
DNS Amplification attack

Posted: Mon Jul 29, 2013 10:24 pm
by jonmansey
I recommend dropping incoming DNS requests from the internet unless specifically required. There are huge active DNS amplification attacks going on, and MikroTik is kinda vulnerable when it runs the DNS proxy with "allow remote requests" checked.

Typical symptoms to look out for would be CPU pegged at 100% and higher than normal packet rates and outbound traffic on Internet links.

Here is the CERT alert: http://www.us-cert.gov/ncas/alerts/TA13-088A

Jon

Re: DNS Amplification attack

Posted: Tue Jul 30, 2013 2:34 pm
by CelticComms
The problem is not configuring DNS with "allow remote requests" selected - the problem is not installing appropriate input filters!

If the device is internet-facing and acting as a firewall, then it should have drop-all rules in both the input chain and the forward chain, and thus should only be responding to externally sourced DNS requests if those requests have been explicitly permitted in the input chain.

If the filter settings are allowing the device to be vulnerable to a DNS amplification attack, then there is a good chance it has a host of other vulnerabilities too!

Re: DNS Amplification attack

Posted: Mon Aug 05, 2013 2:28 am
by dinopio
I have been trying to block this attack with no luck; as soon as I press "allow remote requests" for the DNS to work on the MikroTik, the attack is back.

Can someone post a tested input chain for blocking all remote DNS requests without breaking local DNS resolution? (I'm using Google's DNS as the server on the MikroTik.)

Re: DNS Amplification attack

Posted: Mon Aug 05, 2013 4:10 am
by jonmansey
/ip firewall filter add chain=input protocol=udp dst-port=53 action=drop

Re: DNS Amplification attack

Posted: Mon Aug 05, 2013 6:00 am
by rkau045
You probably should add another rule identical to the one above with proto=tcp as well, since many implementations will respond to either protocol.

Re: DNS Amplification attack

Posted: Mon Aug 05, 2013 9:13 am
by AlArenal
So the corrected version would look like this, if your WAN interface is called wan-1. Don't forget to put specific deny rules before your allow rules in the chain.

/ip firewall filter add chain=input in-interface=wan-1 protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=wan-1 protocol=tcp dst-port=53 action=drop
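Putting the thread's pieces together (jonmansey's symptoms, CelticComms' point about a default-drop input chain, AlArenal's two drop rules), here is an added RouterOS example of a complete input chain for this situation. It is not code from any of the posters; it assumes the WAN interface is named wan-1 as in the post above, that the LAN is the MikroTik default 192.168.88.0/24, and that the router forwards to Google's resolvers as dinopio describes. The DNS drop rules log with a prefix so the symptom can be confirmed from the router's own log and rule counters rather than guessed from CPU load.

```routeros
# Added example, not from the original thread. Assumptions: WAN interface "wan-1",
# LAN subnet 192.168.88.0/24 (adjust to your network), upstream resolvers 8.8.8.8/8.8.4.4.

# The DNS proxy itself may stay enabled; the input chain decides who can reach it.
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Address list for the hosts that are allowed to use the router as a resolver.
/ip firewall address-list add list=lan address=192.168.88.0/24 comment="local clients"

# 1. Replies to the router's own queries (including its upstream DNS lookups)
#    match established/related, so they are accepted before any DNS drop rule.
/ip firewall filter add chain=input connection-state=established,related action=accept \
    comment="replies to router-originated traffic"
/ip firewall filter add chain=input connection-state=invalid action=drop

# 2. Specific deny rules come BEFORE the allow rules: new DNS requests arriving
#    on the WAN are dropped on both UDP and TCP, and logged for confirmation.
/ip firewall filter add chain=input in-interface=wan-1 protocol=udp dst-port=53 \
    action=drop log=yes log-prefix="dns-wan-drop" comment="block DNS amplification abuse"
/ip firewall filter add chain=input in-interface=wan-1 protocol=tcp dst-port=53 \
    action=drop log=yes log-prefix="dns-wan-drop" comment="block DNS amplification abuse"

# 3. Local clients may query the router's DNS proxy.
/ip firewall filter add chain=input src-address-list=lan protocol=udp dst-port=53 action=accept
/ip firewall filter add chain=input src-address-list=lan protocol=tcp dst-port=53 action=accept

# 4. Default drop for everything else that arrives on the WAN, so any service
#    not explicitly permitted above (not just DNS) is unreachable from outside.
/ip firewall filter add chain=input in-interface=wan-1 action=drop comment="default drop from WAN"

# Verification: rule packet/byte counters show whether WAN DNS traffic is still
# arriving, and the log shows the sources being dropped.
/ip firewall filter print stats
/log print where message~"dns-wan-drop"
```

Once the counters and log confirm the drops are working, the log=yes on the two DNS rules can be turned off (`/ip firewall filter set [find log-prefix="dns-wan-drop"] log=no`), since during an active flood the logging itself adds load to an already busy CPU. The same WAN-side DNS drop should be mirrored in the forward chain if any host behind the router runs its own resolver.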