Yep, BIND server is what I was referring to. Thanks,
Terri Kelley
Network Engineer
254-697-6710
Farm to Market Broadband

On Aug 8, 2014, at 9:34 AM, Rory McCann wrote:

> Not exactly sure what you mean? I'm just referring to blocking traffic on the
> input chain (the MT device itself). I don't think the MT DNS implementation
> has a means of authenticating source IPs, so they can be abused with DNS
> amplification DDoS attacks (I had it happen with one of my clients). Because
> of this, it's better to just use it internally or with trusted IP space and
> not open to the world. Do you really need every Tom, Dick and Harry using
> your MT for DNS anyway?
>
> You can still handle your forward chain (through the router) traffic
> separately if you have a BIND server or something.
>
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> On 8/8/2014 8:19 AM, Terri Kelley wrote:
>> But if you block outside traffic, doesn't that also block reverse
>> lookups for mail traffic?
>>
>> Terri Kelley
>> Network Engineer
>> 254.697.6710
>> Farm to Market Broadband
>>
>> -----Original Message-----
>> From: Rory McCann <[email protected]>
>> To: Mikrotik discussions <[email protected]>
>> Sent: Thu, 07 Aug 2014 3:52 PM
>> Subject: Re: [Mikrotik] DNS Firewall
>>
>> I wouldn't leave it open either, though, because your router will be
>> abused via DDoS using DNS amplification.
>>
>> Personally, I would either create an address list of allowed outside IPs
>> that can communicate on the DNS input chain or block it completely on
>> the outside-facing interface.
>>
>> Rory McCann
>> MKAP Technology Solutions
>> Web: www.mkap.net
>>
>> On 8/6/2014 12:54 PM, Chupaka wrote:
>>> Then you definitely don't want to block that =)
>>>
>>> --
>>> Signature:
>>> (added at the end of all outgoing messages)
>>>
>>> 2014-08-06 20:01 GMT+03:00 Mike Hammett <[email protected]>:
>>>
>>>> The router itself is still answering DNS for some devices.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> http://www.ics-il.com
>>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Chupaka" <[email protected]>
>>>> To: "Mikrotik discussions" <[email protected]>
>>>> Sent: Wednesday, August 6, 2014 11:56:06 AM
>>>> Subject: Re: [Mikrotik] DNS Firewall
>>>>
>>>> Why do you need to block it in the input chain? Forward is quite enough.
>>>>
>>>> --
>>>> Signature:
>>>> (added at the end of all outgoing messages)
>>>>
>>>> 2014-08-06 18:32 GMT+03:00 Mike Hammett <[email protected]>:
>>>>
>>>>> Would this be a good DNS ruleset? Assuming I put my DNS servers in the
>>>>> DNS_Servers address list. Well, and assuming I enable them...
>>>>>
>>>>> add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
>>>>> add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
>>>>> add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
>>>>> add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
>>>>> add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
>>>>>
>>>>> -----
>>>>> Mike Hammett
>>>>> Intelligent Computing Solutions
>>>>> http://www.ics-il.com

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
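An added example, not from the thread and not MikroTik's code: a small Python checker that parses `/ip firewall filter export` lines such as the ruleset posted above and walks the input chain with RouterOS first-match semantics, reporting what an untrusted Internet host gets when it sends UDP/53 and TCP/53 to the router itself. It also shows the point Chupaka raised, that enabling the posted input-chain rule as written rejects LAN clients the router still resolves for, and contrasts it with a hardened variant that admits the trusted address list first and then drops port 53 arriving on the WAN interface. The interface names (ether1-wan, bridge-lan), the hardened ruleset and the sample packets are constructed for the illustration; the walker follows no jump rules and applies RouterOS's default of accept to unmatched packets.

```python
"""Audit a RouterOS '/ip firewall filter export' for DNS exposure on the
input chain: does the router's own resolver answer untrusted hosts?

Added illustration; not MikroTik code and not from the mailing-list thread.
Assumptions: interface names and the hardened ruleset are constructed,
'jump' rules are not followed, unmatched packets get RouterOS's default
policy, which is accept."""
import re
from dataclasses import dataclass

TERMINAL = {"accept", "drop", "reject", "tarpit"}   # actions that end the walk
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')            # key=value tokens of an export line


@dataclass(frozen=True)
class Packet:
    proto: str                          # "udp" or "tcp"
    dst_port: int
    in_interface: str
    src_lists: frozenset = frozenset()  # address lists the source IP is in


def parse_export(text):
    """Return each 'add ...' line as a dict of its key=value pairs, in order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return rules


def port_matches(spec, port):
    """dst-port takes a comma list of ports and lo-hi ranges, e.g. '53,1024-65535'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def negatable(spec, member):
    """'NAME' matches when member(NAME) holds, '!NAME' when it does not."""
    return member(spec.lstrip("!")) != spec.startswith("!")


def rule_matches(rule, chain, pkt):
    """Matchers used by the sample rulesets; an absent matcher matches anything."""
    if rule.get("chain") != chain or rule.get("disabled") == "yes":
        return False
    if "protocol" in rule and rule["protocol"] != pkt.proto:
        return False
    if "dst-port" in rule and not port_matches(rule["dst-port"], pkt.dst_port):
        return False
    if "src-address-list" in rule and not negatable(
            rule["src-address-list"], lambda name: name in pkt.src_lists):
        return False
    if "in-interface" in rule and not negatable(
            rule["in-interface"], lambda name: name == pkt.in_interface):
        return False
    return True


def verdict(rules, chain, pkt):
    """First terminal rule that matches wins; nothing matched means accept."""
    for rule in rules:
        if rule_matches(rule, chain, pkt) and rule.get("action") in TERMINAL:
            return rule["action"]
    return "accept"


def dns_exposure(export_text, wan_interface):
    """What an untrusted Internet host (in no address list, arriving on the WAN
    interface) gets when it queries the router itself on UDP/53 and TCP/53."""
    rules = parse_export(export_text)
    return {proto: verdict(rules, "input", Packet(proto, 53, wan_interface))
            for proto in ("udp", "tcp")}


# The ruleset posted in the thread, as posted (four of five rules disabled).
POSTED = """\
/ip firewall filter
add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
"""
POSTED_ENABLED = POSTED.replace("disabled=yes", "disabled=no")

# Constructed hardened variant (assumed WAN interface name ether1-wan): admit
# trusted sources first, then drop port 53 that arrives on the WAN interface,
# so LAN clients the router still resolves for are untouched. Order matters.
HARDENED = """\
/ip firewall filter
add action=accept chain=input dst-port=53 protocol=udp src-address-list=DNS_Servers
add action=accept chain=input dst-port=53 protocol=tcp src-address-list=DNS_Servers
add action=drop chain=input dst-port=53 in-interface=ether1-wan protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1-wan protocol=tcp
"""

if __name__ == "__main__":
    lan = Packet("udp", 53, "bridge-lan")   # constructed LAN client, in no list
    for name, text in (("posted", POSTED), ("posted, enabled", POSTED_ENABLED),
                       ("hardened", HARDENED)):
        print(f"{name:16} Internet -> router: {dns_exposure(text, 'ether1-wan')}"
              f"   LAN udp/53: {verdict(parse_export(text), 'input', lan)}")
```

Run against a real export by pasting its `add` lines into a string and passing the router's actual WAN interface name; the same walker can be pointed at the forward chain to check whether transit queries to a BIND server are still accepted, which is the case Terri asked about.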

