Protecting your Mikrotik from DNS Amplification

There are several reasons and benefits to using your Mikrotik as a DNS caching server.  Queries to the client are just a tad faster, which makes the overall user experience seem snappier.  It also allows you to quickly change upstream DNS servers in the even of an outage, attack, etc.

There are two main avenues to think about when protecting Mikrotik from DNS.

The first is the incoming port 53 requests to the router.  You only want your customers to have access to query the Mikrotik.  In a simple scenario we have this:.


ether1 is our upstream ISP connection.  Customers are other ports.  In this case if we want to block all port 53 requests from the outside world we specify the WAN interface to drop in the following code:

/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

This will still allow your Mikrotik to send out DNS queries because they are sourced from a non reserved port. We are simply blocking the Mikrotik from not answering port 53 requests on the external interface.

In a later post we will talk about what to do if you have multiple wan interfaces or multiple exit paths on your router (say running OSPF)

Post Show Specials

MTIN is offering some post WISPAPALOOZA specials

-Dude monitoring Instance. Bring up your own external Dude service for monitoring your network.
$20 a month with a free setup ($400 value)

-Hosted Spam Filtering for 1 domain $12 per month. 99.99% accurate

-Backup DNS Services $10 per month.

These specials are good until Halloween. After that they expire.

Most Popular Services

I was recently asked what some of our most popular services we offer to clients are.  The following are the top ones that come to mind

1.Converting bridged networks to routed
2.Remote Monitoring from our Data Centers. This allows a client to be notified in case they lose connectivity to the outside world.
3.Backend automation.  Implementing radius, monitoring links, and other things to give the ISP more information
4.Data Center services such as DNS hosting, circuit termination, and bandwidth.
5.Mikrotik configuration and support