I run DNS and NTP servers on my router. Most of my network clients use them but there are a few that use hard coded addresses. I recently added dst-nat rules to redirect DNS and NTP requests to the servers on the router. Since then, my default drop rule for the input chain has been logging lots of external attempts to access the servers on the router. They are usually UDP protocol but there have been a few TCP SYN attempts, even for NTP. I have investigated some of the source addresses and found them on some blacklists. Can someone explain why adding the dst-nat rules caused these server access attempts to start happening? Have I had a security issue until now?

I can only speculate without seeing your configuration, but I’d guess you neglected to specify a direction on the dstnat rules, so they affected both directions, input and output.

In normal use, these are single-packet UDP protocols — one in each direction, request and reply — so there are parts of your firewall that don’t come into play like TCP conntracking. That may have left you exposed, if you were depending on that to protect you for UDP as well.

You probably mean the same, but I wouldn't use "direction", because to me it's confusing term, all dstnat rules are for "input" or incoming packets to router (with one very special exception). But yes, dstnat rules need to be limited. E.g. if there's:
It will catch DNS requests coming from everywhere. It should be something like:

Good explanations. I have change the dst-nat rules to only apply to not-WAN input. There are rules for both TCP and UDP, Thanks.

Hi!

Sorry to latch on this thread, but wanted to expand on the above with an additional question:

What if I want to catch clients using other dns servers only?

I run my mikrotik as dns catching server. Would like to catch all other requests and redirect/server from the device. However, most clients are already using it, so don't want to catch all unnecessarily.

Would I only need:

ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=53 protocol=udp dst-address=!192.168.0.1 in-interface=bridge dst-port=53
ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.1 to-ports=53 protocol=tcp dst-address=!192.168.0.1 in-interface=bridge dst-port=53

Or also add a masquerade rule? Looks like the masquerade rule would catch all.

Any suggestions most welcome! Thanks!

I think what you have would work. I was only interested in catching those that were not using the router DNS. I probably catch all DNS access, but I don't think that really matters. I did it a little different in that I did not use !dst-address as a test. I used !intrface list (I had WAN defined). I could have also used !in interface (ether1). Don't forget about analogous rules for IPv6 Firewall NAT if you are advertising the router DNS to the IPv6 clients. Clients could be using external IPv6 DNS servers as well as IPv4 servers.