Input chain will only protect the router in question and nothing behind it. If you want to have your entire network protected you need to do the same thing on the forward chain on the router that is connected to your upstream; this way a single router can protect all your internal routers with public IPs.

# Drop new inbound DNS (UDP and TCP) arriving on the upstream interface before
# it is forwarded to hosts behind this router. "forward" is the default chain
# for "/ip firewall filter add"; it is spelled out here so the intent is clear.
/ip firewall filter add chain=forward dst-port=53 protocol=udp in-interface=internet action=drop
/ip firewall filter add chain=forward dst-port=53 protocol=tcp in-interface=internet action=drop

This will kill all new inbound connections to any DNS server on the inside of your network, but will still allow your internal DNS servers to request DNS info from servers out on the internet.

Eje Gustafsson
WISP-Router, Inc

From: [email protected] [mailto:[email protected]] On Behalf Of Jeremy Grip
Sent: Friday, November 14, 2014 8:01 AM
To: 'Mikrotik Users'
Subject: Re: [Mikrotik Users] DNS caching on PPPoE concentrator

Yup, I am dropping TCP and UDP port 53 on the input chain from outside. Mike, what do you use for a resolver?

From: [email protected] [mailto:[email protected]] On Behalf Of Christian Palecek
Sent: Thursday, November 13, 2014 10:32 PM
To: Mikrotik Users
Subject: Re: [Mikrotik Users] DNS caching on PPPoE concentrator

I block DNS on the input chain so it only works on the local address, which is a private/loopback IP.

Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Mike Hammett <[email protected]>
Date: 11/13/2014 8:14 PM (GMT-07:00)
To: Mikrotik Users <[email protected]>
Subject: Re: [Mikrotik Users] DNS caching on PPPoE concentrator

Mine are open, but my border stops DNS that isn't otherwise allowed.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

_____
From: "Chuck Breitkreutz" <[email protected]>
To: "Mikrotik Users" <[email protected]>
Sent: Thursday, November 13, 2014 9:13:57 PM
Subject: Re: [Mikrotik Users] DNS caching on PPPoE concentrator

No disrespect, but you are asking for a DNS attack.

_____
From: [email protected] [mailto:[email protected]] On Behalf Of Christian Palecek
Sent: Thursday, November 13, 2014 8:26 PM
To: Mikrotik Users
Subject: Re: [Mikrotik Users] DNS caching on PPPoE concentrator

Allow remote requests under the DNS settings. Whatever the local address on your PPPoE connection is should be handed out as the primary DNS.

Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Jeremy Grip <[email protected]>
Date: 11/13/2014 7:14 PM (GMT-07:00)
To: 'Mikrotik Users' <[email protected]>
Subject: [Mikrotik Users] DNS caching on PPPoE concentrator

I hand out IPs to client routers from 450G gateways via PPPoE. The 450s are configured for DNS caching with remote requests enabled, but the PPPoE servers configured on the LAN interfaces specify my upstream provider and Google DNS nameservers. Do DNS requests from PPPoE clients use the cache, or do I need to specify the router itself as a DNS server in the PPPoE server/s?

_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
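The pieces discussed in the thread (allow-remote-requests, handing the router's own address to PPPoE clients, input-chain drops on the concentrator, forward-chain drops on the border) pulled together as one RouterOS 6.x script. This is an added example, not configuration posted by anyone on the list; it assumes the WAN interface is named "internet" as in Eje's rules, that PPPoE sessions arrive on dynamic PPP interfaces (matched with the built-in all-ppp value), and uses a constructed local address of 10.0.0.1 for the PPPoE profile.

```routeros
# Added example: keep the router's DNS cache available to PPPoE clients only.
# Assumed names/addresses: WAN interface "internet", PPPoE local address 10.0.0.1.

# 1. Answer queries from non-router clients. On its own this setting makes the
#    router an open resolver; the input-chain rules below are what close it.
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# 2. Hand the router itself out as the resolver, so client lookups hit the cache
#    instead of being sent straight to the upstream/Google servers.
/ppp profile set default local-address=10.0.0.1 dns-server=10.0.0.1

/ip firewall filter
# 3. Input chain: the router's own DNS service. Accept from PPP sessions first,
#    then drop anything that arrives on the WAN side.
add chain=input protocol=udp dst-port=53 in-interface=all-ppp action=accept comment="DNS from PPPoE clients"
add chain=input protocol=tcp dst-port=53 in-interface=all-ppp action=accept comment="DNS/TCP from PPPoE clients"
add chain=input protocol=udp dst-port=53 in-interface=internet action=drop comment="no DNS from the internet"
add chain=input protocol=tcp dst-port=53 in-interface=internet action=drop comment="no DNS/TCP from the internet"

# 4. Forward chain (border router): protect DNS servers behind it. Replies to
#    lookups started from inside are still allowed by the established/related rule.
add chain=forward connection-state=established,related action=accept comment="replies to internal lookups"
add chain=forward protocol=udp dst-port=53 in-interface=internet connection-state=new action=drop comment="no new inbound DNS"
add chain=forward protocol=tcp dst-port=53 in-interface=internet connection-state=new action=drop comment="no new inbound DNS/TCP"
```

Rule order matters: the accepts for all-ppp must sit above the drops, and all four input rules must come before any broad "accept input" rule already in the firewall. After applying, confirm from an address outside your network that a query to the router's public IP goes unanswered while a PPPoE client still resolves names through 10.0.0.1.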
