How to protect MikroTik against DoS and DDoS attacks related to open recursive DNS

By allowing your MikroTik's DNS service to receive queries from other devices on your network, it is important to ensure that it is not exposed on the internet. A recursive DNS server open on the internet can become a target of DoS (Denial of Service) attacks and can be abused to participate in DDoS (Distributed Denial of Service) attacks via DNS.

How to protect your MikroTik against DNS service abuse from the Internet

When you have a MikroTik that has been configured to respond to DNS queries received from other devices (via the "Allow Remote Requests" option), it is important to ensure that it does not allow incoming DNS queries originating from locations other than your internal network.

To perform this protection you can use firewall rules in your Mikrotik. These rules will allow incoming DNS traffic from your internal network while blocking other DNS traffic destined for the router.

1. Go to the web management interface of your MikroTik router, for example 'http://192.168.88.1', and login.

2. At the top of the page, click the WebFig button.

3. From the menu on the left, go to New Terminal. A new window will open with access to the terminal.

4. Copy the commands below one at a time and paste them into the terminal window. Before confirming with Enter, replace the address 192.168.88.0/24 in the commands with your internal network address.

• Displays the current firewall rules

undefined/ip firewall filter print;

• Block incoming dns 53 UDP not originating from the internal network

undefined/ip firewall filter add chain=input dst-port=53 protocol=udp src-address=!192.168.88.0/24 action=drop place-before=0;

• Block incoming dns 53 tcp not originating from the internal network

undefined/ip firewall filter add chain=input dst-port=53 protocol=tcp src-address=!192.168.88.0/24 action=drop place-before=0;

5. Done.

Updated on: 12/07/2024