To download this as a text file use this link: MikroTik DNS Attack Prevention Rev 4.0 (Firewall Filter)
###################################################################################################
# Rick Frey’s MikroTik DNS Attack Prevention Rev 4.0 #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. This script may #
# not be sold! #
########################################################################################################
# Features # #
# -Mitigates DNS based attack on your MikroTik router #
#########################################################################################################
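############################################################################################################################
#### Remove any private subnets that you are not using. Ensure that your LAN subnet is listed here.                       ##
#### Every source in this list is exempted from the DNS_DDoS blacklisting in the filter rules below, so list only        ##
#### address space that is actually yours. Quotes must be plain ASCII (") or the import fails.                            ##
############################################################################################################################
/ip firewall address-list
add address=10.0.0.0/8 list="LAN Addresses (RFC1918)"
add address=172.16.0.0/12 list="LAN Addresses (RFC1918)"
add address=192.168.0.0/16 list="LAN Addresses (RFC1918)"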
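############################################################################################################################
#### Add your DNS servers to the "DNS Servers" list. Remove any DNS servers you are not using for your network.           ##
#### The output and forward rules below permit UDP/53 only towards addresses in this list, so the resolvers configured   ##
#### under /ip dns and every resolver your LAN clients use must appear here or their queries will be dropped.             ##
#### Quotes must be plain ASCII (") or the import fails.                                                                  ##
############################################################################################################################
/ip firewall address-list
add address=8.8.8.8 comment=Google list="DNS Servers"
add address=8.8.4.4 comment=Google list="DNS Servers"
add address=4.2.2.1 comment="Level 3" list="DNS Servers"
add address=4.2.2.2 comment="Level 3" list="DNS Servers"
add address=208.67.222.222 comment=OpenDNS list="DNS Servers"
add address=208.67.220.220 comment=OpenDNS list="DNS Servers"
add address=1.1.1.1 comment=Cloudflare list="DNS Servers"
add address=1.0.0.1 comment=Cloudflare list="DNS Servers"
add address=4.2.2.3 comment="Level 3" list="DNS Servers"
add address=4.2.2.4 comment="Level 3" list="DNS Servers"
add address=4.2.2.5 comment="Level 3" list="DNS Servers"
add address=4.2.2.6 comment="Level 3" list="DNS Servers"
add address=45.90.28.225 comment=NextDNS list="DNS Servers"
add address=45.90.30.225 comment=NextDNS list="DNS Servers"
# A host-name entry only works if the router can resolve it, and with the output rules below that lookup itself has to
# go to one of the numeric servers listed here. Replace the profile-specific name with your own NextDNS name if you use it.
add address=948953.dns.nextdns.io comment=NextDNS list="DNS Servers"
add address=188.94.192.215 comment=FlastStart list="DNS Servers"
add address=45.76.84.187 comment=FlastStart list="DNS Servers"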
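/ip firewall filter
# ---- Router itself as the DNS target (input chain) ---------------------------------------------------------------------
# Only UDP/53 is diverted into DNS_INPUT; DNS over TCP (53/tcp) is not matched by any rule in this script and is left to
# the rest of your input chain.
# log=yes records every inbound UDP/53 packet that reaches this jump, legitimate LAN queries included. During a flood
# this fills the log; once the chain is verified set log=no, or add a log-prefix so the entries can be filtered.
add action=jump chain=input comment="Jump to DNS_INPUT Chain" dst-port=53 jump-target=DNS_INPUT log=yes protocol=udp
add action=accept chain=DNS_INPUT comment="Make exceptions for LAN DNS inquiries" port=53 protocol=udp src-address-list="LAN Addresses (RFC1918)"
# Everything still in this chain is a non-LAN source, because the accept rule above terminates processing for every
# LAN source. The original negated list match ("!LAN Addresses (RFC1918)") was therefore redundant and is dropped;
# keep these two rules in this order.
# none-dynamic adds a dynamic entry with no timeout, so an offender stays listed until the router reboots. UDP source
# addresses can be forged, so an entry may belong to a third party rather than the real sender; together with the
# forward drop at the end of this script that blocks all traffic to such an address. Consider a finite
# address-list-timeout (for example 1d) if that collateral blocking is a concern for you.
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=none-dynamic chain=DNS_INPUT comment="Add other DNS inquriries to DNS_DDoS Offenders List" port=53 protocol=udp
add action=drop chain=DNS_INPUT comment="Drop Traffic Sourced from DNS_DDoS Offenders" src-address-list=DNS_DDoS
add action=return chain=DNS_INPUT comment="Return from DNS_INPUT Chain"
# ---- The router's own DNS queries (output chain) -----------------------------------------------------------------------
# Anything the router sends to UDP/53 that is not addressed to a "DNS Servers" entry is dropped, so the servers under
# /ip dns must be in that list.
add action=jump chain=output comment="Jump to DNS_OUTPUT Chain" dst-port=53 jump-target=DNS_OUTPUT protocol=udp
add action=accept chain=DNS_OUTPUT comment="Make Exceptions for Traffic to the DNS Servers" dst-address-list="DNS Servers" dst-port=53 protocol=udp
add action=drop chain=DNS_OUTPUT comment="Drop All Other Out Bound DNS Traffic" dst-port=53 protocol=udp
add action=return chain=DNS_OUTPUT comment="Return from DNS_OUTPUT Chain"
# ---- Transit DNS between LAN and the DNS servers (forward chain) -------------------------------------------------------
# The jump has no matcher, so every forwarded packet passes through DNS_FORWARD. Only UDP port 53 is acted on; any other
# packet reaches the end of the chain and returns to the forward chain unchanged.
add action=jump chain=forward comment="Jump to DNS_FORWARD Chain" jump-target=DNS_FORWARD
add action=accept chain=DNS_FORWARD comment="Make Exceptions for Traffic from the DNS Servers going to the LAN" dst-address-list="LAN Addresses (RFC1918)" port=53 protocol=udp src-address-list="DNS Servers"
add action=accept chain=DNS_FORWARD comment="Make Exceptions for Traffic from the LAN going to the DNS Servers" dst-address-list="DNS Servers" port=53 protocol=udp src-address-list="LAN Addresses (RFC1918)"
add action=drop chain=DNS_FORWARD comment="Drop All Other DNS Traffic" port=53 protocol=udp
# Blocks forwarded traffic of every protocol, not only DNS, to any address currently on DNS_DDoS.
add action=drop chain=forward comment="Drop Traffic to DNS DNS_DDoS Offenders" dst-address-list=DNS_DDoS
/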
Hi Ricky,
Please, I just want to clarify something about these firewall rules: "#### Add your DNS servers to the DNS_Accept list. Remove and DNS servers you are not using for your network. ##"
I'm only using Google DNS; does that mean I should delete the rest of the DNS servers from this firewall?