I wouldn't leave it open either though because your router will be
abused via DDoS using DNS amplification.
Personally, I would either create an address list of allowed outside IPs
that can communicate on the DNS input chain or block it completely on
the outside-facing interface.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 8/6/2014 12:54 PM, Chupaka wrote:
Then you definitely don't want to block that =)
--
Signature:
(appended to the end of all outgoing messages)
2014-08-06 20:01 GMT+03:00 Mike Hammett <[email protected]>:
The router itself is still answering DNS for some devices.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Chupaka" <[email protected]>
To: "Mikrotik discussions" <[email protected]>
Sent: Wednesday, August 6, 2014 11:56:06 AM
Subject: Re: [Mikrotik] DNS Firewall
Why do you need to block it in input chain? Forward is quite enough.
--
Signature:
(appended to the end of all outgoing messages)
2014-08-06 18:32 GMT+03:00 Mike Hammett <[email protected]>:
Would this be a good DNS ruleset? Assuming I put my DNS servers in the
DNS_Servers address list. Well, and assuming I enable them...
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
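Added example, not posted by anyone in this thread: a RouterOS filter ruleset that follows Rory McCann's suggestion (an address list of hosts allowed to reach the router's resolver on the input chain, everything else dropped on the outside-facing interface) while still letting LAN devices use the router for DNS, as in Mike's situation. The interface name ether1, the LAN prefix 192.168.88.0/24, the resolver address 198.51.100.10 and the list name DNS_Clients are assumptions chosen for the example; DNS_Servers is the list name from Mike's post.

```routeros
# Added example, not from the thread. Assumed: ether1 is the WAN interface,
# 192.168.88.0/24 is the LAN, 198.51.100.10 is a permitted upstream resolver.
/ip firewall address-list
add list=DNS_Servers address=198.51.100.10 comment="constructed: approved upstream resolver"
add list=DNS_Clients address=192.168.88.0/24 comment="constructed: hosts allowed to query the router"

/ip firewall filter
# input chain: the router answers DNS only for listed clients
add chain=input protocol=udp dst-port=53 src-address-list=DNS_Clients action=accept comment="LAN may use router DNS"
add chain=input protocol=tcp dst-port=53 src-address-list=DNS_Clients action=accept
# anything else reaching port 53 on the WAN side is dropped, not rejected, so the
# router sends no packet back to a spoofed source (no amplification / reflection)
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no open resolver on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
# forward chain: LAN hosts may only talk to the approved resolvers
add chain=forward protocol=udp dst-port=53 dst-address-list=DNS_Servers action=accept
add chain=forward protocol=tcp dst-port=53 dst-address-list=DNS_Servers action=accept
add chain=forward protocol=udp dst-port=53 action=drop comment="block DNS to unapproved resolvers"
add chain=forward protocol=tcp dst-port=53 action=drop
```

Rule order matters: the accept rules must sit above the drop rules in each chain. On the WAN side, drop is preferable to the reject or tarpit actions in Mike's draft because a reject generates an ICMP reply that a spoofed-source flood can turn into outbound traffic. After applying, `/ip firewall filter print stats` shows per-rule counters, which is the quickest way to confirm that queries from the LAN hit the accept rules and that the WAN drop rules are actually catching outside traffic.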