PogMoThoin

DNS server not working

Mon Jul 11, 2016 2:01 pm

I've copied lots of my config from my old RB951 to my new CRS and I'm completely stumped as to why DNS is not working. My clients work fine with static Google DNS but I cannot get the local Mikrotik one that I'm handing out in the DHCP leases to work. Can someone have a quick look at my config, it must be something simple I'm missing.
# RouterOS /export as posted (CRS switch, RouterOS 6.x -- the fasttrack rules
# and master-port switching below point at a 6.29-6.40 era build).
# pppoe-out1 carries the public address and is the only untrusted interface;
# bridge1 (ether2..ether24 via ether2-master, plus sfp1) is the 10.0.0.0/24 LAN.
# Lines starting with "NOTE(review)" are reviewer comments; the configuration
# lines themselves are unchanged.
/interface bridge
add name=bridge1
# ether2-master is the switch-chip master port; ether3..ether24 are hardware
# switched as its slaves (pre-6.41 style). sfp1 is disabled.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master name=ether3-slave
set [ find default-name=ether4 ] master-port=ether2-master name=ether4-slave
set [ find default-name=ether5 ] master-port=ether2-master name=ether5-slave
set [ find default-name=ether6 ] master-port=ether2-master name=ether6-slave
set [ find default-name=ether7 ] master-port=ether2-master name=ether7-slave
set [ find default-name=ether8 ] master-port=ether2-master name=ether8-slave
set [ find default-name=ether9 ] master-port=ether2-master name=ether9-slave
set [ find default-name=ether10 ] master-port=ether2-master name=ether10-slave
set [ find default-name=ether11 ] master-port=ether2-master name=ether11-slave
set [ find default-name=ether12 ] master-port=ether2-master name=ether12-slave
set [ find default-name=ether13 ] master-port=ether2-master name=ether13-slave
set [ find default-name=ether14 ] master-port=ether2-master name=ether14-slave
set [ find default-name=ether15 ] master-port=ether2-master name=ether15-slave
set [ find default-name=ether16 ] master-port=ether2-master name=ether16-slave
set [ find default-name=ether17 ] master-port=ether2-master name=ether17-slave
set [ find default-name=ether18 ] master-port=ether2-master name=ether18-slave
set [ find default-name=ether19 ] master-port=ether2-master name=ether19-slave
set [ find default-name=ether20 ] master-port=ether2-master name=ether20-slave
set [ find default-name=ether21 ] master-port=ether2-master name=ether21-slave
set [ find default-name=ether22 ] master-port=ether2-master name=ether22-slave
set [ find default-name=ether23 ] master-port=ether2-master name=ether23-slave
set [ find default-name=ether24 ] master-port=ether2-master name=ether24-slave
set [ find default-name=sfp1 ] disabled=yes
# WAN: PPPoE over ether1-gateway. The public address lives on pppoe-out1, so
# firewall rules must use in-interface=pppoe-out1 (not ether1-gateway) to
# identify Internet traffic. The PPPoE password is not shown in this export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway name=pppoe-out1 \
    user=vodafone@vodafone.ie
# MNDP/CDP/LLDP switched off on the WAN ethernet only. NOTE(review): pppoe-out1
# is not listed, so neighbor discovery is presumably still active on the PPPoE
# interface itself -- confirm with "/ip neighbor discovery print".
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.254
# DHCP server bound to bridge1. NOTE(review): the router's LAN address (see
# /ip address below) sits on ether2-master, which is a *port* of bridge1, not
# on bridge1 itself; layer-3 configuration normally belongs on the bridge.
# Leases were evidently still issued (first post), so this works, but it is
# worth moving the address to bridge1.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d name=dhcp1
/queue type
add kind=sfq name=qos
# QoS: HTB tree on parent=global fed by packet marks p1-dn..p8-up.
# NOTE(review): the mangle table below only sets *connection* marks (p1..p8);
# there is no mark-packet rule, so packet-mark=p1-dn etc. never match and these
# queues carry no traffic as posted. In addition, flows accepted by the
# fasttrack rule in the filter chain bypass mangle and parent=global queue
# trees (per the RouterOS docs), so most established traffic would skip this
# tree even once packet marks are added.
/queue tree
add max-limit=48M name=All-Download parent=global queue=default
add max-limit=19M name=All-Upload parent=global queue=default
add limit-at=10M max-limit=48M name=P1-dn packet-mark=p1-dn parent=All-Download \
    priority=1 queue=qos
add limit-at=10M max-limit=48M name=P2-dn packet-mark=p2-dn parent=All-Download \
    priority=2 queue=qos
add limit-at=10M max-limit=48M name=P3-dn packet-mark=p3-dn parent=All-Download \
    priority=3 queue=qos
add max-limit=48M name=P4-dn packet-mark=p4-dn parent=All-Download priority=4 \
    queue=qos
add max-limit=48M name=P5-dn packet-mark=p5-dn parent=All-Download priority=5 \
    queue=qos
add max-limit=48M name=P6-dn packet-mark=p6-dn parent=All-Download priority=6 \
    queue=qos
add max-limit=48M name=P7-dn packet-mark=p7-dn parent=All-Download priority=7 \
    queue=qos
add max-limit=48M name=P8-dn packet-mark=p8-dn parent=All-Download queue=qos
add limit-at=4M max-limit=19M name=p1-up packet-mark=p1-up parent=All-Upload \
    priority=1 queue=qos
add limit-at=4M max-limit=19M name=p2-up packet-mark=p2-up parent=All-Upload \
    priority=2 queue=qos
add limit-at=4M max-limit=19M name=p3-up packet-mark=p3-up parent=All-Upload \
    priority=3 queue=qos
add max-limit=19M name=p4-up packet-mark=p4-up parent=All-Upload priority=4 \
    queue=qos
add max-limit=19M name=p5-up packet-mark=p5-up parent=All-Upload priority=5 \
    queue=qos
add max-limit=19M name=p6-up packet-mark=p6-up parent=All-Upload priority=6 \
    queue=qos
add max-limit=19M name=p7-up packet-mark=p7-up parent=All-Upload priority=7 \
    queue=qos
add max-limit=19M name=p8-up packet-mark=p8-up parent=All-Upload queue=qos
# bridge1 = the whole switch group (ether2-master) plus the disabled sfp1.
/interface bridge port
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=sfp1
# Per-port egress scheduling: eight WRR queues with weights 1..128 on every
# switch port. Looks like the CRS default; no security relevance.
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
    wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
    ,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
# NOTE(review): PPTP server enabled. PPTP's MS-CHAPv2/MPPE is cryptographically
# weak (captured handshakes can be cracked offline); if remote access is needed,
# prefer an IPsec-based VPN, otherwise disable this. As posted it is not even
# reachable: no input rule below accepts tcp/1723 or GRE, so the final input
# drop discards PPTP from the WAN and the LAN alike.
/interface pptp-server server
set enabled=yes max-mru=1460 max-mtu=1460
# NOTE(review): LAN address on ether2-master (a bridge port) rather than on
# bridge1 -- see the DHCP server note above.
/ip address
add address=10.0.0.1/24 interface=ether2-master network=10.0.0.0
# Clients are told to resolve through the router (10.0.0.1), so udp/53 (and
# tcp/53) from the LAN to the router must be accepted in the input chain.
# The filter below never does that -- see the "drop everything else" note.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 domain=colfin22.local gateway=\
    10.0.0.1 netmask=24
# allow-remote-requests=yes makes the router a forwarding resolver for anyone
# who can reach port 53 on it. The input chain MUST therefore limit port 53 to
# the LAN (in-interface=!pppoe-out1 or src-address=10.0.0.0/24); an unfiltered
# port 53 on the PPPoE address is an open resolver usable in DNS amplification.
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-udp-packet-size=512 \
    servers=8.8.8.8
/ip firewall filter
# Input chain (traffic to the router itself). Rules are evaluated top-down;
# accept/drop terminate, add-src-to-address-list and log are passthrough.
# None of the accept rules below is scoped to an interface or source, so
# "from anywhere" includes the Internet via pppoe-out1.
add chain=input comment="allow icmp" protocol=icmp
# NOTE(review): Winbox (8291) and the plaintext API (8728) are accepted from
# ANY source -- no in-interface / src-address -- i.e. they are reachable on the
# public PPPoE address. Management ports belong on the LAN only
# (in-interface=!pppoe-out1 or src-address=10.0.0.0/24), or behind the
# rdp-allow-address-list whitelist if WAN management is truly required;
# prefer api-ssl (8729) over 8728 in that case.
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
# Observation only: record sources probing RDP and ftp/ssh/telnet ports.
# Passthrough, so the packet continues down the chain to the final drop.
add action=add-src-to-address-list address-list=trying_to_rdp \
    address-list-timeout=1d chain=input comment="list IP's who try rdp" \
    dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=\
    "list IP's who try remote login" dst-port=20-23 protocol=tcp
# SSH brute-force protection (MikroTik wiki pattern): four new connections
# from one source inside ~1 minute -> ssh_blacklist for 4w2d.
# NOTE(review): (1) ssh_stage3 has no address-list-timeout, so membership is
# permanent and a source that once made three quick connections is blacklisted
# on its very next one, whenever that is; (2) the staging rules run *before*
# "allow ssh", so whitelisted hosts are staged and blacklisted as well -- the
# whitelist accept should sit above them; (3) rdp-allow-address-list is never
# defined in this export, so "allow ssh" matches nothing as posted.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp src-address-list=\
    rdp-allow-address-list
# Redundant: tcp/21 would reach the final drop anyway, and the FTP service is
# disabled under /ip service.
add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
# SYN-flood and port-scan detection, all disabled.
add action=add-src-to-address-list address-list=syn-flooder \
    address-list-timeout=30m chain=input comment="add syn flood IP to list" \
    connection-limit=100,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="drop to syn flood list" disabled=yes \
    src-address-list=syn-flooder
add action=add-src-to-address-list address-list=port-scanner \
    address-list-timeout=4w2d chain=input comment="port scanner detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="drop to port scan list" disabled=yes \
    src-address-list=port-scanner
# Forward chain (traffic through the router). Connection-rate limiting is
# disabled.
add action=log chain=forward comment="tcp connection limit" connection-limit=\
    100,32 disabled=yes log-prefix=TCP_connection_limit: protocol=tcp \
    tcp-flags=syn
add action=drop chain=forward comment="tcp connection limit" connection-limit=\
    100,32 disabled=yes protocol=tcp tcp-flags=syn
# Fasttracked (established/related) flows skip the rest of the filter, mangle
# and the parent=global queue trees, so the QoS tree above only ever sees the
# packets that are not fasttracked.
add action=fasttrack-connection chain=forward comment=\
    "fastract established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=related
# NOTE(review): the forward chain has no default deny -- new connections from
# pppoe-out1 that were not dst-nat'ed are never dropped. Add something like
#   add action=drop chain=forward connection-state=new \
#       connection-nat-state=!dstnat in-interface=pppoe-out1
# (if this build has the connection-nat-state matcher) after the accepts.
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid
# Only "established" is accepted for input -- "related" (e.g. ICMP errors for
# the router's own connections) is not. Consider
# connection-state=established,related.
add chain=input comment="allow established connections" connection-state=\
    established
# This unconditional drop is the cause of the thread's problem: nothing above
# accepts udp/53 (or tcp/53) from the LAN, so client queries to 10.0.0.1 die
# here, while queries to 8.8.8.8 leave through the forward chain unhindered.
# Fix: accept LAN input (in-interface=!pppoe-out1 src-address=10.0.0.0/24)
# above this rule, or scope this drop to in-interface=pppoe-out1 (what the
# thread settled on). The first form is tighter: it keeps the DNS forwarder
# closed on every path except the LAN.
add action=drop chain=input comment="drop everything else"
# Time-of-day block (01:00-07:30 on weekdays) for hosts in time_restricted,
# disabled.
add action=log chain=forward comment="time restricted" disabled=yes \
    src-address-list=time_restricted time=1h-7h30m,mon,tue,wed,thu,fri
add action=drop chain=forward comment="time restricted" disabled=yes \
    src-address-list=time_restricted time=1h-7h30m,mon,tue,wed,thu,fri
/ip firewall mangle
# Connection marks p1..p8 by destination port. NOTE(review): the queue tree
# matches packet marks (p1-dn, p1-up, ...) and no rule here ever sets a packet
# mark, so this classification currently feeds nothing. Port-based classing is
# also trivially gamed (anything on tcp/443 gets p5).
# dst-address-type=local: connections to any of the router's own addresses,
# from the WAN as well as the LAN.
add action=mark-connection chain=prerouting comment=\
    "Mark all management traffic to this router as priority 1" \
    dst-address-type=local dst-port=21,22,23,80,443,8291,8728,8729 \
    new-connection-mark=p1 protocol=tcp
add action=mark-connection chain=prerouting comment="VOIP to our VOIP gateways" \
    connection-mark=no-mark new-connection-mark=p1 src-address-list=\
    VOIP_Gateways
# NOTE(review): POP3 is tcp/110; protocol=udp here never matches anything.
add action=mark-connection chain=prerouting comment=POP3 new-connection-mark=p6 \
    packet-mark=no-mark port=110 protocol=udp
add action=mark-connection chain=prerouting comment=SMTP new-connection-mark=p6 \
    packet-mark=no-mark port=25 protocol=tcp
add action=mark-connection chain=prerouting comment=SMTP new-connection-mark=p6 \
    packet-mark=no-mark port=465 protocol=tcp
add action=mark-connection chain=prerouting comment=FTP new-connection-mark=p2 \
    packet-mark=no-mark port=20 protocol=tcp
add action=mark-connection chain=prerouting comment=FTP new-connection-mark=p2 \
    packet-mark=no-mark port=21 protocol=tcp
add action=mark-connection chain=prerouting comment=SSH new-connection-mark=p2 \
    packet-mark=no-mark port=22 protocol=tcp
add action=mark-connection chain=prerouting comment=Telnet new-connection-mark=\
    p2 packet-mark=no-mark port=23 protocol=tcp
add action=mark-connection chain=prerouting comment=DNS new-connection-mark=p3 \
    packet-mark=no-mark port=53 protocol=tcp
add action=mark-connection chain=prerouting comment=DNS new-connection-mark=p3 \
    packet-mark=no-mark port=53 protocol=udp
add action=mark-connection chain=prerouting comment=HTTP new-connection-mark=p5 \
    packet-mark=no-mark port=80 protocol=tcp
add action=mark-connection chain=prerouting comment=HTTPS new-connection-mark=\
    p5 packet-mark=no-mark port=443 protocol=tcp
add action=mark-connection chain=prerouting comment=Winbox new-connection-mark=\
    p1 packet-mark=no-mark port=8291 protocol=tcp
add action=mark-connection chain=prerouting comment="Remote Desktop" \
    new-connection-mark=p2 packet-mark=no-mark port=3389 protocol=tcp
add action=mark-connection chain=prerouting comment=PLEX new-connection-mark=p6 \
    packet-mark=no-mark port=32400 protocol=tcp
add action=mark-connection chain=prerouting comment=P2P new-connection-mark=p8 \
    packet-mark=no-mark port=24106 protocol=tcp
add action=mark-connection chain=prerouting comment="NZB SSL" \
    new-connection-mark=p8 packet-mark=no-mark port=563 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
# Port forwards. NOTE(review): none of these dst-nat rules is scoped with
# in-interface=pppoe-out1 or dst-address-type=local, so they also rewrite LAN
# traffic headed to *any* Internet host on these ports (a LAN client opening
# anyhost:32400 lands on 10.0.0.253). The "hairpin nat rule" further down only
# works because of that; dst-address-type=local on each dst-nat rule keeps
# hairpin working without hijacking outbound traffic. Several targets look
# like web admin UIs (nzbget 6789, nzbdrone 8989, couchpotato 5050, Airvision
# 7080, subsonic 4443); they are fully exposed to the Internet, so each must
# have its own authentication enabled, or be reached over the VPN instead.
# The RDP forward is disabled -- keep it that way (see the trying_to_rdp list).
add action=dst-nat chain=dstnat comment=rdp disabled=yes dst-port=3389 \
    protocol=tcp to-addresses=10.0.0.252 to-ports=3389
add action=dst-nat chain=dstnat comment="nzbget " dst-port=6789 protocol=tcp \
    to-addresses=10.0.0.253 to-ports=6789
add action=dst-nat chain=dstnat comment=nzbdrone dst-port=8989 protocol=tcp \
    to-addresses=10.0.0.253 to-ports=8989
add action=dst-nat chain=dstnat comment=couchpotato dst-port=5050 protocol=tcp \
    to-addresses=10.0.0.253 to-ports=5050
add action=dst-nat chain=dstnat comment="plex server" dst-port=32400 protocol=\
    tcp to-addresses=10.0.0.253 to-ports=32400
add action=dst-nat chain=dstnat comment="subsonic server" dst-port=4443 \
    protocol=tcp to-addresses=10.0.0.253 to-ports=4443
add action=dst-nat chain=dstnat comment="alien 2" dst-port=8787 protocol=tcp \
    to-addresses=10.0.0.120 to-ports=8787
add action=dst-nat chain=dstnat dst-port=8787 protocol=udp to-addresses=\
    10.0.0.120 to-ports=8787
add action=dst-nat chain=dstnat dst-port=8008 protocol=udp to-addresses=\
    10.0.0.252 to-ports=8008
add action=dst-nat chain=dstnat comment=Airvision dst-port=7080 protocol=tcp \
    to-addresses=10.0.0.253 to-ports=7080
add action=dst-nat chain=dstnat dst-port=7443-7447 protocol=tcp to-addresses=\
    10.0.0.253 to-ports=7443-7447
add action=dst-nat chain=dstnat comment=SteamTCP dst-port=27015 protocol=tcp \
    to-addresses=10.0.0.136 to-ports=27015
add action=dst-nat chain=dstnat comment=SteamUDP dst-port=25500-25700 protocol=\
    udp to-addresses=10.0.0.136 to-ports=25500-25700
add action=dst-nat chain=dstnat comment=DmanGamesTCP dst-port=25565 protocol=\
    tcp to-addresses=10.0.0.253 to-ports=25565
add action=dst-nat chain=dstnat comment=DmanGamesUDP dst-port=25565 protocol=\
    udp to-addresses=10.0.0.253 to-ports=25565
# Hairpin: LAN clients reaching the forwarded services via the public address
# get their source rewritten so replies come back through the router.
add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
    10.0.0.253 src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment=sabnzb disabled=yes dst-port=8282 \
    protocol=tcp to-addresses=10.0.0.252 to-ports=8282
add action=dst-nat chain=dstnat comment=headphones disabled=yes dst-port=8182 \
    protocol=tcp to-addresses=10.0.0.252 to-ports=8182
add action=dst-nat chain=dstnat disabled=yes dst-port=8182 protocol=udp \
    to-addresses=10.0.0.252 to-ports=8182
add action=dst-nat chain=dstnat comment="utorrent web" disabled=yes dst-port=\
    8008 protocol=tcp to-addresses=10.0.0.252 to-ports=8008
# NAT helpers (ALGs) switched off. Disabling the SIP helper is usually right
# for VoIP behind NAT; the pptp helper only affects PPTP *clients* on the LAN,
# not the PPTP server above.
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes ports=1723
# Telnet, FTP and plain HTTP off. NOTE(review): the services not listed here
# (ssh, winbox, api, api-ssl) are presumably at their defaults, i.e. enabled
# with no address= restriction; "/ip service print" to confirm, and set
# address=10.0.0.0/24 on each as defence in depth behind the firewall.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=89
# NOTE(review): UPnP lets any LAN host (or malware on it) open inbound port
# maps on its own; disable it unless a specific application needs it. The
# external interface is ether1-gateway, but the public address is on
# pppoe-out1, so mappings are presumably being created against the wrong
# interface -- check the dynamic rules in "/ip firewall nat print".
/ip upnp
set enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=ether2-master type=internal
# PPTP accounts; passwords are not shown in this export. See the PPTP server
# note above on the weakness of MS-CHAPv2.
/ppp secret
add name=colm profile=default-encryption service=pptp
add name=fiona profile=default-encryption service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Dublin
/system identity
set name=Khaleesi
# Time sync from two hard-coded public IPs; if those hosts ever change, sync
# silently stops and log timestamps / certificate validity checks drift.
/system ntp client
set enabled=yes primary-ntp=54.229.222.210 secondary-ntp=54.194.18.100

 
PogMoThoin

Re: DNS server not working

Mon Jul 11, 2016 5:15 pm

Ok, I got this working by disabling my drop everything else filter rule. Can someone have a quick look at my filters and tell me where I'm going wrong.
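/ip firewall filter
# ---- input chain: packets addressed to the router itself ------------------
# pppoe-out1 carries the public address and is the only untrusted interface;
# everything else (bridge1 / ether2-master) is the 10.0.0.0/24 LAN. Rules are
# evaluated top-down and the first accept/drop wins; add-src-to-address-list
# and log are passthrough and do not stop evaluation.
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid
add chain=input comment="allow established and related connections" \
    connection-state=established,related
add chain=input comment="allow icmp" protocol=icmp
# Everything the router offers the LAN (DNS on udp/tcp 53, Winbox, API, SSH,
# the PPTP server) is accepted here. This is the rule the original ruleset
# lacked: its unconditional final drop also discarded LAN DNS queries to
# 10.0.0.1, which is why clients only worked with 8.8.8.8 set statically.
# DHCP needs no explicit accept -- leases were still handed out under the
# original drop (first post), presumably because the RouterOS DHCP server is
# handled before the IP filter.
add chain=input comment="accept lan" in-interface=!pppoe-out1 src-address=\
    10.0.0.0/24
# Remote SSH: whitelist FIRST, so trusted hosts never enter the brute-force
# staging lists. rdp-allow-address-list must be populated under
# /ip firewall address-list; as posted it was referenced but never defined.
add chain=input comment="allow ssh (whitelist)" dst-port=22 protocol=tcp \
    src-address-list=rdp-allow-address-list
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# Staging: four new SSH connections from one source inside ~1 minute ->
# ssh_blacklist for 4w2d. Every stage now expires; the original ssh_stage3
# had no timeout, so a source stayed in it permanently and its next
# connection, whenever it came, was blacklisted.
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# Observation-only lists (passthrough): who probes RDP and ftp/ssh/telnet.
# Nothing accepts these ports from the WAN, so the final drop handles them;
# the separate "drop ftp" rule from the original is therefore not needed.
add action=add-src-to-address-list address-list=trying_to_rdp \
    address-list-timeout=1d chain=input comment="list IP's who try rdp" \
    dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=\
    "list IP's who try remote login" dst-port=20-23 protocol=tcp
# Optional SYN-flood / port-scan detection, left disabled as in the original.
add action=add-src-to-address-list address-list=syn-flooder \
    address-list-timeout=30m chain=input comment="add syn flood IP to list" \
    connection-limit=100,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="drop to syn flood list" disabled=yes \
    src-address-list=syn-flooder
add action=add-src-to-address-list address-list=port-scanner \
    address-list-timeout=4w2d chain=input comment="port scanner detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="drop to port scan list" disabled=yes \
    src-address-list=port-scanner
# Winbox (8291) and the plaintext API (8728) are deliberately NO LONGER
# accepted here: the original accepted them from any source, i.e. from the
# Internet. LAN access is already covered by "accept lan". If WAN management
# is really required, accept it only with
# src-address-list=rdp-allow-address-list, and use api-ssl (8729), not 8728.
#
# Final drop, kept unconditional rather than in-interface=pppoe-out1: with the
# LAN accepted above, everything that reaches this point is unwanted (Internet
# DNS queries to the forwarder, Winbox/API, RDP probes, new PPTP/GRE, ...),
# and udp/53 cannot become an open resolver via any other path.
add action=drop chain=input comment="drop everything else"
# ---- forward chain: traffic through the router ----------------------------
# Connection-rate limiting, disabled as before.
add action=log chain=forward comment="tcp connection limit" connection-limit=\
    100,32 disabled=yes log-prefix=TCP_connection_limit: protocol=tcp \
    tcp-flags=syn
add action=drop chain=forward comment="tcp connection limit" connection-limit=\
    100,32 disabled=yes protocol=tcp tcp-flags=syn
# Fasttracked flows skip the rest of the filter, mangle and global queue
# trees; the accept right after it catches what fasttrack does not take.
add action=fasttrack-connection chain=forward comment=\
    "fasttrack established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add chain=forward comment="allow established and related connections" \
    connection-state=established,related
# Only port-forwarded (dst-nat'ed) new connections may enter from the WAN;
# the original forward chain had no default deny at all. Needs a build with
# the connection-nat-state matcher (it is in the 6.x default firewall); if
# yours lacks it, replace with explicit accepts for the forwarded hosts
# followed by a drop of connection-state=new in-interface=pppoe-out1.
add action=drop chain=forward comment="drop new WAN connections not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
# Time-of-day block (01:00-07:30 on weekdays) for hosts in time_restricted,
# disabled as before.
add action=log chain=forward comment="time restricted" disabled=yes \
    src-address-list=time_restricted time=1h-7h30m,mon,tue,wed,thu,fri
add action=drop chain=forward comment="time restricted" disabled=yes \
    src-address-list=time_restricted time=1h-7h30m,mon,tue,wed,thu,fri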

 
cdiedrich

Re: DNS server not working

Mon Jul 11, 2016 5:21 pm

You might specify an in-interface (your WAN port, i.e. pppoe-out1, not ether1-gateway) in your "drop everything else" rule, so that it only drops traffic arriving from the Internet.
Or you keep it as it is and place an accept rule for udp/53 (and tcp/53, which is used for large answers) above it. That accept rule should definitely have either an in-interface (in-interface=!pppoe-out1) or a src-address configured, so that you do not expose your DNS to the outside: with allow-remote-requests=yes the router answers any query it can receive, and an unfiltered port 53 on the public address makes it an open resolver that can be abused in DNS amplification attacks.
-Chris
 
PogMoThoin

Re: DNS server not working

Mon Jul 11, 2016 5:31 pm

Thank you kindly. Adding the in-interface worked. I'm puzzled as to how the same rules worked on my RB951
