I would like to propose allowing the administrator to choose the interface that the NTP and DNS servers built into RouterOS bind to, rather than having to set a separate firewall rule to specify access rules for them.
Letter from ISP: 'you have open DNS resolver, you may be susceptible to DDoS'.
I have NTP server enabled and DNS set to 'allow remote requests'.
I look at the firewall and see for UDP, I have the standard 'allow udp -> input' rule.
Running a UDP port scanner on the ISP interface, ports 53, 123 and 161 are open. So I have to add a firewall rule just above the standard 'allow UDP -> input' rule to block access from the ISP interface. It works fine and solves the problem, but it is one extra firewall rule, for both IPv4 and IPv6. Maybe it would be better to choose the binding interfaces than to have the extra firewall rule?
This also highlighted to me how I have never tested for open UDP ports before. I assumed all port scanners and security tools automatically tested them. Lesson: never assume, always check!
Any comments or feedback?
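For reference, the kind of input-chain rule described above, written out as an added RouterOS CLI example (not from the original post or from MikroTik). It assumes the WAN-facing port is a member of an interface list named `WAN` and that the existing permissive UDP rule carries the comment `allow udp`; both names are assumptions, adjust them to your configuration.

```routeros
# Added example: drop DNS (53), NTP (123) and SNMP (161) over UDP arriving on the
# ISP-facing interface, placed before the existing "allow udp -> input" rule so
# it is evaluated first. "WAN" and the comment text are assumed names.

# Make sure the ISP-facing port is in the interface list (ether1 is an assumption)
/interface list add name=WAN comment="ISP-facing interfaces (assumed)"
/interface list member add list=WAN interface=ether1

# IPv4: insert the drop rule directly above the existing permissive UDP rule
/ip firewall filter add chain=input action=drop protocol=udp dst-port=53,123,161 \
    in-interface-list=WAN comment="drop DNS/NTP/SNMP from ISP" \
    place-before=[find chain=input comment="allow udp"]

# IPv6: same rule, same position, on the IPv6 filter table
/ipv6 firewall filter add chain=input action=drop protocol=udp dst-port=53,123,161 \
    in-interface-list=WAN comment="drop DNS/NTP/SNMP from ISP" \
    place-before=[find chain=input comment="allow udp"]

# Verify ordering: the drop rule must appear above the allow rule in both tables
/ip firewall filter print where chain=input
/ipv6 firewall filter print where chain=input
```

If the existing UDP rule has no comment, use its rule number from `print` as the `place-before=` value instead of the `find` lookup; re-running the external UDP scan afterwards is the only real confirmation that 53/123/161 are closed from the ISP side.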