cancel
Showing results for 
Search instead for 
Did you mean: 

Open DNS Resolver - Traffic from China!

gary42
Grafter
Posts: 94
Registered: 09-07-2012

Open DNS Resolver - Traffic from China!

I spotted some high upload traffic on my connection that had been running for an hour or so.
After checking it out I noticed numerous port 53 connections from an IP address in China. (See screenshot)
Hadn't realised that the Mikrotik router needs a specific firewall rule adding when using it's DNS cache.
The DNS cache has lots of entries for a.packetdevil.com
Anyone know what if anything I should be worried about now I have blocked the traffic.
Are these connections used in some form of attack?
Any repercussions for my IP address?
3 REPLIES
Community Veteran
Posts: 5,057
Thanks: 426
Fixes: 16
Registered: 10-06-2010

Re: Open DNS Resolver - Traffic from China!

I think your dns server was being used to attack other targets in a "dns amplification" attack. a.packetdevil.com is just something with a large dns answer, to maximize the amount of traffic.
192.168.1.3 seems an unusual LAN IP address for a router.
gary42
Grafter
Posts: 94
Registered: 09-07-2012

Re: Open DNS Resolver - Traffic from China!

OK, thanks.
I'm going to have to be careful with the Mikrotik router. Had a similar issue when looking at using the web proxy.
It's a pretty steep learning curve even when compared to using something like PFSense.
Re the IP, at the moment it is connected to a TG582N in it's DMZ, picking up an IP through DHCP.
Just seeing how it compared to running with the TG582N in it's bridged mode and connecting through PPPoE.
Seem to get better upstream QOS results when running this way.
nanotm
Pro
Posts: 5,682
Thanks: 111
Fixes: 1
Registered: 11-02-2013

Re: Open DNS Resolver - Traffic from China!

the reason the QoS is better has something to do with the primary router ignoring all normal rules for traffic when pointing at a DMZ....but then that's normal for all routers that cost under £200, and you probably need a qualification in cisco systems to properly setup a DMZ on the more expensive ones
the best bet is just to buy a decent primary router enable NAT +UPNP and ignore QoS, just make sure the router you get is designed to continuously connect the number of devices your household is using (most isp provided ones struggle if you have more than 8 ) and don't forget that anything with an ip address on the network counts as a device (so routers IP phones, storage, set top box/smart TV, pc's, tablets, phones etc etc) even if you assign them a static ip address outside of the dhcp range, also a lot of WIFI combi routers completely mess up when utilizing both wired and wireless, its much better to have dedicated devices.
with that in mind your optimal setup would be to use the tg582n as a slave device and get a new router that doesn't have building wifi as your primary (DHCP server) then your free to ignor QoS, just enable UPNP +NAT and ignor most everything else (unless you particularly want to block certain functions or websites)
just because your paranoid doesn't mean they aren't out to get you