We run our DNS off of our Mikrotik CORE router. What is the recommended cache size? If I set to 5000, DNS queries are brutally slow once the cache is fulll.... We use OPEN DNS for our dns queries. Our CORE router has a max CPU usage of 11%.

What has prompted me playing with all this is that we used to have a NAT rule masq. requests (forcing) all DNS requests through our DNS... we have been starting to get ALOT of page not found errors. I think it must be over loading or something.

Should we be using a seperate DNS box instead of using our CORE?

Any recommendations?

We service over 2500 users on our network.

In my opinion 2500 users justifies a dedicated caching resolver.

Any recommendations? Linux box??

I'd go with a FreeBSD or Linux server running maradns, but you'll find lots of people with different preferences.

Personally I like Bind just because it's been around awhile and seems to be the most widely used; I am also familiar with it. As mentioned, there are lots of choices though.

Mikrotik is a Router OS. Can you expect a Cisco to be a full-featured DNS/HTTP/xyz server? With Mikrotik, it seems we went "everything" included, and I too find myself saying "just this one more feature would be great", but of course 1 feature * 1000's of requests would make Mikrotik bloated and RAM heavy.

BIND would be fine

Dedicated Dns server it is!

What is the recommended cache size? If I set to 5000, DNS queries are brutally slow once the cache is fulll.... We use OPEN DNS for our dns queries.

What, 5000 kilobytes? That is only 5 megabytes.

Yes.... And that is over 7000 dns entries.... And you figure 1000's of requests per second... The response times across the network is brutally slow. If I set the cache to 600 all is fine.

I agree with the one post on this thread... MT is a routing device not a DNS server.

we are facing a problem with MT dns cache , at cache we always found somthing like this :

jgajagjg.cc unknown type 0.0.0.0

and there are a lot of them each time after flushing the cache !!!
somtimes that rubish name is somthing known like www.yahoo.com !!!

and it effects browsing some sites like yahoo.mail , or login yahoo messenger ..

this is new problem wasnt there since years of using MT as a core router and DNS cache server ..

if we should use BIND as a dns server , should we redirect requests by dst-nat and leavin dns at MT as 0.0.0.0 ??

You should set up some DNS on the router so that the router itself can resolve names. Just disable external access.

I'd simply configure the clients to use whatever external DNS you provide, statically or via DHCP. Transparently redirecting users isn't very nice to do in my opinion, some clients use specific DNS servers for good reasons.

thanks alot , so forget MT as a dns cache server ..

but does anybody knows where this( and similar ) came from :

jgajagjg.cc unknown type address: 0.0.0.0

??

That's a cached negative reply. Some client tried to resolve that address (could be worm infected, trying to contact a control server? Wild guess, that) and DNS resolver on the router in turn attempted to resolve the address on behalf of the client. The domain does not exist, and the DNS proxy recorded that. It caches negative replies for 24 hours.

yes it seems like worm action , cause we can find like 10 addresses have the same name with one letter change in each name , but this is effecting yahoo mail and yahoo messenger , is there any way to reduce the ttl ?

AFAIK there is not. I remember seeing a feature request to that regard.

How would that negatively affect Yahoo! mail, though? If www.yahoo.com is cached as non-existant, that has nothing to do with other resolution failures unless someone is actively poisoning your cache - if you actually find proof of that you'd want to contact support. If www.yahoo.com is cached as non-existant, it's far more likely that whatever upstream DNS the router is using is giving back bad results. Try a different upstream server.

its not effecting yahoo all the time , but it happened many times, solved by flushing the dns-cache ..

these unknown names are almost the same every time appears after flushing the cache ,
look at these names :
oddracash.net , oddrbcash.net ....... oddrkcash.net ..

i need to know could this poisoning coming from the public net ? or it should be requested by one of the local clients ?

Maybe I should explain more carefully.

There are two ways that results can get into the cache - the normal way (the upstream DNS reports something, and the caching resolver caches it) or via cache poisoning (someone maliciously goes to great lengths to insert a fake entry). The latter is much, much, much, much less likely.

The most likely source to your problem is that occasionally the upstream DNS you're using is saying, "you know what, I don't know about www.yahoo.com. It does not exist." The caching resolver in RouterOS does its duty and records that fact. Try a different upstream DNS (OpenDNS comes to mind, but there are other publicly available DNS servers) and see if the problem with Yahoo goes away. It is most likely completely unrelated to the bogus entries you're seeing. The bogus entries you are seeing are there because someone is asking for them. There is no easy way to tell if it's coming from the WAN or the LAN, but you should probably block udp/tcp 53 incoming from the WAN because you don't want to be a caching resolver for the world! Again, they are most likely completely unrelated to any problems you have with Yahoo and DNS.

i have the same problem , the dns cache get full in a sec.

if there any way to block this kind of address which most likly a generated words not even a real sites

what should i do?

We solved by setting up a redirect for all dns to a Linux server running Bind9....
No more problems.

Hi All
I'm having the same problem
How do I redirect all dns requests coming to this mikrotik dns server to an external dns like quad 9