=!192.168.1.0/24
or
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
-
-
BinaryCrash
newbie
- Posts: 41
- Joined:
Re: DNS Allow Remote Requests
Yes, you should block others from using your DNS Server and enable only your network to use it. Using filters, like you said.
Re: DNS Allow Remote Requests
Not so fast.........
It depends upon the fiilter rules in place.
For example I have drop all else rules at the end and work on the principle of - if its not permitted its dropped.
So my input rules are as such.....
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
Any other traffic on port 53 will be dropped by my last rule.
add action=drop chain=input comment="DROP ALL ELSE"
If you want to be slightly more paranoid you could always add these rules in the forward chain BEFORE
the first accept, established rule............
add action=drop chain=forward comment="Drop LAN DNS queries-UDP" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Drop LAN DNS queries - TCP" dst-port=\
53 in-interface-list=WAN protocol=tcp
However since I have a drop all else rule in my forward chain as the last rule, I dont think I need this.
It depends upon the fiilter rules in place.
For example I have drop all else rules at the end and work on the principle of - if its not permitted its dropped.
So my input rules are as such.....
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
Any other traffic on port 53 will be dropped by my last rule.
add action=drop chain=input comment="DROP ALL ELSE"
If you want to be slightly more paranoid you could always add these rules in the forward chain BEFORE
the first accept, established rule............
add action=drop chain=forward comment="Drop LAN DNS queries-UDP" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Drop LAN DNS queries - TCP" dst-port=\
53 in-interface-list=WAN protocol=tcp
However since I have a drop all else rule in my forward chain as the last rule, I dont think I need this.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
MTUNA Certified, by the Ascerbic Llama!
-
-
pegasus123
Frequent Visitor
- Posts: 58
- Joined:
Re: DNS Allow Remote Requests
you replied to a post from 2012
Re: DNS Allow Remote Requests
I need the practice LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
MTUNA Certified, by the Ascerbic Llama!
Who is online
Users browsing this forum: Majestic-12 [Bot] and 140 guests