Domain Name System
r3aly, 2014-12-08 14:15:37

Mikrotik CPU load at 100% due to DNS. What should I do?

Hello! I have more than 5 Mikrotik SOHO routers installed, in different places on different ISP links, with different throughput speeds. I began to notice that from time to time the load on the routers approaches 100%, and on others the connection drops out because of the low bandwidth of the Internet channel. As it turned out, the reason in all cases was some kind of unhealthy activity on the Mikrotik DNS server, which either clogs the channel or, if the channel is wide, eats up all the CPU. And all the installed routers have external IP addresses.
I configured everything according to the manuals and did not add any rules in the firewall. I only removed access to the Mikrotik, leaving WinBox.
What is the best way to close port 53, so as not to break anything inside? :)


8 answers

kirmw (@kirmw), 2017-02-07

If via the web interface or WinBox, uncheck Allow Remote Requests (IP -> DNS).
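The same setting from the RouterOS command line, as an added example that is not part of the answer above. It assumes a router with the stock /ip dns menu; the commands are the standard RouterOS ones.

```routeros
# Added example: stop the router from answering DNS queries from anyone but itself.
# With allow-remote-requests=no the router still resolves names for its own needs
# (e.g. /tool fetch, NTP by hostname), but nothing on the LAN or WAN can use it as a resolver.
/ip dns set allow-remote-requests=no

# Confirm the setting and look at what the cache had accumulated before the change.
/ip dns print
/ip dns cache print count-only
/ip dns cache flush
```

Caveat: the default DHCP setup hands LAN clients the router's own LAN address as their DNS server, so after this change those clients need another resolver (handed out via /ip dhcp-server network) or the DNS traffic has to be filtered on the WAN side only instead.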

Sergey (@bk0011m), 2014-12-08

Close TCP port 53.
Deny all DNS requests from outside.

Jeff Lebowski (@StanislavFTW), 2014-12-09

The same thing happened to me about a year ago. It was solved by closing port 53:
chain: input; Dst. Address: @your IP
Protocol: 6 (tcp)
Dst. Port: 53
Action: drop
(or, if you want, add these flooding addresses to a list and ban that list for a certain time)
And one more rule, the same but for UDP:
Protocol: 17 (udp)

Eugene (@LongJek), 2015-12-30

This?
What's new in 6.22 (2014-Nov-11 14:46):
*) ovpn - added support for null crypto;
*) files - allow to remove empty disk folders;
*) sntp - fix problems with dns name resolving failures that were triggering system watchdog timeout;
*) eoip/eoipv6/gre/gre6/ipip/ipipv6/6to4 tunnels have new features:
tunnels go down when no route to destination;
tunnels go down for 1 minute when transmit loop detected, warning gets logged;
new keepalive-retries setting;
keepalives enabled by default for new tunnels (10sec interval, 10 retries);
*) improved connection-state matcher in firewall - can match multiple states in one rule, supports negation;
*) added connection-nat-state matcher - can match connections that are srcnatted,dstnatted or both;
*) 100% CPU load caused by unclassified services fixed;
*) 6to4 tunnel fixed;
*) new RouterBOOT firmware for Metal 2SHPn to improve wireless stability;
forum.mikrotik.com/viewtopic.php?p=456188

r3aly (@r3aly), 2014-12-08

Tell me how to do it correctly, because I blocked it in the firewall: input, src. address 0.0.0.0/0, dst. address own_external_ip, 53 tcp. After that the intranet began to have trouble "resolving" addresses, etc.

Gem (@Gem), 2014-12-08

And even better, completely disable DNS on the Mikrotik and distribute via DHCP the provider's DNS, public Google (8.8.8.8, 4.4.4.4) or Yandex, dns.yandex.ru.
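What that looks like on the router, as an added example (not from the answer above). It assumes the default quick-set LAN subnet 192.168.88.0/24 for the DHCP network; Google's second public resolver is 8.8.4.4, which is what the example hands out.

```routeros
# Added example: stop the router from acting as a resolver and give LAN clients
# public resolvers directly through DHCP.
# Assumption: the DHCP network is 192.168.88.0/24 (quick-set default); adjust to your subnet.
/ip dns set allow-remote-requests=no
/ip dhcp-server network set [find address="192.168.88.0/24"] dns-server=8.8.8.8,8.8.4.4

# Check the result; clients pick up the new servers on their next lease renewal.
/ip dhcp-server network print
/ip dhcp-server lease print
```

Clients with static addresses, or with a DNS server set by hand, are not affected by the DHCP change and have to be repointed individually. Resolution for the router itself (NTP by name, /tool fetch) still goes through the servers in /ip dns, so leave those configured.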

nimbo (@nimbo), 2014-12-09

1. Update RouterOS to the latest version.
2. Reset the configuration to defaults.
3. Configure everything via Quick Set, with the Firewall checkbox checked.

shaytan (@shaytan), 2014-12-18

Allow DNS requests from your local network and deny DNS requests from everyone else.
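A complete set of firewall rules for the approach described in this answer and in the answers by Sergey and Jeff Lebowski above (accept DNS from the LAN, drop it from the WAN, optionally list the flooding sources), as an added example that is not code from any of the answers. It assumes the WAN interface is ether1 and the LAN side is a bridge named "bridge"; older quick-set configs name the LAN interface bridge-local or ether2-master-local, so check /interface print first. The address-list name dns_abusers is made up for the example.

```routeros
# Added example. Assumptions: WAN = ether1, LAN = bridge (check /interface print).
# The input chain only sees packets addressed to the router itself, which is where a
# resolver flood lands, so no forward-chain rules are needed.
/ip firewall filter

# 1. Keep internal resolving working: accept DNS from the LAN before any drop rule.
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept comment="DNS from LAN"
add chain=input in-interface=bridge protocol=tcp dst-port=53 action=accept comment="DNS from LAN"

# 2. Anything already caught flooding is dropped outright, for every protocol.
add chain=input src-address-list=dns_abusers action=drop comment="banned DNS abusers"

# 3. Record WAN sources that hit port 53 (non-terminating action, the packet continues),
#    then drop the query. The list entry expires after 1h.
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=add-src-to-address-list address-list=dns_abusers address-list-timeout=1h \
    comment="record DNS abusers"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=add-src-to-address-list address-list=dns_abusers address-list-timeout=1h \
    comment="record DNS abusers"
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="drop DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="drop DNS from WAN"

# 4. Verify ordering and watch the counters and the list fill up during a flood.
print
print stats where dst-port=53
/ip firewall address-list print where list=dns_abusers
```

The rules are appended to the end of the input chain, so if an existing rule above them accepts everything, move them up with /ip firewall filter move. From a host on the Internet, `dig @<external-ip> example.com` should now time out while a LAN client still resolves normally. Dropping the packets still costs some CPU under a heavy flood, but far less than resolving and answering them, and the recorded addresses let you see where the traffic comes from.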
