Conditional DNS forwarding
BETA Testing and Feature Suggestions for the next RouterOS release (ROS v7)

12 posts   •   Page 1 of 1
marcodor
just joined
 
Posts: 9
Joined: Tue Jan 25, 2011 9:44 pm

Conditional DNS forwarding

by marcodor » Tue Jan 25, 2011 10:05 pm

Hello,

We deployed routerboards in our regional branches.
All our remote computers belongs to ms active directory domain, domain controllers are located in central office.
Dns servers for remote computers are set to domain controllers, for a proper AD work.
Now, I want to setup routerboard to act as DNS server for remote computers, and forward DNS queries in a smart way:
if NAME ends with my zone to forward queries to my domain controllers, else forward them to local internet provider.
This will improve response speed, and network performance.

Something like bind has:

zone "mydomain.com" {
type forward;
forward only;
forwarders { 22.22.22.22; };
};

PLEASE include it in TODO list for v5, i think it's not hard to implement it, as you already have forwarders. :)
Just define "Dns Zones" as entities and linked forwarders to that zone.

Thanks in advice!

mindlesstux
just joined
 
Posts: 11
Joined: Tue Mar 17, 2009 4:20 pm
Location: Charlotte, NC, USA

Re: Conditional DNS forwarding

by mindlesstux » Thu Jan 27, 2011 4:59 pm

I have not tested this, yet, but it should be possible to create a layer7 protocol that digs into the DNS packet and matches the domain. If the domain is matched then just silently redirect the packet to the proper dns server.


I will post again once I find time to craft and test this.

User avatar
janisk
MikroTik Support
MikroTik Support
 
Posts: 5906
Joined: Tue Feb 14, 2006 10:46 am
Location: Riga, Latvia

Re: Conditional DNS forwarding

by janisk » Thu Jan 27, 2011 5:25 pm

just be sure that packet that come from that other DNS resolver are with correct src address in reply, other way packet will be rejected by host, how initiated the process.

mindlesstux
just joined
 
Posts: 11
Joined: Tue Mar 17, 2009 4:20 pm
Location: Charlotte, NC, USA

Re: Conditional DNS forwarding

by mindlesstux » Thu Jan 27, 2011 6:02 pm

Here is a little run down on how to do this, the only thing left to do is to check what janisk says but im pretty sure this handles it decently enough.
Code: Select all
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=tcp to-addresses=8.8.8.8 to-ports=53

1. Change the regex to match your domain.
2. Change 4.2.2.2 to be your RB DNS server
3. Change 8.8.8.8 to be your AD DNS server

*edit*
/me applies this little craft for his work domain on his home RB

fewi
Forum Guru
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Conditional DNS forwarding

by fewi » Thu Jan 27, 2011 6:26 pm

To make sure this works on all networks regardless of hops and directly connected servers and clients, you could run the test for the regex in prerouting and just mark the packet, and then do both source and destination NAT on the packet so that it's forced back to the router, enabling it to send it back to the client in a format the client expects:
Code: Select all
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall mangle
add chain=prerouting dst-address=4.2.2.2 protocol=udp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns
add chain=prerouting dst-address=4.2.2.2 protocol=tcp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns

/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=forwarded-dns to-addresses=8.8.8.8
add action=masquerade chain=srcnat connection-mark=forwarded-dns


Or something like that.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

mindlesstux
just joined
 
Posts: 11
Joined: Tue Mar 17, 2009 4:20 pm
Location: Charlotte, NC, USA

Re: Conditional DNS forwarding

by mindlesstux » Thu Jan 27, 2011 7:12 pm

wow, did not even think of that... that seems like that should be a better solution.


Also should this thread not be moved to a different forum due to its not really a beta issue anymore?

marcodor
just joined
 
Posts: 9
Joined: Tue Jan 25, 2011 9:44 pm

Re: Conditional DNS forwarding

by marcodor » Fri Jan 28, 2011 4:52 pm

Hello,

Big thanks to all experts for suggestiong solutions for this task.
I'll try to apply it, but it is a bit complicated for me, layer7, mangle, prerouting ... a lot of rules, a lot of router cpu usage.
I'd like to have it in DNS area of winbox, and with 2 clicks done it.

Anyway, to developers, take it in account,

I suppose dns zone forwarders, masters are a part of DNS standart, if BIND implemented it.

Thanks in advice!

Fraction
newbie
 
Posts: 40
Joined: Wed Jan 16, 2013 10:42 pm
Location: Helsinki, Finland

Re: Conditional DNS forwarding

by Fraction » Mon Jun 02, 2014 10:01 pm

Hi,

This is definitely not a beta issue (actually not issue at all) and this topic is also quite old, but I reuse it anyway..

Explained method really works (although I would really appreciate more straightforward way to do this), but is it possible (I pretty sure it is, but my regexp-skilz are just not high enough) to forward all requests ending to '.local' with one L7 entry? If I just replace 'lantest.mindlesstux.com' with '.local', this filter hits also to addresses like domainlocal.com and http://www.localaddress.com etc.

My target is forward all requests containing domains like a.local & site.dadsgkdslf.local to one spesific dns-server and without need to add own entry for all (those are domains used in our test-lab, so they changes quite often and maintaining those is not on my shoulders, only rule is that they always end to .local)

MrBZA
just joined
 
Posts: 1
Joined: Fri Jun 20, 2014 11:05 pm

Re: Conditional DNS forwarding

by MrBZA » Fri Jun 20, 2014 11:09 pm

Fraction wrote:Hi,

This is definitely not a beta issue (actually not issue at all) and this topic is also quite old, but I reuse it anyway..

Explained method really works (although I would really appreciate more straightforward way to do this), but is it possible (I pretty sure it is, but my regexp-skilz are just not high enough) to forward all requests ending to '.local' with one L7 entry? If I just replace 'lantest.mindlesstux.com' with '.local', this filter hits also to addresses like domainlocal.com and http://www.localaddress.com etc.

My target is forward all requests containing domains like a.local & site.dadsgkdslf.local to one spesific dns-server and without need to add own entry for all (those are domains used in our test-lab, so they changes quite often and maintaining those is not on my shoulders, only rule is that they always end to .local)


I'm no expert in regex either, try:
Code: Select all
^(.*)(yourdomain.local)

Works fine for me.

masseselsev
just joined
 
Posts: 3
Joined: Thu Mar 27, 2014 9:01 am

Re: Conditional DNS forwarding

by masseselsev » Tue Jul 01, 2014 4:24 pm

Any chance of this being implemented in some future release? Cmon devs, it's not the hardest request at all.
Everyone who holds more than one local dns area will thank you for sure.

And yes, thank you in advance ;)

masseselsev
just joined
 
Posts: 3
Joined: Thu Mar 27, 2014 9:01 am

Re: Conditional DNS forwarding

by masseselsev » Thu Jul 03, 2014 10:31 am

Also, this workaround (l7, mangle, dst-nat etc.) stops working time to time.
Seems like it just doesn't dig out any l7 info from dns packets.
Reboot and everything is back working for some time (3+hr).
Am I the only one facing such a strange behaviour?

JoeriBe
just joined
 
Posts: 6
Joined: Tue Sep 10, 2013 10:03 am

Re: Conditional DNS forwarding

by JoeriBe » Wed Sep 10, 2014 9:36 pm

I run OS X 10.10 DP7 and the conditional forward stopped working.
This is from the first beta of OS X 10.10 till now DP7.

An other solution would be nice to conditional forward DNS requests.

12 posts   •   Page 1 of 1

Who is online

Users browsing this forum: No registered users and 10 guests

It is currently Mon Nov 24, 2014 4:03 am