Community discussions

 
Jefte
just joined
Topic Author
Posts: 12
Joined: Wed Apr 06, 2016 2:23 pm

DNS Flood

Fri Dec 07, 2018 6:47 pm

Hello my dear, I have a client generating a lot of DNS traffic over the network. I would like to know a smart way to solve this problem. I looked at some mangle rules, but I would like something that catches only the clients that generate this unnecessary traffic and perhaps puts them on a blacklist or redirects them.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: DNS Flood

Fri Dec 07, 2018 8:47 pm

This looks like normal traffic; DNS resolvers use a new socket for every resolution as an added protection against DNS spoofing. I would not consider 28 kbps a "flood".
 
Jefte
just joined
Topic Author
Posts: 12
Joined: Wed Apr 06, 2016 2:23 pm

Re: DNS Flood

Fri Dec 07, 2018 9:54 pm

This image was for 1 second; the client generates that amount several times. Investigating further, I found out his CPE was "hacked". But I would like to know about this traffic before it gets worse; in this case I redirected the client to a secondary DNS.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: DNS Flood

Fri Dec 07, 2018 10:27 pm

Hi

You could rate limit access to DNS on a per-IP basis. This can be done in the firewall.

Ex:
add action=accept chain=prerouting comment="Accept: dns < limit" dst-limit=10,20,src-address/1m protocol=udp ...
add action=drop chain=prerouting comment="Drop: dns" protocol=udp ...
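To see what a dst-limit rule like this does to real clients before switching it on, here is an added Python example (not from this thread and not RouterOS code) that models the matcher as a token bucket with the same parameters, 10 packets/s with a burst of 20 per source address and a 1m expiry, and replays constructed query log lines through it. The log line format, the client addresses and the traffic pattern are assumptions made for the example, and the token bucket is an approximation of the matcher, not MikroTik's implementation.

```python
"""Offline replay of a per-source DNS rate limit.

Added example, not RouterOS code.  It models the dst-limit matcher used in
the rule above (dst-limit=10,20,src-address/1m) as a token bucket: 10
packets/s sustained, a burst of 20, one bucket per source address, and a
bucket that is forgotten after 1m without traffic.  Constructed query log
lines are replayed through it so you can see which client would hit the
drop rule before deploying the limit on real users.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from fractions import Fraction   # exact arithmetic, so the replay is deterministic


@dataclass
class Bucket:
    tokens: Fraction   # packets this source may still send before being dropped
    last: Fraction     # timestamp (seconds) of the last packet seen from it


@dataclass
class DstLimit:
    rate: Fraction                          # sustained packets per second (the "10")
    burst: int                              # bucket capacity (the "20")
    expire: Fraction                        # idle seconds before a bucket is dropped ("1m")
    buckets: dict = field(default_factory=dict)   # keyed by src-address (the classifier)

    def allow(self, src: str, now: Fraction) -> bool:
        """True if a packet from src at time `now` passes the limit (the accept rule)."""
        b = self.buckets.get(src)
        if b is None or now - b.last > self.expire:
            b = Bucket(tokens=Fraction(self.burst), last=now)   # new or expired: full burst
            self.buckets[src] = b
        # refill in proportion to the idle time, never above the burst size
        b.tokens = min(Fraction(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False                        # falls through to the drop rule


def replay(log_lines, limiter: DstLimit) -> dict:
    """Count accepted/dropped queries per source for 't=<sec> src=<ip> q=<name>' lines."""
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        passed = limiter.allow(fields["src"], Fraction(fields["t"]))
        stats[fields["src"]]["accepted" if passed else "dropped"] += 1
    return dict(stats)


def constructed_log() -> list:
    """Constructed sample traffic (not a real capture), sorted by timestamp."""
    lines = []
    # 192.168.1.10: five ordinary lookups spread over two seconds
    lines += [f"t={i * 0.4:.1f} src=192.168.1.10 q=host{i}.example" for i in range(5)]
    # 192.168.1.11: 15 queries in 0.15 s, e.g. one page pulling from many hosts
    lines += [f"t={i * 0.01:.2f} src=192.168.1.11 q=cdn{i}.example" for i in range(15)]
    # 192.168.1.20: 100 queries in one second, then five more after 100 s of silence
    lines += [f"t={i * 0.01:.2f} src=192.168.1.20 q=x{i}.example" for i in range(100)]
    lines += [f"t={100 + i * 0.1:.1f} src=192.168.1.20 q=y{i}.example" for i in range(5)]
    lines.sort(key=lambda line: Fraction(line.split()[0][2:]))
    return lines


def simulate() -> dict:
    """Replay the constructed log through the thread's parameters: 10/s, burst 20, 1m expire."""
    limiter = DstLimit(rate=Fraction(10), burst=20, expire=Fraction(60))
    return replay(constructed_log(), limiter)


if __name__ == "__main__":
    for src, s in sorted(simulate().items()):
        print(f"{src:15} accepted={s['accepted']:3} dropped={s['dropped']:3}")
```

Running it shows the two ordinary clients passing untouched, including the 15-query burst, while the client sending 100 queries per second gets 29 through in the first second (the burst of 20 plus the sustained 10/s) and the rest dropped. Feed it lines from your own DNS or firewall log and adjust the three numbers until the clients you consider normal are never dropped.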
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: DNS Flood

Fri Dec 07, 2018 11:37 pm

Jefte wrote:
This image was for 1 second; the client generates that amount several times. Investigating further, I found out his CPE was "hacked". But I would like to know about this traffic before it gets worse; in this case I redirected the client to a secondary DNS.

That's still well within the realm of normal traffic. The user could have a BitTorrent client open, for example, that is doing reverse lookups on connecting IPs. You should always be careful with setting limits, as not every user is the same and one person's outlier is another's normal traffic.

Obviously if you've determined the CPE is hacked then the discussion about DNS is moot, you should wipe and reinstall the CPE :).
 
Jefte
just joined
Topic Author
Posts: 12
Joined: Wed Apr 06, 2016 2:23 pm

Re: DNS Flood

Thu Dec 20, 2018 1:36 pm

Well, I created the following rule, and so far it's helping me by putting the IP address on a temporary blacklist.
/ip firewall mangle add chain=postrouting protocol=udp dst-port=53 connection-limit=500,32 address-list-timeout=60m action=add-src-to-address-list address-list="DNS_FLOOD" comment="DNS_FLOOD_MANGLE"
 
bazanga
just joined
Posts: 3
Joined: Sun Mar 29, 2020 12:46 pm

Re: DNS Flood

Mon Jan 04, 2021 9:41 pm

small bump


I've set up Pi-hole and use it as the DNS for my MikroTik router (RB4011) only. Clients in the LAN use 8.8.8.8 as of now.
In a matter of less than 30 min MikroTik sent more than 10000 queries.

Is this normal? I'm not allowing remote requests btw
Screenshot_2021-01-04 Pi-hole - pihole-ubuntu.png

EDIT: Solved
 
Lebzul
Member Candidate
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: DNS Flood

Tue Feb 16, 2021 3:37 am

bazanga wrote:
small bump

I've set up Pi-hole and use it as the DNS for my MikroTik router (RB4011) only. Clients in the LAN use 8.8.8.8 as of now.
In a matter of less than 30 min MikroTik sent more than 10000 queries.

Is this normal? I'm not allowing remote requests btw

EDIT: Solved

How did you solve it?
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: DNS Flood

Wed Feb 17, 2021 7:13 pm

I would look at those DNS requests in a sniffer, to see what is going on.
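One way to make sense of what a sniffer shows, as an added Python example that is not from this thread or from any MikroTik tool: it parses the question section of captured DNS query packets and summarises them per client, so a noisy source stands out by query count, number of distinct names and record type rather than by bandwidth alone. The packets, the client addresses and the helper that builds them are constructed for the example; on a real capture you would hand it the UDP payloads of port-53 packets together with their source IPs.

```python
"""Summarise DNS queries captured from a sniffer, per client.

Added example; not code from the thread or from any MikroTik tool.  Give it
the UDP payloads of port-53 packets with their source IP (for instance
exported from a capture) and it parses the question section of each query
and reports, per client, how many queries were sent, how many distinct
names were asked for, and which record types.  The packets below are
constructed inline so the script runs offline.
"""
import struct
from collections import Counter, defaultdict

QTYPE_NAMES = {1: "A", 12: "PTR", 28: "AAAA"}   # enough for the sample; others print numerically


def read_name(buf: bytes, off: int):
    """Decode the DNS name at buf[off:]; returns (name, offset just past it).
    Follows RFC 1035 compression pointers and refuses pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2                     # the caller continues after the pointer
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                           # root label terminates the name
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_query(payload: bytes):
    """Return (id, is_response, [(qname, qtype), ...]) from a DNS message's question section."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return msg_id, bool(flags & 0x8000), questions   # QR bit marks a response


def build_query(msg_id: int, name: str, qtype: int, flags: int = 0x0100) -> bytes:
    """Encode a one-question DNS message (constructed test traffic; RD set by default)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def summarise(captured) -> dict:
    """captured: iterable of (src_ip, udp_payload). Responses are skipped; only what clients ask counts."""
    per_src = defaultdict(lambda: {"queries": 0, "names": Counter(), "types": Counter()})
    for src, payload in captured:
        _, is_response, questions = parse_query(payload)
        if is_response:
            continue
        for name, qtype in questions:
            per_src[src]["queries"] += 1
            per_src[src]["names"][name] += 1
            per_src[src]["types"][qtype] += 1
    return {
        src: {
            "queries": s["queries"],
            "distinct_names": len(s["names"]),
            "top_name": s["names"].most_common(1)[0][0],
            "types": dict(s["types"]),
        }
        for src, s in per_src.items()
    }


def constructed_capture() -> list:
    """Constructed sample: one quiet client, and one doing the reverse lookups described earlier."""
    pkts = [("192.168.1.10", build_query(1, "www.example.com", 1)),
            ("192.168.1.10", build_query(2, "www.example.com", 28)),
            ("192.168.1.10", build_query(3, "mail.example.com", 1)),
            ("10.0.0.53", build_query(1, "www.example.com", 1, flags=0x8180))]   # a response, ignored
    # 40 PTR lookups for distinct peers: a client that never repeats a name but keeps asking
    pkts += [("192.168.1.20", build_query(100 + i, f"{i}.0.0.10.in-addr.arpa", 12)) for i in range(1, 41)]
    return pkts


if __name__ == "__main__":
    for src, s in sorted(summarise(constructed_capture()).items()):
        print(f"{src:15} queries={s['queries']:3} distinct={s['distinct_names']:3} "
              f"types={s['types']} top={s['top_name']}")
```

The per-client record types and distinct-name counts are what separate the cases discussed in this thread: a client whose traffic is almost all PTR lookups for different addresses looks like the reverse-lookup pattern of a peer-to-peer application, while a client repeating the same few names or asking for a large number of never-repeating names is worth a closer look at the CPE itself.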