Not exactly sure what you mean? I'm just referring to blocking traffic
on the input chain (the MT device itself). I don't think the MT DNS
implementation has a means of authenticating source IPs, so they can be
abused with DNS amplification DDoS attacks (I had it happen with one of
my clients). Because of this, it's better to just use it internally or
with trusted IP space and not open to the world. Do you really need
every Tom, Dick and Harry using your MT for DNS anyway?
You can still handle your forward chain (through the router) traffic
separately if you have a BIND server or something.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 8/8/2014 8:19 AM, Terri Kelley wrote:
But if you block from outside traffic doesn't that also block reverse lookups
for mail traffic?
Terri Kelley
Network Engineer
254.697.6710
Farm to Market Broadband
-----Original Message-----
From: Rory McCann <[email protected]>
To: Mikrotik discussions <[email protected]>
Sent: Thu, 07 Aug 2014 3:52 PM
Subject: Re: [Mikrotik] DNS Firewall
I wouldn't leave it open either though because your router will be
abused via DDoS using DNS amplification.
Personally, I would either create an address list of allowed outside IPs
that can communicate on the DNS input chain or block it completely on
the outside-facing interface.
Rory McCann
MKAP Technology Solutions
Web: www.mkap.net
On 8/6/2014 12:54 PM, Chupaka wrote:
Then you definitely don't want to block that =)
--
Signature:
(appended at the end of all outgoing messages)
2014-08-06 20:01 GMT+03:00 Mike Hammett <[email protected]>:
The router itself is still answering DNS for some devices.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Chupaka" <[email protected]>
To: "Mikrotik discussions" <[email protected]>
Sent: Wednesday, August 6, 2014 11:56:06 AM
Subject: Re: [Mikrotik] DNS Firewall
Why do you need to block it in input chain? Forward is quite enough.
--
Signature:
(appended at the end of all outgoing messages)
2014-08-06 18:32 GMT+03:00 Mike Hammett <[email protected]>:
Would this be a good DNS ruleset? Assuming I put my DNS servers in the
DNS_Servers address list. Well, and assuming I enable them...
/ip firewall filter
# through-traffic: allow TCP/53 towards the listed resolvers
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
# through-traffic: reject UDP/53 from anything not in the list
add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
# traffic to the router's own resolver: reject UDP/53 from anything not in the list
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
# tarpit TCP/53 from unlisted sources, both through and to the router
add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
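The advice in this thread (allow-list the outside sources that may use the router's resolver, or block port 53 on the outside-facing interface, while leaving forwarded traffic alone) is shown below as an added RouterOS v6 example; it is not configuration posted by any participant. It assumes the WAN interface is named ether1-wan, the LAN is 192.168.88.0/24, and the allowed outside sources are kept in an address list called DNS_Clients; the addresses placed in that list are constructed RFC 5737 documentation ranges. The first input rule is what answers the reverse-lookup question: replies to queries the router itself sends upstream return as established/related traffic, so blocking unsolicited port 53 on the input chain does not stop the router's own lookups (PTR queries that remote mail servers make about your addresses go to whoever is authoritative for your reverse zone, not to the router's caching resolver).

```routeros
# Added example, not from the thread. Assumed names: ether1-wan, DNS_Clients.
# Addresses in the list are constructed documentation ranges (RFC 5737).
/ip firewall address-list
add list=DNS_Clients address=203.0.113.0/24 comment="assumed: trusted remote site"
add list=DNS_Clients address=198.51.100.7 comment="assumed: partner relay"

/ip firewall filter
# Answers to the router's own upstream queries (and any other return traffic)
# match established/related, so this rule must sit above the drops below.
add chain=input connection-state=established,related action=accept comment="return traffic incl. answers to our own DNS queries"
# LAN hosts may use the router's resolver (UDP and TCP/53).
add chain=input protocol=udp dst-port=53 src-address=192.168.88.0/24 action=accept comment="LAN DNS"
add chain=input protocol=tcp dst-port=53 src-address=192.168.88.0/24 action=accept comment="LAN DNS (TCP)"
# Allow-listed outside sources may use it too.
add chain=input protocol=udp dst-port=53 src-address-list=DNS_Clients action=accept comment="allow-listed outside DNS clients"
add chain=input protocol=tcp dst-port=53 src-address-list=DNS_Clients action=accept comment="allow-listed outside DNS clients (TCP)"
# Everyone else arriving on the WAN for the router's resolver is dropped.
# drop rather than reject: a reject still sends a packet back towards a
# possibly spoofed source, which is exactly the amplification-style
# behaviour the allow-list is meant to avoid.
add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="no open resolver on the WAN"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop comment="no open resolver on the WAN (TCP)"

# The resolver keeps answering (this is the setting that lets RouterOS serve
# DNS at all); the filter above, not this flag, decides who may reach it.
/ip dns set allow-remote-requests=yes
```

Nothing here touches the forward chain, so traffic passing through the router to a BIND server or other resolver behind it is unaffected. If you would rather take Rory's second option and not maintain an address list, keep the established/related rule and the two WAN drops and leave out the DNS_Clients rules.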