Re: [Mikrotik] DNS Firewall

2014-08-08 Thread Terri Kelley
et Broadband >> >> -Original Message- >> From: Rory McCann >> To: Mikrotik discussions >> Sent: Thu, 07 Aug 2014 3:52 PM >> Subject: Re: [Mikrotik] DNS Firewall >> >> I wouldn't leave it open either though because your router will be

Re: [Mikrotik] DNS Firewall

2014-08-08 Thread Rory McCann
Original Message- From: Rory McCann To: Mikrotik discussions Sent: Thu, 07 Aug 2014 3:52 PM Subject: Re: [Mikrotik] DNS Firewall I wouldn't leave it open either though because your router will be abused via DDoS using DNS amplification. Personally, I would either create an address li

Re: [Mikrotik] DNS Firewall

2014-08-08 Thread Mike Hammett
Okay, let's run through the rules I have. * I create an address list of all DNS servers that should be allowed to communicate with the outside world, regardless of direction. * I create an address list of subnets allowed on my network (public and management). * First rule allows

Re: [Mikrotik] DNS Firewall

2014-08-08 Thread Terri Kelley
> The router itself is still answering DNS for some devices. >> >> >> >> >> - >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> >> >> - Original Message - >> >> Fr

Re: [Mikrotik] DNS Firewall

2014-08-07 Thread Rory McCann
me devices. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: "Chupaka" To: "Mikrotik discussions" Sent: Wednesday, August 6, 2014 11:56:06 AM Subject: Re: [Mikrotik] DNS Firewall Why do you need to block it in input

Re: [Mikrotik] DNS Firewall

2014-08-06 Thread Chupaka
tions > http://www.ics-il.com > > > > - Original Message - > > From: "Chupaka" > To: "Mikrotik discussions" > Sent: Wednesday, August 6, 2014 11:56:06 AM > Subject: Re: [Mikrotik] DNS Firewall > > Why do you need to block it i

Re: [Mikrotik] DNS Firewall

2014-08-06 Thread Mike Hammett
The router itself is still answering DNS for some devices. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: "Chupaka" To: "Mikrotik discussions" Sent: Wednesday, August 6, 2014 11:56:06 AM Subject

Re: [Mikrotik] DNS Firewall

2014-08-06 Thread Chupaka
Why do you need to block it in input chain? Forward is quite enough. -- Signature: (added at the end of all outgoing emails) 2014-08-06 18:32 GMT+03:00 Mike Hammett : > Would this be a good DNS ruleset? Assuming I put my DNS servers in the > DNS_Servers address list. Well, and assuming I enable

[Mikrotik] DNS Firewall

2014-08-06 Thread Mike Hammett
Would this be a good DNS ruleset? Assuming I put my DNS servers in the DNS_Servers address list. Well, and assuming I enable them... add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp add action=reject chain=forward disabled=yes dst-port=53 protoc