Only accept dns requests going to internal IPs

[james-otten]

Problem

Because /ip/dns/allow-remote-requests=yes and the default firewall rule for port 53 is to allow any traffic (for mesh users to use their omni as a cache) if an omni is given a public IP and no firewall rules are changed, it will respond to DNS requests from the internet. This was being abused in some cases.

Solution

To make this less error prone, the default firewall rule for port 53 is made to be more restrictive. This is fine in the default case without a public IP, and now volunteers giving out new public IPs don't need to think about DNS.

[Andrew-Dickinson]

Should we use the meshaddr address list instead?

[james-otten]

It includes 2 public mesh IP blocks which I think we want to deny just in case something from one of them gets assigned to an omni. This applies to just the input filter, and not the forward filter, so users can still access DNS servers at public mesh IPs.

[zgiles]

I'm of the same mind as Andrew here. We should be using src-address-list=meshaddr similar to the "drop input if not from meshaddr" line a few lines down. It is a little odd to have a dst-address here for the input, and actually this would break the use-case that Andrew and I were talking about a few days ago where we would have a public IP routed to the member's router and they reply to the public IP on the router.

The reason for this allow line even though we have an input drop line is to allow wlan2 users to access dns despite not being allowed to access the router's management interface. So, another option is to just add in-bridge-port=wlan2 on this line instead of your suggestion, which would resolve that problem, and everyone else would be covered by the "drop input if not from meshaddr".

Thoughts?

[james-otten]

I think I misread at fist thinking about dest not src. Updated to src-address-list=meshaddr