Exposed DNS service – (Risk of DNS amplification attack)

If you have been directed to this page, it means that we have detected that your MikroTik router’s DNS server is open to the Internet: it answers DNS queries from any address, so it can be used as a reflector in a DNS amplification attack (an attacker sends small queries with a spoofed source address and your router sends much larger replies to the victim).

Our systems automatically disable your Enforcer when this issue is detected. Please remedy the issue before enabling the Enforcer again.

To remedy this, block the Internet from reaching the DNS service on the MikroTik router, using the router’s own firewall. The router answers outside queries because its DNS client has “Allow Remote Requests” enabled (needed so your LAN devices can use the router as their resolver), so the correct fix is to filter port 53 on the Internet-facing interface rather than to turn the resolver off.

Below is an example of the firewall rules you need to apply to prevent the Internet from reaching your MikroTik DNS server.

Script (terminal), if ether1 is your Internet-facing port:

# Block new inbound DNS connections arriving from the Internet (UDP and TCP).
# dst-port=53 matches only queries aimed at the router; replies to the
# router's own upstream lookups (source port 53) are not matched.
/ip firewall filter add chain=input action=reject connection-state=new in-interface=ether1 dst-port=53 protocol=udp comment="Block DNS from Internet (UDP)"
/ip firewall filter add chain=input action=reject connection-state=new in-interface=ether1 dst-port=53 protocol=tcp comment="Block DNS from Internet (TCP)"


Via Winbox, if ether1 is your Internet-facing port: add the same two rules under IP > Firewall > Filter Rules (chain: input, protocol: udp and tcp respectively, dst. port: 53, in. interface: ether1, connection state: new, action: reject).

Place these rules above all the other filter rules; a rule higher in the list that accepts the traffic would otherwise take precedence. Be sure to change ether1 to your Internet-facing interface. Using action drop instead of reject is also fine: drop sends nothing back to the (often spoofed) source address, whereas reject answers with an ICMP message.

Your Enforcer profile has been disabled in the meantime. Once you have resolved the situation, you can reactivate your Enforcer via the MikroTik Reseller portal:

  • Log into the MikroTik Reseller portal
  • Locate the Enforcer profile in question
  • Click ‘Edit Config’ on the profile
  • In the footer of the page, click “Enable Device” and confirm the action
  • All services will then be restored to the Enforcer