Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

HEX s as DNS

Wed Jul 29, 2020 6:52 pm

Hey
I am facing some issues using the hEX S as DNS. Suddenly it stopped working... what can be the issue?
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: HEX s as DNS  [SOLVED]

Wed Jul 29, 2020 7:02 pm

Found the solution, I think :)
In Winbox, under IP -> DNS, ensure that the "Allow Remote Requests" box is checked; that should be the first step. Then under IP -> DHCP Server -> Networks, check the configuration so that the DNS server is set to the IP of the router board, and also specify a domain suffix (e.g. Home.local).
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: HEX s as DNS

Wed Jul 29, 2020 9:26 pm

I also needed to allow DNS in the firewall:
[admin@MikroTik] /ip firewall filter> add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
[admin@MikroTik] /ip firewall filter> add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
 
 
pe1chl
Forum Guru
Posts: 10534
Joined: Mon Jun 08, 2015 12:09 pm

Re: HEX s as DNS

Wed Jul 29, 2020 9:28 pm

That is correct, but MAKE SURE that you have a CORRECT FIREWALL set up!
The default firewall is OK. When you have changed it (maybe following some bad advice from YouTube), it can be that your DNS service is reachable from the internet.
If so, you are going to be in big trouble soon. Fix it before it is too late.
Edit: I see you are already fiddling with the firewall. That should not be required to get it working. Please show your entire firewall config.
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: HEX s as DNS

Wed Jul 29, 2020 10:09 pm

I have checked DNS queries from the WAN, which aren't working, so it probably looks OK.
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: HEX s as DNS

Wed Jul 29, 2020 10:14 pm

See attached
# jul/29/2020 22:16:14 by RouterOS 6.47

/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=add-src-to-address-list address-list=port:X000 \
    address-list-timeout=1d chain=input comment=\
    "Allow port known for port X000 and then X080 from secure addresses" \
    dst-port=X000 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=\
    1d chain=input dst-port=X080 protocol=tcp src-address-list=port:X000
add action=add-src-to-address-list address-list-timeout=none-static chain=\
    input src-address-list=secure
add action=accept chain=input src-address-list=secure
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input

 
pe1chl
Forum Guru
Posts: 10534
Joined: Mon Jun 08, 2015 12:09 pm

Re: HEX s as DNS

Wed Jul 29, 2020 10:29 pm

OK, you apparently have implemented some form of "port knocking" to access the router, and therefore it does not accept the DNS queries without those additional rules. It would be better to place them lower in the chain, after the established/related rules.
And also I think it is not a good idea to allow external access using such a mechanism. It is not secure against port scanners.
When you want to use it on your LAN (to guard against LAN users trying to peek in your router), it may be fine. For the internet it is better to just not allow external access to the config interface, or at least use a VPN.
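An added check built around pe1chl's two points (example code written for this thread, not from the forum or from MikroTik): it parses a RouterOS /ip firewall filter export, joining the backslash line continuations the export uses, and flags input-chain port-53 accepts that are not limited to LAN (an open resolver) or that sit above the established/related accept. The sample export is constructed from the rule order shown in the thread and is not a real router's config.

```python
import shlex

# Constructed sample (not a real router's export): the thread's rule order, with the
# RouterOS "\" line continuations that an export produces and the DNS accepts placed first.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input
"""

def parse_export(text):
    """Join backslash-continued lines as RouterOS does on import, then split each
    'add key=value ...' line into a dict (shlex keeps quoted comments whole)."""
    rules, cur = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            cur += piece[:-1]           # drop the backslash, keep any space before it
            continue
        line = cur + piece
        cur = ""
        if line.startswith("add "):     # skips the '/ip firewall filter' header
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return rules

def audit_dns_rules(rules):
    """Flag input-chain accepts for port 53 that are not LAN-limited (open resolver)
    or that sit above the established/related accept (the ordering point above)."""
    inp = [r for r in rules if r.get("chain") == "input"]
    est = next((i for i, r in enumerate(inp) if r.get("action") == "accept"
                and "established" in r.get("connection-state", "")), None)
    findings = []
    for i, r in enumerate(inp):
        if r.get("action") != "accept" or r.get("dst-port") != "53":
            continue
        lan_only = r.get("in-interface-list") == "LAN" or any(k.startswith("src-address") for k in r)
        if not lan_only:
            findings.append(f"input rule {i}: DNS accept not limited to LAN (open resolver)")
        if est is not None and i < est:
            findings.append(f"input rule {i}: DNS accept placed above established/related rule")
    return findings
```

Run `audit_dns_rules(parse_export(open("export.rsc").read()))` on a real `/export` to get the same findings for your own rules.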
 
Shy
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jun 13, 2020 8:17 am

Re: HEX s as DNS

Thu Jul 30, 2020 3:11 pm

Totally, that's what I did...
Thanks much for your reply.