Saturday, July 10, 2021

Mikrotik Block Outside DNS Request

We can configure a DNS server on the Mikrotik router. Mikrotik can provide DNS service to LAN users as well as to outside users over the internet connection. Providing DNS service to internal users through the router is very common, but it is not wise to let the router act as an open resolver for outside users over the internet. So we want the Mikrotik router to provide DNS service only to internal users, not to outside users, which means we have to block DNS requests coming from outside.

In this tutorial, we are going to learn how to block DNS requests arriving on the WAN interface. DNS requests that come in on the WAN interface will be dropped by the router.

We will use the "Winbox" tool to configure the Mikrotik router and go through the process step by step.

First of all, we have to configure the Mikrotik router to provide DNS service. As soon as the DNS server is enabled, the router starts answering all DNS requests. No matter which interface a DNS request comes in on, the router will reply to it.

To open the DNS configuration page, click on "IP" and then on the "DNS" button.

After opening the DNS configuration page, enter your forwarder DNS address or the ISP's DNS address in the "Servers" field. We assume that our ISP's DNS address is 45.45.45.45. Then enable the "Allow Remote Requests" feature by ticking its check box. Leave the rest at the defaults.

After clicking the "Apply" and "OK" buttons, our internal (local) users get DNS service from this router. Now we will use a firewall rule to block all DNS requests that arrive on the WAN interface. We assume that our WAN interface is "Ether-1". We will create a filter rule that drops DNS queries coming in from the WAN interface.

To create a new rule, open the firewall window. Navigate to the "Filter Rules" tab and click on the add (+) sign to add a new rule.

Navigate to the "General" tab. Set the "Chain" field to "input", the "Protocol" field to "UDP" and the "Dst. Port" field to "53". Set the "In. Interface" field to "Ether-1", because we assume that our WAN interface is "Ether-1".

Now navigate to the "Action" tab and select "drop" as the "Action" field value.

That's it. From now on the Mikrotik router will answer DNS queries only from internal users, not from external or outside users.
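The same configuration entered in the RouterOS terminal instead of Winbox, as an added example that is not part of the original post. It uses the tutorial's assumed values (ISP resolver 45.45.45.45, WAN interface "Ether-1") and also adds a TCP/53 rule, which the Winbox steps above do not include, because the router answers DNS over TCP as well.

```routeros
# Added example: the Winbox steps above as RouterOS terminal commands.
# Assumed values taken from the tutorial: resolver 45.45.45.45, WAN = Ether-1.

# Step 1: enable the router's DNS service and let it answer clients
# (this is the "Allow Remote Requests" check box).
/ip dns set servers=45.45.45.45 allow-remote-requests=yes

# Step 2: drop DNS queries that arrive on the WAN interface.
# chain=input matches traffic addressed to the router itself.
# place-before=0 puts the rule at the top of the filter list, so an
# earlier generic "accept" rule cannot match the query first.
/ip firewall filter add chain=input in-interface=Ether-1 protocol=udp \
    dst-port=53 action=drop place-before=0 \
    comment="drop DNS/UDP queries from WAN"

# Not in the original steps: DNS also runs over TCP/53 (large answers,
# retries after truncation), and the router answers those as well.
/ip firewall filter add chain=input in-interface=Ether-1 protocol=tcp \
    dst-port=53 action=drop place-before=0 \
    comment="drop DNS/TCP queries from WAN"

# Verify: the packet/byte counters of both rules should grow when a
# query reaches the WAN side, while LAN clients keep resolving normally.
/ip firewall filter print stats where comment~"DNS"
```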
