marcodor
 Post subject: Conditional DNS forwarding
PostPosted: Tue Jan 25, 2011 9:05 pm 
just joined

Joined: Tue Jan 25, 2011 8:44 pm
Posts: 3
Karma: 0
Hello,

We deployed routerboards in our regional branches.
All our remote computers belong to an MS Active Directory domain; the domain controllers are located in the central office.
DNS servers for the remote computers are set to the domain controllers, for proper AD work.
Now I want to set up the RouterBOARD to act as DNS server for the remote computers and forward DNS queries in a smart way:
if the NAME ends with my zone, forward the query to my domain controllers; otherwise forward it to the local internet provider.
This will improve response speed and network performance.

Something like bind has:

zone "mydomain.com" {
    type forward;
    forward only;
    forwarders { 22.22.22.22; };
};

PLEASE include it in the TODO list for v5; I think it's not hard to implement, as you already have forwarders. :)
Just define "DNS Zones" as entities and link forwarders to that zone.

Thanks in advance!


mindlesstux
 Post subject: Re: Conditional DNS forwarding
PostPosted: Thu Jan 27, 2011 3:59 pm 
just joined

Joined: Tue Mar 17, 2009 3:20 pm
Posts: 11
Karma: 1

Location: Charlotte, NC, USA
I have not tested this yet, but it should be possible to create a layer7 protocol that digs into the DNS packet and matches the domain. If the domain is matched, then just silently redirect the packet to the proper DNS server.


I will post again once I find time to craft and test this.


janisk
 Post subject: Re: Conditional DNS forwarding
PostPosted: Thu Jan 27, 2011 4:25 pm 
MikroTik Support

Joined: Tue Feb 14, 2006 9:46 am
Posts: 4811
Karma: 37

Location: Riga, Latvia
Just be sure that the packets that come back from that other DNS resolver have the correct src address in the reply; otherwise the packet will be rejected by the host that initiated the process.


mindlesstux
 Post subject: Re: Conditional DNS forwarding
PostPosted: Thu Jan 27, 2011 5:02 pm 
just joined

Joined: Tue Mar 17, 2009 3:20 pm
Posts: 11
Karma: 1

Location: Charlotte, NC, USA
Here is a little rundown on how to do this; the only thing left to do is to check what janisk says, but I'm pretty sure this handles it decently enough.
Code:
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=tcp to-addresses=8.8.8.8 to-ports=53

1. Change the regex to match your domain.
2. Change 4.2.2.2 to your RB DNS server.
3. Change 8.8.8.8 to your AD DNS server.

*edit*
/me applies this little craft for his work domain on his home RB


fewi
 Post subject: Re: Conditional DNS forwarding
PostPosted: Thu Jan 27, 2011 5:26 pm 
Forum Guru

Joined: Tue Aug 11, 2009 2:19 am
Posts: 7737
Karma: 327
To make sure this works on all networks regardless of hops and directly connected servers and clients, you could run the test for the regex in prerouting and just mark the packet, and then do both source and destination NAT on the packet so that it's forced back to the router, enabling it to send it back to the client in a format the client expects:
Code:
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall mangle
add chain=prerouting dst-address=4.2.2.2 protocol=udp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns
add chain=prerouting dst-address=4.2.2.2 protocol=tcp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns

/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=forwarded-dns to-addresses=8.8.8.8
add action=masquerade chain=srcnat connection-mark=forwarded-dns


Or something like that.

_________________
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
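As an added example (not from the thread or from RouterOS itself), here is a small Python model of the decision the two configs above implement: a parser that pulls the QNAME out of a DNS query and picks the forwarder by zone suffix, next to a byte-level regex that mimics what the layer7 rule sees. The zone, the two addresses and the query builder are constructed from the posts' example values and are assumptions for illustration.

```python
import re
import struct

# Constructed values: the zone and placeholder addresses from the thread's
# example config, used in the roles the posts assign them (assumptions).
AD_ZONE = "lantest.mindlesstux.com"
AD_FORWARDER = "8.8.8.8"    # stands in for the AD domain controller
ISP_FORWARDER = "4.2.2.2"   # stands in for the provider resolver
L7_REGEX = re.compile(rb"lantest.mindlesstux.com")  # the thread's layer7 regexp

def build_query(qname, txid=0x1234):
    """Build a minimal DNS A/IN query in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(packet):
    """Return the first question's name, lower-cased, or None if malformed."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + length > len(packet):
            return None  # compression pointer or truncated label
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None

def choose_forwarder(packet):
    """Zone-based decision: names in AD_ZONE go to AD_FORWARDER, else ISP."""
    qname = parse_qname(packet)
    if qname is None:
        return None
    if qname == AD_ZONE or qname.endswith("." + AD_ZONE):
        return AD_FORWARDER
    return ISP_FORWARDER

def layer7_matches(packet):
    """What the thread's layer7 rule sees: a substring regex over raw bytes.
    The unescaped '.' matches the label-length octet that stands in for each
    dot in wire format, which is why the pattern works at all."""
    return L7_REGEX.search(packet) is not None
```

The suffix check on parsed labels is stricter than the raw substring regex, which also fires on any name that merely contains the zone string.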


mindlesstux
 Post subject: Re: Conditional DNS forwarding
PostPosted: Thu Jan 27, 2011 6:12 pm 
just joined

Joined: Tue Mar 17, 2009 3:20 pm
Posts: 11
Karma: 1

Location: Charlotte, NC, USA
Wow, I did not even think of that... that seems like it should be a better solution.


Also, should this thread not be moved to a different forum, since it's not really a beta issue anymore?


marcodor
 Post subject: Re: Conditional DNS forwarding
PostPosted: Fri Jan 28, 2011 3:52 pm 
just joined

Joined: Tue Jan 25, 2011 8:44 pm
Posts: 3
Karma: 0
Hello,

Big thanks to all the experts for suggesting solutions for this task.
I'll try to apply it, but it is a bit complicated for me: layer7, mangle, prerouting ... a lot of rules, a lot of router CPU usage.
I'd like to have it in the DNS area of WinBox, and have it done with 2 clicks.

Anyway, developers, please take it into account.

I suppose DNS zone forwarders and masters are part of the DNS standard, if BIND implemented them.

Thanks in advance!

