v7.5beta [testing] is released!

My findings so far:

  • it adds addresses to the address list; it doesn’t get anything from the address list
  • it happens when the first query for a hostname comes and a static record exists for it; then it adds its address to the list
  • if there are more static records with the same name, it adds them all
  • it uses the TTL from the static record as the address list timeout
  • subsequent queries don’t do anything (they don’t reset the address list timeout as one might expect) (*1)
  • you can set it for all record types, but it only does something with A/AAAA/FWD
  • when used with FWD records (which are not real records, just pointers to external servers), it adds addresses from A/AAAA queries and uses their TTLs as the timeout

The last thing with FWD records is something that could possibly be useful for creating a dynamic access list, because such hostnames can point to different addresses not known in advance. The same could be done with A/AAAA, although if you’re adding static DNS records, you already know their addresses, so you could also add them to the address list yourself. This would just make the linking easier, but it would require a fix for (*1), because the resolver returns static records with the full TTL, while the timeout in the address list keeps counting down until it expires and the address is then removed, but at that point the client can still have a valid (possibly for a long time) resolved address.

Edit: It can be a fix/workaround for using wildcards in address lists. If you want a hostname-based address list, it’s possible for specific hostnames:

/ip firewall address-list
add list=mikrotik address=forum.mikrotik.com
add list=mikrotik address=www.mikrotik.com

But if you want *.mikrotik.com, it’s not possible, because * can be anything; that’s too many combinations to resolve in advance. But if you do:

/ip dns static
add address-list=mikrotik match-subdomain=yes name=mikrotik.com type=FWD

then it seems to work (I didn’t know it, but you can omit forward-to and then it uses the default resolvers); you’ll get an address list with the addresses of the hostnames actually used.
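A fuller configuration built around the FWD trick in the post above, as an added example that is not part of the original post or of RouterOS documentation. It assumes LAN clients sit behind an interface named bridge, that the upstream resolvers 1.1.1.1/9.9.9.9 and the list name mikrotik are acceptable placeholders, and that the build in use accepts address-list on /ip dns static as described. The point it adds is that the list only fills when clients actually resolve through the router’s cache, so the example forces LAN DNS through the router and then consumes the list in a forward rule.

```routeros
# Added example (not from the original post). Assumed names: interface "bridge",
# list "mikrotik", resolvers 1.1.1.1 and 9.9.9.9.

# 1. The router must answer DNS for LAN clients; otherwise its resolver never
#    sees the queries and the address list stays empty.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

# 2. Build the address list from whatever *.mikrotik.com names clients actually
#    resolve. forward-to is omitted, so the default resolvers above are used and
#    the A/AAAA answers' TTLs become the address-list timeouts.
/ip dns static
add name=mikrotik.com match-subdomain=yes type=FWD address-list=mikrotik

# 3. Let the LAN reach the router's resolver, and redirect clients that use a
#    hard-coded external resolver back to it. Plain DNS on 53 can be redirected;
#    DoH/DoT cannot and has to be blocked separately or accepted as a gap.
/ip firewall filter
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept comment="LAN DNS to router"
add chain=input in-interface=bridge protocol=tcp dst-port=53 action=accept comment="LAN DNS to router"
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS through router"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS through router"

# 4. Consume the list: allow the LAN to reach only addresses that were resolved
#    under *.mikrotik.com, drop everything else from this segment.
/ip firewall filter
add chain=forward in-interface=bridge connection-state=established,related action=accept
add chain=forward in-interface=bridge dst-address-list=mikrotik action=accept comment="dynamic allow-list from DNS"
add chain=forward in-interface=bridge action=drop comment="default deny for bridge"

# Check what the resolver has added and the remaining timeouts.
/ip firewall address-list print where list=mikrotik
```

Two things to keep in mind when relying on this. The entries expire with the upstream TTL and, per (*1), are not refreshed by later cached answers, so a client that still holds a cached record can lose connectivity until it re-resolves and the router sees the query again. And the drop rule only makes sense once clients genuinely cannot reach any other resolver; a client that resolves elsewhere never populates the list and is simply blocked.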