Constant DNS Port Scanning Traffic
I'm using a Mikrotik router and for the past few weeks have noticed constant scanning activity on the WAN interface (Internet --> MyPublicIP:53) after enabling logging for the "drop all not coming from LAN" input chain rule. I'm not too concerned since the traffic is being dropped. I've double-checked that DNS is only available internally and have done the grc.com shields up test to verify. I'm just curious why these IPs are constantly port scanning the DNS port all day. Maybe something to do with data collection from IoT devices? I'm surprised these IPs haven't been reported as malicious yet. I'm running the latest firmware version.
Here is a sample of logs below. I replaced my public IP with 1.2.3.4:
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.163:13505->1.2.3.4:53, len 70
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.213:21788->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.217:23208->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.99:11204->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.175:48206->1.2.3.4:53, len 70
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.232:45993->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.37:48335->1.2.3.4:53, len 66
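To see how the dropped traffic is distributed, log lines in this format can be grouped by source network, destination port and packet length. This is an added example, not part of the original post; the function names and the /24 grouping are assumptions, and the sample lines are the ones quoted in the post.

```python
import ipaddress
import re
from collections import Counter

# Sample lines as quoted in the post (public IP already replaced with 1.2.3.4).
SAMPLE_LOG = """\
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.163:13505->1.2.3.4:53, len 70
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.213:21788->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.217:23208->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.99:11204->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 179.107.49.175:48206->1.2.3.4:53, len 70
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.232:45993->1.2.3.4:53, len 66
DROP- input: in:ether1 out:(unknown 0), src-mac 00:17:10:95:78:1b, proto UDP, 191.7.145.37:48335->1.2.3.4:53, len 66
"""

LINE_RE = re.compile(
    r"in:(?P<iface>\S+) .*?proto (?P<proto>\w+), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->?"  # tolerate a '>' lost in copy/paste
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+), len (?P<len>\d+)"
)

def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec

def summarize(log_text, prefix_len=24):
    """Count dropped packets per source network, (proto, dst port) and packet length."""
    by_net, by_dport, by_len = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep a count so unparsed lines are not silently lost
            continue
        net = ipaddress.ip_network(f"{rec['src']}/{prefix_len}", strict=False)
        by_net[str(net)] += 1
        by_dport[(rec["proto"], rec["dport"])] += 1
        by_len[rec["len"]] += 1
    return {"networks": by_net, "dports": by_dport, "lengths": by_len, "skipped": skipped}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(name, value)
```

On the sample above, every source falls into one of two /24 networks and every packet is UDP to port 53 with a length of 66 or 70 bytes.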