
Remote rogues spoiling your web experience?

To the terminally impatient who cannot read long posts, scroll to the last paragraph.

In the quest for speedy web browsing and Internet bandwidth savings, many of us make use of servers/appliances that have HTTP and DNS caching functionality. Of course, the lazy (or accidental) administrator does the barest minimum to get the service working and moves on.

In the old days with lean VSAT bandwidth, many could (mis)configure their Web and DNS devices yet nothing bad would happen (mostly). Now that we have optic fibre internet connections however, it is a very different case.

Because we have lots of unused upload bandwidth and tend to underestimate the need for security, networks in third-world countries are becoming prime targets for bad people looking for open relays to hijack for anonymous browsing, phishing, spamming and distributed denial of service (DDoS) attacks.

In the course of my network optimization consulting, I have seen servers and routers enjoyed by rogue remote users while the companies paying for the services lamented snail-speed access. Of course their ISPs were able to produce bandwidth utilization graphs that showed that they were delivering the bandwidth.

You just might be in the same situation so here is my free advice for you to rescue yourself. I will only touch on DNS and HTTP caching but the same principles can be extended to any local services.

One thing you can do to protect your local services from being exploited by outsiders is to use an access list, which is typically built into the application you are using.

For a BIND DNS caching server, that would be an acl directive specifying that the server should only perform recursive lookups for your internal networks. See http://zytrax.com/books/dns/ch7/acl.html

For a Squid web caching server, that would be an acl directive specifying that the server should only answer requests from your internal networks. See http://www.squid-cache.org/Doc/config/acl/ and http://www.squid-cache.org/Doc/config/http_access/

Another thing you can do is simply prevent traffic to your service ports from coming in via your external network interfaces at your border router or firewall.

For Mikrotik there is a web proxy access control option but I don’t trust my knowledge of that configuration menu so in addition to specifying the local networks in the acl, I create firewall filter rules to drop incoming connections to my web proxy port (default tcp 3128 or whatever other port I configured the proxy to run on).

A lot of people ignorantly think Mikrotik is bullet-proof but you see, it provides no acl option for the DNS caching service. In the last few weeks, I have cleaned up multiple networks which were among other things messed up by insecure DNS configuration on Mikrotik routerboards.

Mikrotik treats both LAN and WAN requests as “remote requests” so once you turn on DNS in Mikrotik, it is available to your local network as well as to anyone that can reach the public address of your router. To be safe, you should create a firewall rule to drop DNS (udp port 53) requests coming in from your external interfaces.

 /ip firewall filter add chain=input action=drop protocol=udp in-interface=name_of_wan_interface dst-port=53 

With this one line, I was able to drop 3.5Mbps of outgoing DNS answers/attacks and 1Mbps of incoming DNS requests on a client’s network this morning. Of course you can’t control the requests that come your way but after some minutes the requests stop coming once the bad people see there is no response from your device. The image below is a breakdown of such DNS pilferage as it was happening.

[Image: mikrotik server dns hijacked 20150624]

If you are really paranoid and think there might be evil spirits inside your router itself, you can create additional firewall rules to drop outgoing answers originating from the DNS service.

/ip firewall filter add chain=output action=drop protocol=udp out-interface=name_of_wan_interface src-port=53 

Simple as that! You can do the same with iptables rules on a Linux server but usually you wouldn’t need to since you have proper access control list functionality available.
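To confirm that the WAN-side drop rule is doing its job, here is an added example (not part of the original post) that sends one recursive DNS query to UDP port 53 and classifies the reply. Run it from a host outside your network against your own router's public address; the function names, the transaction ID and the 192.0.2.1 placeholder address are assumptions made for illustration.

```python
import socket
import struct

TXID = 0x1234  # arbitrary transaction ID chosen for this example

def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data: bytes, txid: int = TXID) -> str:
    """Interpret a reply header: is the server offering recursion to us?"""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "malformed"
    if flags & 0x000F == 5:                # RCODE REFUSED: an ACL turned us away
        return "refused"
    if flags & 0x0080:                     # RA bit: recursion available to this client
        return "open"
    return "no-recursion"

def probe(server_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query to UDP 53 and report how the server treated it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server_ip, 53))
            data, _addr = sock.recvfrom(4096)
        except OSError:                    # timeout or ICMP unreachable
            return "filtered"              # the result a working drop rule gives
    return classify_response(data)

# Constructed sample reply headers (not captured traffic).
SAMPLE_OPEN = bytes.fromhex("123481800001000100000000")     # QR+RD+RA, NOERROR
SAMPLE_REFUSED = bytes.fromhex("123481050001000000000000")  # QR+RD, REFUSED

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN), classify_response(SAMPLE_REFUSED))
    # 192.0.2.1 is a documentation placeholder; use your router's WAN address.
    print(probe("192.0.2.1", timeout=1.0))
```

A result of "open" from outside means the DNS cache is still answering strangers; "filtered" is what the input-chain drop rule should give, and "refused" is what an application-level acl typically gives.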

If you have lots of money to spend, you could also buy an expensive firewall appliance.

Would you like to have your network audited to identify the issues affecting your quality of service? Send me a message so I can better understand your setup and give you an estimate.

For the impatient:
Na wah for you o. Just go and block any access to your local services from external networks.

3 thoughts on “Remote rogues spoiling your web experience?”

  1. I appreciate your concern and I thank you very much for the information. I want you to recommend the best Authentication Server and the firewall as well as monitoring software for my Internet Network of about 5,000 local users.
    Thank you.

    1. Thanks for your comment, Taiye.

      The “best” of anything really depends on your own unique environment and what is most important to you. A commercial entity for example may be willing to spend 100 times as much as an educational institution and their main focus may be to restrict people from doing things; the educational institution on its own part may find it most important that their users have full unrestricted access to the internet without them spending too much.

      I will send you an email and introduce you to a couple of options you might find interesting for your organization.
