Community discussions

 
marcodor
just joined
Topic Author
Posts: 12
Joined: Tue Jan 25, 2011 9:44 pm
Reputation: 0

Conditional DNS forwarding

Tue Jan 25, 2011 10:05 pm

Hello,

We deployed routerboards in our regional branches.
All our remote computers belongs to ms active directory domain, domain controllers are located in central office.
Dns servers for remote computers are set to domain controllers, for a proper AD work.
Now, I want to setup routerboard to act as DNS server for remote computers, and forward DNS queries in a smart way:
if NAME ends with my zone to forward queries to my domain controllers, else forward them to local internet provider.
This will improve response speed, and network performance.

Something like bind has:

zone "mydomain.com" {
type forward;
forward only;
forwarders { 22.22.22.22; };
};

PLEASE include it in TODO list for v5, i think it's not hard to implement it, as you already have forwarders. :)
Just define "Dns Zones" as entities and linked forwarders to that zone.

Thanks in advice!
 
mindlesstux
just joined
Posts: 13
Joined: Tue Mar 17, 2009 4:20 pm
Reputation: 0
Location: Charlotte, NC, USA
Contact:

Re: Conditional DNS forwarding

Thu Jan 27, 2011 4:59 pm

I have not tested this, yet, but it should be possible to create a layer7 protocol that digs into the DNS packet and matches the domain. If the domain is matched then just silently redirect the packet to the proper dns server.


I will post again once I find time to craft and test this.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6172
Joined: Tue Feb 14, 2006 10:46 am
Reputation: 16
Location: Riga, Latvia

Re: Conditional DNS forwarding

Thu Jan 27, 2011 5:25 pm

just be sure that packet that come from that other DNS resolver are with correct src address in reply, other way packet will be rejected by host, how initiated the process.
 
mindlesstux
just joined
Posts: 13
Joined: Tue Mar 17, 2009 4:20 pm
Reputation: 0
Location: Charlotte, NC, USA
Contact:

Re: Conditional DNS forwarding

Thu Jan 27, 2011 6:02 pm

Here is a little run down on how to do this, the only thing left to do is to check what janisk says but im pretty sure this handles it decently enough.
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=udp to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat disabled=no dst-address=4.2.2.2 dst-port=53 layer7-protocol=testdns protocol=tcp to-addresses=8.8.8.8 to-ports=53

1. Change the regex to match your domain.
2. Change 4.2.2.2 to be your RB DNS server
3. Change 8.8.8.8 to be your AD DNS server

*edit*
/me applies this little craft for his work domain on his home RB
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am
Reputation: 18

Re: Conditional DNS forwarding

Thu Jan 27, 2011 6:26 pm

To make sure this works on all networks regardless of hops and directly connected servers and clients, you could run the test for the regex in prerouting and just mark the packet, and then do both source and destination NAT on the packet so that it's forced back to the router, enabling it to send it back to the client in a format the client expects:
/ip firewall layer7-protocol
add name=testdns regexp=lantest.mindlesstux.com

/ip firewall mangle
add chain=prerouting dst-address=4.2.2.2 protocol=udp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns
add chain=prerouting dst-address=4.2.2.2 protocol=tcp dst-port=53 layer7-protocol=testdns action=mark-connection new-connection-mark=forwarded-dns

/ip firewall nat
add action=dst-nat chain=dstnat connection-mark=forwarded-dns to-addresses=8.8.8.8
add action=masquerade chain=srcnat connection-mark=forwarded-dns


Or something like that.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
mindlesstux
just joined
Posts: 13
Joined: Tue Mar 17, 2009 4:20 pm
Reputation: 0
Location: Charlotte, NC, USA
Contact:

Re: Conditional DNS forwarding

Thu Jan 27, 2011 7:12 pm

wow, did not even think of that... that seems like that should be a better solution.


Also should this thread not be moved to a different forum due to its not really a beta issue anymore?
 
marcodor
just joined
Topic Author
Posts: 12
Joined: Tue Jan 25, 2011 9:44 pm
Reputation: 0

Re: Conditional DNS forwarding

Fri Jan 28, 2011 4:52 pm

Hello,

Big thanks to all experts for suggestiong solutions for this task.
I'll try to apply it, but it is a bit complicated for me, layer7, mangle, prerouting ... a lot of rules, a lot of router cpu usage.
I'd like to have it in DNS area of winbox, and with 2 clicks done it.

Anyway, to developers, take it in account,

I suppose dns zone forwarders, masters are a part of DNS standart, if BIND implemented it.

Thanks in advice!
 
Fraction
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jan 16, 2013 10:42 pm
Reputation: 0
Location: Helsinki, Finland

Re: Conditional DNS forwarding

Mon Jun 02, 2014 10:01 pm

Hi,

This is definitely not a beta issue (actually not issue at all) and this topic is also quite old, but I reuse it anyway..

Explained method really works (although I would really appreciate more straightforward way to do this), but is it possible (I pretty sure it is, but my regexp-skilz are just not high enough) to forward all requests ending to '.local' with one L7 entry? If I just replace 'lantest.mindlesstux.com' with '.local', this filter hits also to addresses like domainlocal.com and http://www.localaddress.com etc.

My target is forward all requests containing domains like a.local & site.dadsgkdslf.local to one spesific dns-server and without need to add own entry for all (those are domains used in our test-lab, so they changes quite often and maintaining those is not on my shoulders, only rule is that they always end to .local)
 
MrBZA
just joined
Posts: 1
Joined: Fri Jun 20, 2014 11:05 pm
Reputation: 0

Re: Conditional DNS forwarding

Fri Jun 20, 2014 11:09 pm

Fraction wrote:
Hi,

This is definitely not a beta issue (actually not issue at all) and this topic is also quite old, but I reuse it anyway..

Explained method really works (although I would really appreciate more straightforward way to do this), but is it possible (I pretty sure it is, but my regexp-skilz are just not high enough) to forward all requests ending to '.local' with one L7 entry? If I just replace 'lantest.mindlesstux.com' with '.local', this filter hits also to addresses like domainlocal.com and http://www.localaddress.com etc.

My target is forward all requests containing domains like a.local & site.dadsgkdslf.local to one spesific dns-server and without need to add own entry for all (those are domains used in our test-lab, so they changes quite often and maintaining those is not on my shoulders, only rule is that they always end to .local)


I'm no expert in regex either, try:
^(.*)(yourdomain.local)

Works fine for me.
 
masseselsev
just joined
Posts: 6
Joined: Thu Mar 27, 2014 9:01 am
Reputation: 0
Location: Zhukovskiy, MO, Russia
Contact:

Re: Conditional DNS forwarding

Tue Jul 01, 2014 4:24 pm

Any chance of this being implemented in some future release? Cmon devs, it's not the hardest request at all.
Everyone who holds more than one local dns area will thank you for sure.

And yes, thank you in advance ;)
MTCNA, MTCWE
 
masseselsev
just joined
Posts: 6
Joined: Thu Mar 27, 2014 9:01 am
Reputation: 0
Location: Zhukovskiy, MO, Russia
Contact:

Re: Conditional DNS forwarding

Thu Jul 03, 2014 10:31 am

Also, this workaround (l7, mangle, dst-nat etc.) stops working time to time.
Seems like it just doesn't dig out any l7 info from dns packets.
Reboot and everything is back working for some time (3+hr).
Am I the only one facing such a strange behaviour?
MTCNA, MTCWE
 
JoeriBe
just joined
Posts: 7
Joined: Tue Sep 10, 2013 10:03 am
Reputation: 0

Re: Conditional DNS forwarding

Wed Sep 10, 2014 9:36 pm

I run OS X 10.10 DP7 and the conditional forward stopped working.
This is from the first beta of OS X 10.10 till now DP7.

An other solution would be nice to conditional forward DNS requests.
 
midenok
newbie
Posts: 37
Joined: Fri Dec 27, 2013 6:34 pm
Reputation: 0

Re: Conditional DNS forwarding

Mon Mar 21, 2016 6:30 pm

MrBZA wrote:
Fraction wrote:
Hi,

This is definitely not a beta issue (actually not issue at all) and this topic is also quite old, but I reuse it anyway..

Explained method really works (although I would really appreciate more straightforward way to do this), but is it possible (I pretty sure it is, but my regexp-skilz are just not high enough) to forward all requests ending to '.local' with one L7 entry? If I just replace 'lantest.mindlesstux.com' with '.local', this filter hits also to addresses like domainlocal.com and http://www.localaddress.com etc.

My target is forward all requests containing domains like a.local & site.dadsgkdslf.local to one spesific dns-server and without need to add own entry for all (those are domains used in our test-lab, so they changes quite often and maintaining those is not on my shoulders, only rule is that they always end to .local)


I'm no expert in regex either, try:
^(.*)(yourdomain.local)

Works fine for me.


Put '$' at end to specify end:
yourdomain\.local$


^(.*)() is bogus, at least in terms of standard.

I vote for DNS zone forwarding feature!!!
RouterOS 6.34
 
tmTheMaN
just joined
Posts: 1
Joined: Sat Jan 09, 2016 2:36 pm
Reputation: 0

Re: Conditional DNS forwarding

Fri May 06, 2016 10:32 pm

Five years since the request for a dns zone forwarder and still not implemented, in a way I understand RB is not an advanced DNS server to rely on, but it's still a simple add (I guess, what do I know).

Can anyone advise if using this solution will impact the DNS resolution time ?
 
i4jordan
Frequent Visitor
Frequent Visitor
Posts: 72
Joined: Mon Sep 02, 2013 1:42 am
Reputation: 0

Re: Conditional DNS forwarding

Wed Jun 15, 2016 11:25 am

I also need conditional forwarding of DNS request.
We are using a lot of Mikrotik products for VPN tunnels for branche office usage. And need DNS forwarding to AD DNS domains to authenticate users on terminals/ client computers.
 
teamer
just joined
Posts: 3
Joined: Mon Sep 12, 2016 9:18 am
Reputation: 0

Re: Conditional DNS forwarding

Mon Sep 12, 2016 9:30 am

+1
Please, add DNS zone forwarding feature in the next release!
 
GreySer
just joined
Posts: 6
Joined: Thu Apr 21, 2016 9:38 am
Reputation: 0

Re: Conditional DNS forwarding

Fri Oct 07, 2016 8:22 pm

Here's a way to help me redirect DNS requests for ONION sites to the tor server.

http://mybroadband.co.za/vb/showthread. ... ost7528499

Who is online

Users browsing this forum: No registered users and 3 guests