A noticeable amount of traffic per day hits the router's port 53/udp. I have already read about DNS amplification DDoS.

For now I have created rules that simply drop all traffic on port 53, but perhaps this is the wrong decision. Please advise how best to organize the filtering, and whether this traffic is needed for the router to operate at all.

UPD: there is a web server behind the router.

    1 answer

    First, I want to say thank you for the question - it is really good.

    Secondly, I will answer.

    This problem occurs because Allow remote requests is enabled.

    If you turn it off, the Mikrotik stops working as a DNS server. The situation is that your Mikrotik was incorrectly configured from the start. A router facing the Internet should not be open by default. But this is a question not so much for Mikrotik itself (the default configuration there is quite reasonable) as for whoever set it up. That is, to summarize:

    1. If DNS is not needed, disable this checkbox.
    2. If the firewall is closed by default, then we allow only the services we need and everything is fine.
    3. If the firewall is open to everything by default, then you need to close the DNS service from the outside.
    • Oh, thanks for the detailed answer! No, the DNS service is not needed. In the default configuration Mikrotik blocks a lot of things; I just opened DNS at the same time as the necessary services, and only afterwards learned about the 53/UDP problem. In principle, the decision to simply drop it is right for the moment. Still, it would probably be more elegant to allow incoming traffic to this port only from trusted addresses? The list of trusted addresses would include the root DNS servers, their mirrors and the provider's DNS. - while1pass
    • Let's just say the DNS in Mikrotik is not quite full-featured. It is no BIND, after all. For example, in Mikrotik you can only create A records. So its use case is caching queries for internal network users. Otherwise, of course, it is better to set up a separate machine with DNS and forward the ports to it. A whitelist in the firewall is also a fairly elegant solution. That is how we protected SSH, WWW and WinBox access to the router's configuration from the outside. By the way, I highly recommend disabling the MAC Server on the WAN interface... - gecube
    • Thanks. Yes, the MAC server is turned off on the external interface. - while1pass
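An added RouterOS CLI example (not from the original post or its authors) that puts the answer's options and the comments' whitelist idea together: remote DNS requests are switched off, the input chain on the WAN side drops UDP/53 after logging it, management is allowed only from a trusted address list, the published web server stays reachable through the forward chain, and MAC-server discovery is confined to the LAN. It assumes the default "WAN"/"LAN" interface lists of a recent RouterOS default configuration; the 192.0.2.0/24 addresses and the `mgmt-trusted` list name are constructed placeholders.

```routeros
# Added example (RouterOS CLI), not from the original post or its authors.
# Assumes the default "WAN"/"LAN" interface lists; 192.0.2.x addresses are placeholders.

# Option 1 from the answer: the router no longer answers DNS at all.
# Skip this line if LAN clients should keep using the router as a DNS cache.
/ip dns set allow-remote-requests=no

# Whitelist variant from the comments: management only from trusted addresses.
/ip firewall address-list
add list=mgmt-trusted address=192.0.2.10 comment="admin host (placeholder)"

# Option 3 from the answer: whatever the resolver does, it is closed on WAN.
/ip firewall filter
# Replies to the router's OWN upstream queries arrive as established/related,
# so dropping NEW inbound dst-port 53 does not break the router's resolver.
add chain=input connection-state=established,related action=accept comment="replies to the router's own queries"
add chain=input connection-state=invalid action=drop
add chain=input in-interface-list=LAN action=accept comment="LAN may use the DNS cache, WinBox, etc."
add chain=input in-interface-list=WAN protocol=icmp action=accept
add chain=input in-interface-list=WAN src-address-list=mgmt-trusted protocol=tcp dst-port=22,8291 action=accept comment="SSH/WinBox from whitelist only"
# Keep visibility on amplification attempts before they are dropped.
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=log log-prefix="dns-wan-drop"
add chain=input in-interface-list=WAN action=drop comment="default deny on WAN"

# The web server behind the router is published via dst-nat; that traffic
# traverses the forward chain and is unaffected by the input rules above.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept comment="published web server"
add chain=forward in-interface-list=WAN action=drop

# From the comments: no MAC-server / MAC-WinBox discovery on the WAN side.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
```

After applying, `/log print where message~"dns-wan-drop"` shows how much UDP/53 the WAN side is still receiving, which is the measure of whether the router is still being used as a reflector.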