Does the Mikrotik DNS cache listen on both TCP and UDP port 53? In the past I always dropped both in the input chain on the PPPoE interface, but I am not sure whether it actually listens on the TCP port.
> Assuming you have DNS set to Allow Remote Requests (which must be on for
> local customers to use the Mikrotik as their DNS server), make sure you have
> an Input chain rule to drop UDP and TCP destination port 53 on the WAN
> interface. Mikrotik’s QuickSet leaves the router open to DNS amplification
> attacks.
>
> Also check if you have NTP server enabled, that’s another amplification
> attack method.
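
One way to settle the TCP question empirically and to confirm the drop rules work, as an added example that is not part of the original thread: it sends one A query over UDP and one over TCP (with the 2-byte length prefix DNS uses on TCP) and reports which transport answers. The function names, the `example.com` query name, the fixed transaction id and IPv4-only probing are assumptions of this example.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS query: one question, type A, class IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_reply(data, txid=0x1234):
    """True if data is a DNS response (QR bit set) with our transaction id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)  # any rcode counts: the port answered

def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or fewer if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe_udp(host, port=53, name="example.com", timeout=2.0):
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
            s.send(build_query(name))
            return is_reply(s.recv(4096))
    except OSError:  # timeout (packet dropped) or ICMP unreachable (rejected)
        return False

def probe_tcp(host, port=53, name="example.com", timeout=2.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            q = build_query(name)
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: length, then message
            size = recv_exact(s, 2)
            n = struct.unpack("!H", size)[0] if len(size) == 2 else 0
            return is_reply(recv_exact(s, n))
    except OSError:  # timeout (SYN dropped) or connection refused
        return False

def audit(host, port=53):
    return {"udp": probe_udp(host, port), "tcp": probe_tcp(host, port)}
```

Call `audit()` with the router's WAN address from a host outside the WAN interface; with the input-chain drop rules in place both values should be `False`.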