How to protect MikroTik against DoS and DDoS attacks related to open recursive DNS

If your MikroTik's DNS service answers queries from other devices on your network, you must make sure that the same service is not also reachable from the internet. A recursive DNS server that is open to the internet is both a target for DoS (Denial of Service) attacks and a tool for DDoS (Distributed Denial of Service) attacks against others: an attacker sends small queries with a forged source address, and the router sends the much larger responses to the victim (DNS reflection and amplification).

How to protect your MikroTik against DNS service abuse from the Internet

When a MikroTik has been configured to answer DNS queries from other devices (the "Allow Remote Requests" option under IP > DNS), it is important to ensure that it does not accept DNS queries arriving from anywhere other than your internal network. "Allow Remote Requests" makes the DNS service listen on every interface, including the one facing the internet, so without firewall rules the router is an open resolver.

You can enforce this with firewall rules on your MikroTik. The rules below drop DNS traffic addressed to the router itself (the input chain) unless it comes from your internal network; DNS traffic from the internal network is not affected.

The suggested configuration below is deliberately simple and will not fit every scenario. Several internal networks (or VPN subnets whose clients use the router as resolver), an existing set of firewall rules, or IPv6 require rules adapted to the situation, for example additional source networks or the equivalent rules in the IPv6 firewall, so that the firewall keeps working and performs well.

Go to the web management interface of your MikroTik router, for example 'http://192.168.88.1', and login.

At the top of the page, click the WebFig button.

From the menu on the left, go to New Terminal. A new window will open with access to the terminal.

Copy the commands below one at a time and paste them into the terminal window. Before pressing Enter, replace the address 192.168.88.0/24 in the commands with your internal network address.

Display the current firewall rules, so you can see where the new rules will land:
/ip firewall filter print

Drop incoming DNS over UDP port 53 that does not originate from the internal network:
/ip firewall filter add chain=input dst-port=53 protocol=udp src-address=!192.168.88.0/24 action=drop place-before=0

Drop incoming DNS over TCP port 53 that does not originate from the internal network:
/ip firewall filter add chain=input dst-port=53 protocol=tcp src-address=!192.168.88.0/24 action=drop place-before=0

Both rules use place-before=0 so that they sit at the top of the input chain, ahead of any accept rule that would otherwise let the traffic through (the second command places the TCP rule above the UDP rule, which is harmless because their order relative to each other does not matter). If the filter table is still empty, place-before=0 has no rule to refer to and the command is rejected; omit it in that case. Note that src-address=!192.168.88.0/24 also drops DNS from any other subnet that reaches the router (a VPN or a second LAN, for example), so add those networks if their clients use the router as their resolver.

To check the result, run /ip firewall filter print again and confirm that the two drop rules are the first entries of the input chain. Then, from a host outside your network, query your public address (for example dig @203.0.113.10 example.com, using your own public IP instead): the query should time out instead of returning an answer.

Done.
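For the cases the note above sets aside (several internal networks, VPN subnets, IPv6), the following added example, which is not part of the original article, matches on the router's interface lists instead of a single source subnet, so that every trusted interface is covered with one rule per protocol and the IPv6 firewall gets the same treatment. It assumes the default RouterOS interface list named LAN exists and contains every trusted interface (bridge, VLANs, VPN interfaces); the list name and the rule comments are assumptions you should adapt to your router.

```routeros
# Added example, not from the original article: interface-list based DNS protection.
# Assumes the default interface list "LAN" exists; every trusted interface must be a member.
# Check the membership first and add missing interfaces with
#   /interface list member add list=LAN interface=<name>
/interface list member print where list=LAN

# IPv4: drop DNS to the router itself (input chain) from any interface that is not in LAN.
# place-before=0 puts the rule at the top of the chain; omit it if the filter table is empty.
/ip firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=!LAN action=drop comment="drop DNS from non-LAN (UDP)" place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=!LAN action=drop comment="drop DNS from non-LAN (TCP)" place-before=0

# IPv6: the IPv4 rules do nothing for IPv6 traffic; the same two rules are needed in the IPv6 firewall.
/ipv6 firewall filter add chain=input protocol=udp dst-port=53 in-interface-list=!LAN action=drop comment="drop DNS from non-LAN (UDP)" place-before=0
/ipv6 firewall filter add chain=input protocol=tcp dst-port=53 in-interface-list=!LAN action=drop comment="drop DNS from non-LAN (TCP)" place-before=0

# Verify: the drop rules should be the first entries of each input chain.
/ip firewall filter print where chain=input
/ipv6 firewall filter print where chain=input
```

Matching on in-interface-list=!LAN rather than on a source address means that a new internal subnet is protected as soon as its interface is added to the LAN list, and that spoofed packets arriving on the WAN interface with an internal source address are still dropped. Paste the commands one at a time, as with the rules above, and repeat the external test with your public IPv6 address as well if the router has one.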

Updated on: 12/07/2024
