kajege

DNS Sehat

Apr 21st, 2017
  # Forced DNS redirection for a MikroTik router.
  # Plain DNS (TCP/UDP 53 and 5353) from RFC 1918 clients is dst-nat'ed to fixed
  # upstream resolvers on port 5353. Netwatch disables the rules of a dns-sehat or
  # dns-trust upstream when that host stops responding and re-enables them later.
  #
  # NOTE(review): queries leave in cleartext towards the upstreams listed below;
  # confirm that the 103.80.80.x addresses are operated by the provider you intend
  # before importing. Only ports 53 and 5353 are matched, so DNS-over-TLS (853)
  # and DNS-over-HTTPS (443) are not affected by these rules.

  # Clients that count as "local": the three RFC 1918 private ranges.
  /ip firewall address-list
  add list=local address=10.0.0.0/8
  add list=local address=172.16.0.0/12
  add list=local address=192.168.0.0/16

  # Drop DNS aimed at the router itself from anything outside the local list.
  # NOTE(review): "add" appends to the end of the input chain; check that no
  # earlier accept rule already admits this traffic, otherwise these never match.
  /ip firewall filter
  add chain=input action=drop protocol=tcp dst-port=53,5353 src-address-list=!local comment=drop-dns-flood
  add chain=input action=drop protocol=udp dst-port=53,5353 src-address-list=!local comment=drop-dns-flood

  # Router's own resolver: upstreams for its own lookups, no answers to clients.
  /ip dns
  set servers=103.80.80.248,103.80.80.249 allow-remote-requests=no

  # Redirect rules, evaluated in the order listed (sehat, then trust, then open).
  # nth=every,packet; dst-nat sees only the first packet of a connection and, on
  # RouterOS v6, every rule keeps its own counter (confirm for your version).
  #
  # UDP: nth=3,1 followed by nth=1,1 - the second rule takes everything the first
  # left, so the dns-trust / dns-open UDP rules are reached only after Netwatch
  # has disabled the rules ahead of them.
  # NOTE(review): TCP uses nth=4,1 followed by nth=2,1, which leaves part of the
  # new connections unmatched by each pair; they fall through to the next group,
  # and whatever passes the last group keeps its original DNS destination. If an
  # even split with full coverage is wanted, the usual form is nth=2,1 followed
  # by a rule without nth - confirm the intent.
  /ip firewall nat

  # --- dns-sehat ---
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=4,1 \
      to-addresses=103.80.80.248 to-ports=5353 comment=dns-sehat disabled=no
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=2,1 \
      to-addresses=103.80.80.249 to-ports=5353 comment=dns-sehat disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=3,1 \
      to-addresses=103.80.80.248 to-ports=5353 comment=dns-sehat disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=1,1 \
      to-addresses=103.80.80.249 to-ports=5353 comment=dns-sehat disabled=no

  # --- dns-trust ---
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=4,1 \
      to-addresses=103.80.80.243 to-ports=5353 comment=dns-trust disabled=no
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=2,1 \
      to-addresses=103.80.80.244 to-ports=5353 comment=dns-trust disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=3,1 \
      to-addresses=103.80.80.243 to-ports=5353 comment=dns-trust disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=1,1 \
      to-addresses=103.80.80.244 to-ports=5353 comment=dns-trust disabled=no

  # --- dns-open ---
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=4,1 \
      to-addresses=208.67.222.222 to-ports=5353 comment=dns-open disabled=no
  add chain=dstnat action=dst-nat protocol=tcp dst-port=53,5353 src-address-list=local nth=2,1 \
      to-addresses=208.67.220.220 to-ports=5353 comment=dns-open disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=3,1 \
      to-addresses=208.67.222.222 to-ports=5353 comment=dns-open disabled=no
  add chain=dstnat action=dst-nat protocol=udp dst-port=53,5353 src-address-list=local nth=1,1 \
      to-addresses=208.67.220.220 to-ports=5353 comment=dns-open disabled=no

  # Health checks: one entry per dns-sehat / dns-trust upstream. The down-script
  # disables that upstream's NAT rules, the up-script turns them back on.
  # There are no entries for the dns-open addresses, so those rules are never
  # switched off automatically.
  # NOTE(review): Netwatch as configured here tests host reachability (ICMP by
  # default), not whether a resolver answers on port 5353; an upstream that still
  # answers ping with a dead DNS service keeps receiving queries.
  /tool netwatch
  add host=103.80.80.248 \
      down-script="/ip firewall nat disable [find to-addresses=103.80.80.248 comment=dns-sehat]" \
      up-script="/ip firewall nat enable [find to-addresses=103.80.80.248 comment=dns-sehat]"
  add host=103.80.80.249 \
      down-script="/ip firewall nat disable [find to-addresses=103.80.80.249 comment=dns-sehat]" \
      up-script="/ip firewall nat enable [find to-addresses=103.80.80.249 comment=dns-sehat]"
  add host=103.80.80.243 \
      down-script="/ip firewall nat disable [find to-addresses=103.80.80.243 comment=dns-trust]" \
      up-script="/ip firewall nat enable [find to-addresses=103.80.80.243 comment=dns-trust]"
  add host=103.80.80.244 \
      down-script="/ip firewall nat disable [find to-addresses=103.80.80.244 comment=dns-trust]" \
      up-script="/ip firewall nat enable [find to-addresses=103.80.80.244 comment=dns-trust]"