The Next Generation of Networking Now – 1-430-236-5829

MikroTik DNS Attack Prevention Rev 4.0 (Firewall Filter)

This entry was posted in MikroTik on January 23, 2020 by rickfrey1000

To download this as a text file use this link: MikroTik DNS Attack Prevention Rev 4.0 (Firewall Filter)

###################################################################################################
# Rick Frey’s MikroTik DNS Attack Prevention Rev 4.0 #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. This script may #
# not be sold! #
########################################################################################################
# Features # #
# -Mitigates DNS based attack on your MikroTik router #
#########################################################################################################

############################################################################################################################
#### Remove any private subnets that you are not using. Ensure that your LAN subnet is listed here. ##
############################################################################################################################
/ip firewall address-list
add address=10.0.0.0/8 list=”LAN Addresses (RFC1918)”
add address=172.16.0.0/12 list=”LAN Addresses (RFC1918)”
add address=192.168.0.0/16 list=”LAN Addresses (RFC1918)”

############################################################################################################################
#### Add your DNS servers to the DNS_Accept list. Remove and DNS servers you are not using for your network. ##
############################################################################################################################

/ip firewall address-list
add address=8.8.8.8 comment=Google list=”DNS Servers”
add address=8.8.4.4 comment=Google list=”DNS Servers”
add address=4.2.2.1 comment=”Level 3″ list=”DNS Servers”
add address=4.2.2.2 comment=”Level 3″ list=”DNS Servers”
add address=208.67.222.222 comment=OpenDNS list=”DNS Servers”
add address=208.67.220.220 comment=OpenDNS list=”DNS Servers”
add address=1.1.1.1 comment=Cloudflare list=”DNS Servers”
add address=1.0.0.1 comment=Cloudflare list=”DNS Servers”
add address=4.2.2.3 comment=”Level 3″ list=”DNS Servers”
add address=4.2.2.4 comment=”Level 3″ list=”DNS Servers”
add address=4.2.2.5 comment=”Level 3″ list=”DNS Servers”
add address=4.2.2.6 comment=”Level 3″ list=”DNS Servers”
add address=45.90.28.225 comment=NextDNS list=”DNS Servers”
add address=45.90.30.225 comment=NextDNS list=”DNS Servers”
add address=948953.dns.nextdns.io comment=NextDNS list=”DNS Servers”
add address=188.94.192.215 comment=FlastStart list=”DNS Servers”
add address=45.76.84.187 comment=FlastStart list=”DNS Servers”

/ip firewall filter
add action=jump chain=input comment=”Jump to DNS_INPUT Chain” dst-port=53 jump-target=DNS_INPUT log=yes protocol=udp
add action=accept chain=DNS_INPUT comment=”Make exceptions for LAN DNS inquiries” port=53 protocol=udp src-address-list=”LAN Addresses (RFC1918)”
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=none-dynamic chain=DNS_INPUT comment=”Add other DNS inquriries to DNS_DDoS Offenders List” port=53 protocol=udp \
src-address-list=”!LAN Addresses (RFC1918)”
add action=drop chain=DNS_INPUT comment=”Drop Traffic Sourced from DNS_DDoS Offenders” src-address-list=DNS_DDoS
add action=return chain=DNS_INPUT comment=”Return from DNS_INPUT Chain”
add action=jump chain=output comment=”Jump to DNS_OUTPUT Chain” dst-port=53 jump-target=DNS_OUTPUT protocol=udp
add action=accept chain=DNS_OUTPUT comment=”Make Exceptions for Traffic to the DNS Servers” dst-address-list=”DNS Servers” dst-port=53 protocol=udp
add action=drop chain=DNS_OUTPUT comment=”Drop All Other Out Bound DNS Traffic” dst-port=53 protocol=udp
add action=return chain=DNS_OUTPUT comment=”Return from DNS_OUTPUT Chain”
add action=jump chain=forward comment=”Jump to DNS_FORWARD Chain” jump-target=DNS_FORWARD
add action=accept chain=DNS_FORWARD comment=”Make Exceptions for Traffic from the DNS Servers going to the LAN” dst-address-list=”LAN Addresses (RFC1918)” port=53 protocol=udp src-address-list=\
“DNS Servers”
add action=accept chain=DNS_FORWARD comment=”Make Exceptions for Traffic from the LAN going to the DNS Servers” dst-address-list=”DNS Servers” port=53 protocol=udp src-address-list=\
“LAN Addresses (RFC1918)”
add action=drop chain=DNS_FORWARD comment=”Drop All Other DNS Traffic” port=53 protocol=udp
add action=drop chain=forward comment=”Drop Traffic to DNS DNS_DDoS Offenders” dst-address-list=DNS_DDoS

/

Related

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

One thought on “MikroTik DNS Attack Prevention Rev 4.0 (Firewall Filter)”

Log in to Reply

Sean September 30, 2022 at 9:35 AM

Hi Ricky,
Please I just want to clarify something about this firewall rules. #### Add your DNS servers to the DNS_Accept list. Remove and DNS servers you are not using for your network. ##
I’m only using Google DNS, do that mean I should delete the rest of the DNS in this firewall?

Loading...

%d bloggers like this: