But if you block from outside traffic doesn't that also block reverse lookups for mail traffic?
Terri Kelley
Network Engineer
254.697.6710
Farm to Market Broadband

-----Original Message-----
From: Rory McCann <[email protected]>
To: Mikrotik discussions <[email protected]>
Sent: Thu, 07 Aug 2014 3:52 PM
Subject: Re: [Mikrotik] DNS Firewall

I wouldn't leave it open either though because your router will be abused via DDoS using DNS amplification. Personally, I would either create an address list of allowed outside IPs that can communicate on the DNS input chain or block it completely on the outside-facing interface.

Rory McCann
MKAP Technology Solutions
Web: www.mkap.net

On 8/6/2014 12:54 PM, Chupaka wrote:
> Then you definitely don't want to block that =)
>
> --
> Signature:
> (added at the end of all outgoing messages)
>
> 2014-08-06 20:01 GMT+03:00 Mike Hammett <[email protected]>:
>
>> The router itself is still answering DNS for some devices.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> ----- Original Message -----
>>
>> From: "Chupaka" <[email protected]>
>> To: "Mikrotik discussions" <[email protected]>
>> Sent: Wednesday, August 6, 2014 11:56:06 AM
>> Subject: Re: [Mikrotik] DNS Firewall
>>
>> Why do you need to block it in input chain? Forward is quite enough.
>>
>> --
>> Signature:
>> (added at the end of all outgoing messages)
>>
>> 2014-08-06 18:32 GMT+03:00 Mike Hammett <[email protected]>:
>>
>>> Would this be a good DNS ruleset? Assuming I put my DNS servers in the
>>> DNS_Servers address list. Well, and assuming I enable them...
>>>
>>> add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
>>> add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
>>> add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
>>> add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
>>> add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
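
The two options suggested in the thread (an address list of allowed outside IPs on the input chain, or blocking DNS completely on the outside-facing interface), written out as RouterOS rules. This is an added example, not configuration posted by anyone in the thread; the interface name ether1-wan, the list name DNS_Allowed and the addresses (documentation ranges) are assumed placeholders.

```routeros
# Added example. Assumptions: ether1-wan is the outside-facing interface,
# DNS_Allowed is a hypothetical list name, addresses are documentation ranges.

/ip firewall address-list
add list=DNS_Allowed address=192.0.2.10 comment="outside host allowed to query the router"
add list=DNS_Allowed address=198.51.100.0/24 comment="outside subnet allowed to query the router"

/ip firewall filter
# Replies to queries that the router (or hosts behind it) sent out are
# tracked connections, so they are accepted here and never reach the
# port-53 rules below. Those rules only see NEW inbound queries.
add chain=input connection-state=established,related action=accept \
    comment="replies to router-originated traffic"

# Option A: outside hosts may query the router only if listed in DNS_Allowed.
# drop is used instead of reject: with spoofed source addresses a reject
# would send ICMP errors to the spoofed (victim) address.
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    src-address-list=!DNS_Allowed action=drop \
    comment="DNS/UDP from outside, not in allow list"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    src-address-list=!DNS_Allowed action=drop \
    comment="DNS/TCP from outside, not in allow list"

# Option B: block DNS to the router completely on the outside interface.
# Use these two rules INSTEAD of the Option A pair (shown disabled here).
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 \
    action=drop disabled=yes comment="all DNS/UDP from outside"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 \
    action=drop disabled=yes comment="all DNS/TCP from outside"
```

Because the rules match only on the outside interface, devices on the inside that still use the router as their resolver are unaffected.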

