Okay, let's run through the rules I have.
* I create an address list of all DNS servers that should be allowed to
communicate with the outside world, regardless of direction.
* I create an address list of subnets allowed on my network (public and
management).
* First rule allows any traffic that is destined to those routers,
regardless of origin. I'll leave it up to the DNS server to filter on sources.
Some are authoritative, some are resolvers.
* (Just realized I only have a rule for accepting TCP. I need to add one
for UDP as well.)
* The next four rules block all DNS traffic that does not have a source
address of one of those DNS servers, TCP or UDP, to my router or through my
router. This should block off-net and on-net devices from making a DNS query to
anything on my network not in the DNS Servers list.
* The last rule (which I forgot to post) blocks DNS traffic going to my
router that isn't from a "friendly" subnet.
* (Just realized I only have a rule for accepting UDP. I need to add one
for TCP as well.)
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=udp
add action=reject chain=forward connection-limit=0,0 disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=reject chain=input connection-limit=0,0 disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=tarpit chain=forward connection-limit=0,0 disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input connection-limit=0,0 disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!Local_Networks
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!Local_Networks
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
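To see how the reply's ruleset behaves under RouterOS first-match chain evaluation, here is an added Python simulator (not the author's code and not a RouterOS tool) that parses the eight rules above and evaluates sample flows against them. The address-list members and the sample flows are constructed for the demonstration; connection-limit and reject-with are not modelled, and the rules posted as disabled=yes are treated as enabled unless told otherwise.

```python
import ipaddress
import shlex

# Constructed stand-ins for the post's address lists (the real members are not given).
ADDRESS_LISTS = {
    "DNS_Servers": ["203.0.113.10", "203.0.113.11"],
    "Local_Networks": ["203.0.113.0/24", "192.0.2.0/24"],
}

# The reply's eight rules, verbatim, with the mail client's line wraps joined.
RULESET = """
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=udp
add action=reject chain=forward connection-limit=0,0 disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=reject chain=input connection-limit=0,0 disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=tarpit chain=forward connection-limit=0,0 disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input connection-limit=0,0 disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!Local_Networks
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!Local_Networks
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of its matchers."""
    return [dict(p.split("=", 1) for p in shlex.split(line)[1:])
            for line in text.strip().splitlines() if line.startswith("add ")]

def in_list(addr, spec):
    """Match an address-list spec; a leading '!' negates, None matches anything."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n, strict=False)
              for n in ADDRESS_LISTS[spec.lstrip("!")])
    return hit != negate

def evaluate(rules, chain, proto, src, dst, dport, assume_enabled=True):
    """Walk the chain in order; the first rule whose matchers all fit decides,
    since accept/reject/tarpit are terminating actions. assume_enabled treats
    the disabled=yes rules as if they had been enabled."""
    for r in rules:
        if r.get("chain") != chain:
            continue
        if r.get("disabled") == "yes" and not assume_enabled:
            continue
        if r.get("protocol", proto) != proto or r.get("dst-port", str(dport)) != str(dport):
            continue
        if not in_list(src, r.get("src-address-list")) or not in_list(dst, r.get("dst-address-list")):
            continue
        return r["action"]
    return "no-match"  # falls through to whatever rules follow on the router

RULES = parse_rules(RULESET)
```

Evaluating a local client's UDP query to the router itself returns reject from the !DNS_Servers input rule, so the later !Local_Networks rule is never consulted for that flow; that ordering is worth checking against what the last rule is meant to allow.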
----- Original Message -----
From: "Mike Hammett" <[email protected]>
To: "Mikrotik discussions" <[email protected]>
Sent: Wednesday, August 6, 2014 10:32:00 AM
Subject: DNS Firewall
Would this be a good DNS ruleset? Assuming I put my DNS servers in the
DNS_Servers address list. Well, and assuming I enable them...
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS