Conditional DNS forwarding for internal AD Server

Hi all,

I’m opening this ticket because I found some issues with the Conditional DNS forwarding rules.
I have a scenario with 1 internal Active Directory server, with IP 192.168.2.33 and domain mydomain.local, and I need to redirect only the internal DNS requests (for domain mydomain.local) to it.
So I’ve created the following rules:

/ip firewall layer7-protocol
add name=mydomain.local regexp=mydomain.local

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=0.0.0.0/0 dst-port=53 layer7-protocol=mydomain.local protocol=udp to-addresses=192.168.2.33 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=0.0.0.0/0 dst-port=53 layer7-protocol=mydomain.local protocol=tcp to-addresses=192.168.2.33 to-ports=53

I’ve done some tests: if I try to resolve external DNS requests, such as google.com or amazon.com, it works but with high latency (2-3 times it returns “DNS request timeout”), but if I try to resolve internal names it does not work.
When I tried with a PC directly connected to the Mikrotik (on port 2) it worked without problem.
It’s very urgent for me, can you help me?

Thanks a lot

Marco

Hello

L7 will not work for you here, as it needs several packets / at least 2k of stream data to do its work.

Maybe you could try the “content” filter instead? https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Hello Sebastia,

Thanks a lot for your reply.
Can you tell me more about that?

The only thing I need is to redirect the internal DNS requests to the Domain Controller (AD) and all other DNS requests to Google DNS.
Can you help me with that?

Thanks a lot
With best regards,

Marco

Try something like this, correcting the DNS name with “\03” as the length indicator and the correct AD IP.

/ip firewall nat
add action=dst-nat chain=dstnat comment="Reroute AD requests" content="isc\03org" dst-port=53 protocol=udp to-addresses=8.8.8.8
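How the content= pattern in the rule above is derived, as an added example that is not code from the thread: a name is encoded into DNS wire-format labels (each label prefixed by its length byte, which is where the \03 in isc\03org comes from), rendered as a RouterOS escape string, emitted as udp and tcp dst-nat rules for the poster's mydomain.local and 192.168.2.33, and checked against constructed queries the way a substring content match behaves. The helper names and the constructed query packets are this example's own assumptions.

```python
# Added example: DNS label encoding behind a RouterOS content= match.
# Not part of the thread; helper names and sample queries are constructed here.
import struct


def dns_labels(name: str) -> bytes:
    """Encode 'mydomain.local' as b'\\x08mydomain\\x05local' (no terminating zero)."""
    out = b""
    for label in name.strip(".").lower().split("."):
        if not 1 <= len(label) <= 63:  # DNS label length limit
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out


def routeros_content(name: str) -> str:
    """Render the label bytes as a RouterOS string, \\XX hex escapes for non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\{b:02X}" for b in dns_labels(name))


def nat_rules(name: str, ad_ip: str):
    """One dst-nat rule per transport, mirroring the poster's udp/tcp pair."""
    pat = routeros_content(name)
    return [
        f'add action=dst-nat chain=dstnat comment="Reroute AD requests" '
        f'content="{pat}" dst-port=53 protocol={proto} to-addresses={ad_ip} to-ports=53'
        for proto in ("udp", "tcp")
    ]


def dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, QDCOUNT=1
    return header + dns_labels(qname) + b"\x00" + struct.pack("!HH", qtype, 1)


def would_redirect(packet: bytes, name: str) -> bool:
    """Substring test, which is how a firewall content= match sees the payload.
    Hosts under the domain (dc01.mydomain.local) match because the suffix bytes
    appear verbatim; names like mydomain.localhost do not (length byte differs)."""
    return dns_labels(name) in packet


if __name__ == "__main__":
    for rule in nat_rules("mydomain.local", "192.168.2.33"):
        print(rule)
    print(would_redirect(dns_query("dc01.mydomain.local"), "mydomain.local"))  # True
    print(would_redirect(dns_query("google.com"), "mydomain.local"))           # False
```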