Exposed DNS service – (Risk of DNS amplification attack)

If you have been directed to this page, it means that we have detected that your MikroTik router’s DNS server is open to the Internet, and your MikroTik router can be used in a DNS amplification attack.

Our systems automatically disable your Enforcer when this issue is detected, and you are requested to remedy the issue before enabling the Enforcer again.

To remedy this issue, block the Internet from reaching the MikroTik router’s DNS service using the firewall on that router.

Below is an example of the firewall rules you need to apply to prevent the Internet from accessing your MikroTik DNS server.

Script, if ether1 is your Internet facing port:

/ip firewall filter add chain=input action=reject connection-state=new in-interface=ether1 port=53 protocol=udp comment="Block new DNS/UDP requests from the Internet to the router itself"
/ip firewall filter add chain=forward action=reject connection-state=new in-interface=ether1 port=53 protocol=udp comment="Block new DNS/UDP requests from the Internet passing through the router"
/ip firewall filter add chain=input action=reject connection-state=new in-interface=ether1 port=53 protocol=tcp comment="Block new DNS/TCP requests from the Internet to the router itself"
/ip firewall filter add chain=forward action=reject connection-state=new in-interface=ether1 port=53 protocol=tcp comment="Block new DNS/TCP requests from the Internet passing through the router"

Via Winbox, if ether1 is your Internet facing port:

Place the above rules above all the other filter rules, so they are matched before any rule that would accept the traffic. Be sure to change ether1 to your Internet facing interface.

We also recommend that you review the lvcloud DNS intercept rule under Firewall, NAT, and ensure it only redirects DNS requests originating from your own network (for example the LAN interface list, or your local network ranges) to the DNS server.

Here is the link to the Open Resolver test.

Your Enforcer profile has been disabled in the meantime. Once you have resolved the situation, please feel free to reactivate your Enforcer via the LucidView MikroTik portal (scroll down for the tutorial).


Testing whether your DNS is visible to the Internet

Step 1

Get your public IP address, either by performing a lookup (see image on the right)

OR

by checking the address on RouterOS.

Step 2

Perform a host lookup from a location outside your network against your RouterOS public IP.

host <domain> <public IP>

or

nslookup
server <public IP>
<host>
If the lookup returns a valid answer, the MikroTik DNS server is visible to the Internet. In the example provided it is clear the DNS port is open to the Internet. A correctly firewalled router returns no DNS result.
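The following shell script is an added example (not part of the original page, and not LucidView or MikroTik code) that automates Step 2: it runs the same host lookup over both UDP and TCP against your router's public IP from an outside location and classifies the outcome. It assumes the `host` utility (bind-utils / bind9-host) and coreutils `timeout` are installed; the public IP and the name to look up are supplied as arguments, and the sample outputs used in the comments are constructed.

```shell
#!/bin/sh
# Added example: probe a MikroTik router's public IP from OUTSIDE its network
# and report whether it still answers DNS. Assumes `host` and `timeout` exist.

# classify_probe STATUS OUTPUT
#   STATUS is the exit code of `host`, OUTPUT its combined stdout/stderr.
#   Prints EXPOSED (a resolver answered), REFUSED (port open, recursion refused),
#   CLOSED (nothing reachable on port 53) or UNKNOWN.
classify_probe() {
    status="$1"
    output="$2"
    case "$output" in
        *"timed out"*|*"no servers could be reached"*|*"onnection refused"*)
            echo CLOSED ;;       # e.g. ";; connection timed out; no servers could be reached"
        *"REFUSED"*)
            echo REFUSED ;;      # e.g. "Host example.com not found: 5(REFUSED)"
        *"has address"*|*"has IPv6 address"*|*"mail is handled by"*|*"not found:"*)
            echo EXPOSED ;;      # any answer, even NXDOMAIN, proves a resolver is listening
        *)
            # Fall back on the exit status for output we do not recognise.
            if [ "$status" -eq 0 ]; then echo EXPOSED; else echo UNKNOWN; fi ;;
    esac
}

# probe_router PUBLIC_IP [NAME]
#   Looks NAME up against PUBLIC_IP over UDP and TCP (the firewall rules on this
#   page block both) and prints one classification per transport.
probe_router() {
    public_ip="$1"
    name="${2:-example.com}"     # a public name the router has no reason to serve
    for mode in udp tcp; do
        if [ "$mode" = tcp ]; then flag=-T; else flag=""; fi
        # -W 3 caps the per-query wait; timeout guards against a hung resolver.
        out=$(timeout 5 host -W 3 $flag "$name" "$public_ip" 2>&1)
        status=$?
        printf '%s: %s\n' "$mode" "$(classify_probe "$status" "$out")"
    done
}

# Usage: sh probe.sh <public IP> [name]
# Only performs a live probe when an IP is given, so the functions can be sourced safely.
if [ "$#" -ge 1 ]; then
    probe_router "$1" "${2:-example.com}"
fi
```

Run it from a host that is not behind the router in question; the expected result after applying the firewall rules is `udp: CLOSED` and `tcp: CLOSED`. `REFUSED` means port 53 is still reachable from the Internet even though recursion was denied, which is still worth fixing with the rules above.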

Example of DNS ports not responding from the Internet.


Once you have confirmed that the DNS is NOT visible to the Internet, you can safely re-enable the Enforcer. See instructions below:

Re-activating your Enforcer profile

  • Log in to your MikroTik Enforcer profile
  • Locate the Enforcer profile in question
  • Click ‘Edit Config’ for the profile
  • In the footer of the page, click “Enable Device” and confirm the action
  • All services will be restored to the Enforcer