{"id":3685,"date":"2020-12-03T16:59:31","date_gmt":"2020-12-03T22:59:31","guid":{"rendered":"http:\/\/www.incredigeek.com\/home\/?p=3685"},"modified":"2020-12-04T11:55:01","modified_gmt":"2020-12-04T17:55:01","slug":"troubleshooting-dns-cpu-usage-on-mikrotik-router","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/troubleshooting-dns-cpu-usage-on-mikrotik-router\/","title":{"rendered":"Troubleshooting DNS CPU Usage on Mikrotik Router"},"content":{"rendered":"\n

Problem : Lots of CPU utilization. Profile shows a good bit of it is DNS related.<\/p>\n\n\n\n

\"\"
DNS eating CPU on Router<\/figcaption><\/figure>\n\n\n\n

The router is setup to allow DNS to pass through to web servers so rDNS and other records can be looked up and resolved. This is a specific IP block that gets it’s addresses from the router. The firewall rules explicitly allow this address range. We’ll say 192.168.88.0\/24, and blocks everything else. This works for the web servers. But why are we still getting a bunch of CPU utilization with DNS?<\/p>\n\n\n\n

As it turns out, the firewall rule that allows the server address range also includes routers own address! So we have unintentionally whitelisted DNS access to our router. <\/p>\n\n\n\n

To resolve the issue we can add another firewall rule that explicitly blocks DNS traffic to the routers IP address. We are using two rules, one to block TCP and the other UDP.<\/p>\n\n\n\n

ip firewall filter add chain=input dst-address=192.168.88.1 protocol=6 dst-port=53 in-interface-list=WAN action=drop\nip firewall filter add chain=input dst-address=192.168.88.1 protocol=17 dst-port=53 in-interface-list=WAN action=drop<\/pre>\n\n\n\n
<\/p>\n\n\n\n
Rules 6 & 7 are the two new rules we just applied.  14 & 15 block input to the router, however rules 8 & 9 inadvertently allowed access to the router’s public IP.<\/p>\n\n\n\n
\"\"
Firewall Rules for Router<\/figcaption><\/figure>\n\n\n\n
The Result?  Our CPU usage dropped!<\/p>\n\n\n\n
\"\"
CPU Usage dropped after adding DNS firewall rules.<\/figcaption><\/figure>\n\n\n\n
Quite dramatically too as the following LibreNMS screenshot shows.<\/p>\n\n\n\n
\"\"
LibreNMS CPU graph showing the overall CPU utilization improvement<\/figcaption><\/figure>\n\n\n\n
For more information about DNS Amplification attacks, refer to the following links.<\/p>\n\n\n\n
https:\/\/ask.wireshark.org\/question\/6865\/dns-amplification-attack\/<\/a>
https:\/\/security.stackexchange.com\/questions\/237127\/why-would-hackers-attack-a-dns-server-with-a-dos<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Problem : Lots of CPU utilization. Profile shows a good bit of it is DNS related. The router is setup to allow DNS to pass through to web servers so rDNS and other records can be looked up and resolved. … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[452,573],"tags":[1119,277,1120,301,502,388],"class_list":["post-3685","post","type-post","status-publish","format-standard","hentry","category-mikrotik","category-security","tag-cpu-utilization","tag-dns","tag-dns-amplification","tag-mikrotik","tag-routerboard","tag-routeros"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/3685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=3685"}],"version-history":[{"count":3,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/3685\/revisions"}],"predecessor-version":[{"id":3697,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/3685\/revisions\/3697"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=3685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=3685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=3685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}