Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

RouterOS can't use ingress port 53 [SOLVED]

Tue Jan 10, 2023 9:39 pm

Hello,


If anyone can help please do. Several MikroTik routers I manage can't seem to get a socket connection to port 53. The production application would be a DNS server behind NAT where the WAN connection is the PPPoE interface (but I haven't got that far because of this problem).

I tried to set up a test router to experiment with different configurations. The one posted here is as simple as I could make it to prove that I still can't make any connections to port 53 from the internet, and the router doesn't even count the attempts in the firewall. I know for a fact the ISP doesn't filter or throttle or otherwise manipulate the internet connection. I think I'm overlooking something simple, I just can't see it and I'm out of ideas at this point. I tested other versions of RouterOS going back to 6.33.6 - same issue. If I change the port attempts to 52 or 54, there's no problem.


Here's the test config which shows no filters counting my port 53 TCP or UDP connection attempts:

Code:
[admin@TestTik] >
# jan/10/2023 13:06:00 by RouterOS 7.6
# software id = 7***-****
#
# model = RB750
# serial number = 2F**********
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=testlogin@isp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=ether1 log=yes log-prefix=-mydns protocol=udp
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
add action=log chain=input dst-port=53 log-prefix="PORT 53 TCP HIT" protocol=tcp
add action=log chain=input dst-port=53 log-prefix="PORT 53 UDP HIT" protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=TestTik
/system leds
add interface=pppoe-out1 leds="" type=interface-activity
/system routerboard settings
set boot-device=nand-only

jvanhambelgium
Forum Veteran
Posts: 934
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 9:58 pm

Change the in-interface to "pppoe-out1" ?

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 10:17 pm

Change the in-interface to "pppoe-out1" ?
I made the suggested change, counters still at 0 when I tried with PuTTY using telnet to port 53:

Code:
# jan/10/2023 15:13:32 by RouterOS 7.6
# software id = 7***-****
#
# model = RB750
# serial number = 2F**********
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=testlogin@isp
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=udp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward
add action=accept chain=output
add action=log chain=input dst-port=53 log-prefix="PORT 53 TCP HIT" protocol=tcp
add action=log chain=input dst-port=53 log-prefix="PORT 53 UDP HIT" protocol=udp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=America/Toronto
/system identity
set name=TestTik
/system leds
add interface=pppoe-out1 leds="" type=interface-activity
/system package update
set channel=testing
/system routerboard settings
set boot-device=nand-only

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:04 pm

Confusing post.
Forgetting about the config,
What are your requirements, based on users, traffic flow they need to have or not to have with respect to DNS.
A viable solution will pop out from well stated requirements.
The only issue here is that you don't understand how DNS works or ROS works or both............. and chasing a config is needlessly challenging without understanding the why.........

Ensure you add any network context like self supplied PI servers and where they reside.........

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:12 pm

Confusing post.
Forgetting about the config,
What are your requirements, based on users, traffic flow they need to have or not to have with respect to DNS.
A viable solution will pop out from well stated requirements.
The only issue here is that you don't understand how DNS works or ROS works or both............. and chasing a config is needlessly challenging without understanding the why.........

Ensure you add any network context like self supplied PI servers and where they reside.........

LoL of course I'm here because I don't understand something. Here's more simple language for you: I want to make a DNS server off my PPPoE connection. Number of users doesn't matter, traffic flow doesn't matter. I just need responses from port 53 to work through the MikroTik router.

mkx
Forum Guru
Posts: 10215
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:24 pm

For starters, push those 2 rules with action=log above similar rules with action=accept. Firewall rules are evaluated top-to-bottom and the first matching rule executes. Rules with action=accept or action=drop also stop processing of rules. So the way you have them now, the log rules will not execute for packets ingressing through the PPPoE interface because matching packets trigger execution of the accept rules above.

Does the connection work from LAN? From the firewall point of view either (LAN and PPPoE) should work, you actually don't have anything in the firewall blocking any connection to the router itself ... which also means the device can be easily hacked from the internet. So if connecting to the DNS service on the router works from LAN but doesn't from the internet, then your ISP doesn't offer internet lines as transparent as you were made to believe.
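mkx's point about rule order, shown as an added example that is not from the thread or from MikroTik: a small Python model of how /ip firewall filter walks a chain (accept and drop terminate the walk, log only records and continues), run over the two orderings of Darryl's port-53 rules. The rule contents come from the configs above; the evaluation model, the per-rule hit counters and the constructed test packet are the example's own simplification (no connection tracking, no other chains).

```python
from dataclasses import dataclass, field

TERMINATING = {"accept", "drop"}  # actions that end the walk of a chain

@dataclass
class Rule:
    action: str
    chain: str
    match: dict = field(default_factory=dict)  # protocol / dst_port / in_interface
    log_prefix: str = ""
    hits: int = 0  # the per-rule packet counter Winbox displays

@dataclass
class Packet:
    chain: str
    protocol: str
    dst_port: int
    in_interface: str

def matches(rule, pkt):
    """A rule matches when every matcher it specifies equals the packet field."""
    return rule.chain == pkt.chain and all(getattr(pkt, k) == v for k, v in rule.match.items())

def evaluate(rules, pkt):
    """Walk rules top to bottom; return (verdict, log prefixes emitted)."""
    logged = []
    for rule in rules:
        if not matches(rule, pkt):
            continue
        rule.hits += 1
        if rule.action == "log":
            logged.append(rule.log_prefix)
            continue  # log is non-terminating: keep walking
        if rule.action in TERMINATING:
            return rule.action, logged
    return "accept", logged  # nothing matched: filter chains default to accept

def darryls_input_chain(log_first):
    """Log rules below the accepts (Darryl's first config) or above them (mkx's advice)."""
    accepts = [Rule("accept", "input", {"protocol": p, "dst_port": 53, "in_interface": "pppoe-out1"}, "-mydns")
               for p in ("tcp", "udp")]
    catch_all = [Rule("accept", "input", {"in_interface": "pppoe-out1"})]
    logs = [Rule("log", "input", {"protocol": p, "dst_port": 53}, f"PORT 53 {p.upper()} HIT")
            for p in ("tcp", "udp")]
    return logs + accepts + catch_all if log_first else accepts + catch_all + logs

def run(log_first):
    """One constructed TCP packet to port 53 arriving on pppoe-out1: verdict, logs, per-rule hits."""
    rules = darryls_input_chain(log_first)
    verdict, logged = evaluate(rules, Packet("input", "tcp", 53, "pppoe-out1"))
    return verdict, logged, [r.hits for r in rules]

print("log rules last :", run(False))   # ('accept', [], [1, 0, 0, 0, 0])
print("log rules first:", run(True))    # ('accept', ['PORT 53 TCP HIT'], [1, 0, 1, 0, 0])
```

Either way the accept rule for TCP/53 counts the packet if it reaches the router at all, which is why counters staying at zero on every rule points away from rule order and toward the packet never arriving.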

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Tue Jan 10, 2023 11:46 pm

Why would anyone open up port 53 on the input chain or portforward port 53 to the LAN side.........
Sounds like security breach to me........

In other words your firewall rules are not worthy of commenting upon and port 53 is the least of your problems.


Fixed for you........
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN


Output chain is rarely needed and not included here.

You are missing many other components of a config and it's no wonder nothing is working............

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 2:39 pm

For starters, push those 2 rules with action=log above similar rules with action=accept. Firewall rules are evaluated top-to-bottom and the first matching rule executes. Rules with action=accept or action=drop also stop processing of rules. So the way you have them now, the log rules will not execute for packets ingressing through the PPPoE interface because matching packets trigger execution of the accept rules above.

Does the connection work from LAN? From the firewall point of view either (LAN and PPPoE) should work, you actually don't have anything in the firewall blocking any connection to the router itself ... which also means the device can be easily hacked from the internet. So if connecting to the DNS service on the router works from LAN but doesn't from the internet, then your ISP doesn't offer internet lines as transparent as you were made to believe.


I put the rules at the top:
Code:
/ip firewall filter
add action=log chain=input dst-port=53 in-interface=pppoe-out1 log-prefix="PORT 53 TCP HIT" protocol=tcp
add action=log chain=input dst-port=53 in-interface=pppoe-out1 log-prefix="PORT 53 UDP HIT" protocol=udp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=tcp
add action=accept chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=-mydns protocol=udp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=forward
add action=accept chain=output

Connections to port 53 always work on the LAN. In fact if I set up a NAT port forward, if the outside ports are 52 or 54 and the inside port is 53, the connection always works. Yes, the device is not secured and hackable. This config is only for demonstrating the problem with port 53. I'm not posting my production config. As for the ISP not being transparent? I've spoken with the network engineer who built the network and have been advised at length that there is no filtering. Further to that, I was given an IP address of another user in my CIDR block that does have a working DNS server using port 53 on the same network I'm on at my ISP. DIG / nslookup queries to that IP still work as of this posting.

Here's a winbox showing no packets received for port 53:

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 2:44 pm

Why would anyone open up port 53 on the input chain or portforward port 53 to the LAN side.........
Sounds like security breach to me........

In other words your firewall rules are not worthy of commenting upon and port 53 is the least of your problems.


Fixed for you........
/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN


Output chain is rarely needed and not included here.

You are missing many other components of a config and it's no wonder nothing is working............
People would open up port 53 for the purpose of running an authoritative DNS server. (https://en.wikipedia.org/wiki/Name_server) This is my purpose as I've stated before. Your fix of using the default MikroTik configuration that comes with the router also doesn't work. I've omitted it for the sake of simplicity here, that's why my config has no firewall rules. Also, everything is working, it's just port 53 TCP / UDP out of all the 65535 ports that is not working for me.

R1CH
Forum Guru
Posts: 1092
Joined: Sun Oct 01, 2006 11:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 4:54 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 5:00 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.

I've thought so too. I'm testing from within the ISP network using the same subnet. Client / server connection not working with the MikroTik. But I can query another IP in the same subnet who is running a DNS server without a MikroTik router. No filtering going on here.

rextended
Forum Guru
Posts: 11491
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 5:09 pm

Open resolvers on port 53 are often abused for DDoS reflection attacks, your ISP or another upstream is probably filtering it.
I am one of those many.
If the customer has enough knowledge to get a DNS server online, with all the bells and whistles that go with that,
they're also able to use a VPN on remote devices to access that DNS resolver (or NAT the port 53 with some other on both sides)...

mkx
Forum Guru
Posts: 10215
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 8:55 pm

I'll phrase my thought this way: ROS doesn't have any hidden default firewall rules. So if you don't see any rule blocking port 53 from WAN, then it's not MikroTik blocking it.

As a few already mentioned: ISPs often block port 53 even if they don't block other ports (another quite "popular" is UDP port 123). If I were you, I'd ask my ISP about it. Good luck getting an honest and accurate response though.

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 11:16 pm

Here locally the ISP hard-codes blocking of inbound pinging on the home hub modem/router they provide. Hence one of the reasons I used their business modem instead.

rextended
Forum Guru
Posts: 11491
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Wed Jan 11, 2023 11:22 pm

I block 53 & Co. right after my edge router...
If the user wants to open his home or office to the world, he must sign an agreement
according to which, if for some reason he is the target of some attack (or generates some attack),
his service is immediately blocked and he must pay the damages...

(although in reality he can only ask, after renting one static public IP instead of having a dynamic public IP, for ports like
20, 21, 22, 23, 80, 443, etc.
but not, just for example:
0, 53, 67, 68, 111, 123, 135, 137, 138, 139, 161, 445, 1433, 1900, 3389, 5678, 8291, 20561, etc.
of this type)

Darryl
just joined
Topic Author
Posts: 23
Joined: Fri May 13, 2016 3:44 pm

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 9:33 pm

Thanks for the comments guys. Indeed the ISP side had it accidentally blocked. Problem has been resolved and it was definitely not the RouterOS.

rextended
Forum Guru
Posts: 11491
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 10:11 pm

[…]accidentally[…]

What??? Seriously???

No comment...

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 11:56 pm

I think the ISP knew what a dangerous game you are playing with hosting port 53 on the WAN side and blocked you for your own good LOL

anav
Forum Guru
Posts: 17409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS can't use ingress port 53

Thu Jan 12, 2023 11:58 pm

Once again MKX and REXTENDED are bang on, and the OP is a fail, believing ISP technicians and not IT and MT experts................................
Why bother coming here at all...........