Greetings! I have a configured rule which in the future I use for selective (based on the domain and its subdomains) routing:
Everything works great, but there are some nuances.
For example, when I open the somedomain.com page in the browser, mikrotik adds this domain resolved ip to the cache and to the address-list. Packets from this address-list are marked according to the mangle rule and routed to the interface that I need.

Further, entries from the address-list are deleted after the TTL for the corresponding entry in the dns cache has expired.
At this moment the problems begin...
If I now refresh the page in the browser, it will use its resolve cache and accordingly... somedomain.com ip will not be added to the router's DNS cache, and it will not be added to the address-list, which means it will not be routed correctly.
In other words, if an application uses its resolve cache and does not request ip every time from router, then sooner or later it is doomed to lose the correct route to the requested domain.
The problem can only be solved by restarting the browser/application.

In this regard, the question is: is it possible to somehow extend the life of entries in my address-list, after they added to it with /ip dns static rule?

It's a pity that there is no solution to such an elementary problem. For many years, many users have been waiting for the opportunity to redirect certain domains with their subdomains to the desired interface, and now it would seem that such a functionality has been made, it even almost works, there are a lot of instructions everywhere on how to use it, but in essence it is completely useless, so how it was not completed properly, and the required result (constant redirection of individual domains to the desired interface) is not there.
Why was it necessary to add a piece of functionality that did not give the required result?.. It’s not clear..

It would be nice if they added the timeout option in the DNS Static menu to the address list.
I had no better idea than a scheduled script that runs every 1 minute and copies from that address list to another one that I named with the _fixed suffix, I use that list in the firewall.
Add this to the scheduler, set the interval so that it is approximately half of the dns record TTL (so you have a chance for at least one copy before the expiration) and use the vpn1_list_fixed address list in the mangle rule. I hope it will work...

Thanks, @tamagochi!
I changed your script a little and applied it this way:

As a result, the script, executed on a schedule, copy the resolved IP addresses of the domains and their subdomains what I need into a new list vpn1_list2 used in the second mangle rule.
It’s very fortunate that when this script runs, the addresses already in vpn1_list2 are not duplicated, but are simply skipped by the script
Also I need to have two mangle rules:
The first mangle rule will fire when an address is detected in vpn1_list1 and stop further processing. And the second will work in the case when the address of the required domain is no longer in the vpn1_list1, but still exist in vpn1_list2


Thus, resolved IP addresses will be valid longer than the TTL of a static DNS entry. I have set the timeout to 24 hours (1d), but the benefits of decreasing or increasing this period are still under consideration.
I think this method has a couple of disadvantages.
Firstly, with a large number of domains, the list of addresses stored for 24 hours (or more if you change the script) may turn out to be quite large, and it is unknown how the router will react to this. Perhaps it will be overloaded with processing long lists, Personally, I only use three-four dozen domains, so this is not a problem for me...
Also, there is still a possibility that after the timeout expires, some address may still be “in the dead zone”, and its resolve will not be requested from the router, and as a result will not be redirected to the correct route. And I think heres we can't do anything with this.


I’m also wondering if it’s possible to change the trigger for running the script in some way, so that the script is executed when a record is added to vpn1_list1? I think this would be as effective as possible, given the available capabilities.

It would be nice if they added the timeout option in the DNS Static menu to the address list

I completely agree with you, that in order to avoid all this hassle, we need just this option.

At this time I ended up with another way.
With this way i'm NOT use static FWD DNS entries. Instead I used firewall RAW rules:
I found that in this way, it is also possible, during a DNS request obtain and store in the specified addess-list the resolved IP addresses of the domain(and all its subdomains), specified in this rule.
I also found that this loads the router’s processor significantly, which means what this method is not suitable for intensive operation of the router on a large network. However, this is still a less expensive way than every two or three minutes to copy all addresses from one address-list to another, besides, in my case, separate routing is necessary for a couple of dozen domains (with subdomains) and for two or three clients within the network.

I think, at this moment, it is still necessary to draw the attention of the Mikrotik developers to the pointlessness of the ability they added to forward static dns if this remains without the ability to specify a timeout for entries in the address-list, longer than TTL for dns entries.

For nexts who will search for similar solutions ( selective routing according to domains and their subdomains )here all of needed settings(exept vpn settings):
Fot every needed domain you must to add the same RAW rule

I apologize for not paying attention to the thread before I got sick, I had some thoughts.

I'm glad that we made progress in solving the problem and that I was able to help a little.
I think it's a good idea to use the two lists together, it bridges the time between copying and stabilizes the route.

There may be a few more pitfalls:
- interruption of a long work process due to a route change
- due to established connections, conntrack insists on ip addresses
- several servers can operate on one IP address, with several names, therefore traffic cannot be separated
- unless you want to ban the name, an nxdomain might be a better solution (be careful, there is no dnsview)
- more dns requests, although this might matter less

I like simple, even one-liner type solutions.
If there are fewer instructions, the operation can be faster.
I also didn't think that it is possible to modify the data to be copied after the copy-from...
We also delete the vpn1_list from the list (the copies that go wrong), the number of cycles and errors could be less during the next run. For me, the first list became empty in 2-3 rounds, the script had nothing to do. I only use the "vpn_list2" list as a collection list and block the traffic in RAW prerouting chain.

Regarding duplication:
I used :do {} on-error commands because if the address is already in the list, "add" causes an error and the script stops running.
And if we search for the address in the target list with find, it takes a long time, especially for a collection list with many items.
In list management, mikrotik has an internal solution, because it manages what the dns request adds and is already on the list.
Some people use huge address lists, e.g. RBL, territorial list per country, even internet full route.
As a result of the dns search, we get /32 addresses, the size of large lists can be reduced by address aggregation, which, however, takes a long time to prepare.

I got some ideas:
What takes a lot of work is that we periodically take the elements of vpn1_list2 in order, try to resolve their names, ping them or add them to netwatch as a monitored ip, and if there is no response, the target is not alive, we delete them from the list.
This may not be worth it... Monitoring hundreds for a few IPs...

Another idea, you need these IP addresses for routing, perhaps by deleting the second list, you could transfer them to the routing table with the appropriate gateway. I didn't think about when and what should happen to the addresses - recursive route? black hole? remove?
The result can be seen in the firewall and cpu load, fewer packets need to be marked for routing, in exchange for a larger routing table, address aggregation would be useful here as well.
Maybe you don't want to make the "change back" conditional, is it good if the route is reset when the addresses expire?
But that's another script...

Third idea:
In the address lists, we can use not only ip addresses, ip domains, but also dns names.
When I manually add the dns name to a list in winbox, it enters it and gets a dynamic indicator, it resolves and the ips are displayed.
The luck is that the comment contains a dns name that we got with the "Address List" (thanks mikrotik!).
The comment looks like "created for example.com.".
If you need the exact name...
If the vpn1_list were big and we would do it faster:
- we are not precise, we keep the dot that closes the domain name, it does not cause a problem in name resolution
- we do not count the length of the name
- we make bad use of the possibility that the pick does not indicate an error if the end of the string is greater than the length (be careful, not expected operation)
- we save the variable
- fqdn longer than 255 characters is not very common...
It's not "pretty", but within the right limits it works for me...
The problem you call "Dead Zone effect" (cool name, could even be the title of a game or demo)
Maybe /ip dns cache flush would solve it, because then the resolver cannot resort to anything other than external servers and its own static entries. When this should be done is a good question, but it is certain that it will cause an increase in dns traffic and some delay in name resolution.
If you shorten the "Cache Max TTL", which is the default 7d, you don't have to empty the entire dns cache, but you will get fewer hits.

Quite a few dns requests later....

Testing:
It is an "external dns name", there is an entry in the static <fqdn> fwd <external dns server> address-list <list name>.
:put [:resolve dnsname] does not always use the "local dns server", it takes a few repetitions to get into the cache,
therefore :put [:resolve fqdn server=127.0.0.1] works better.

- you make a dns request, it enters the cache, it adds the ip to the list, you remove it manually, but the next dns request doesn't include it
The TTL is still ticking in the dns cache, so it is not added, because it would be double....
dns flush cache, deletes cache and removes the ip from the list
Another request, it will be added , it works...

- you make a dns request, it is added to the cache, the ip is added to the list, you rename the list, the ip is not removed from the old list
but it will be uploaded again
But, if you rename it, the TTL or flush cache is ticked in the cache, it will be removed

- I disable the record, flush, I make a dns request, it is put in the cache, TTL starts ticking,
I enable the fwd record with the list, then it is not listed yet,
dns request, it is added to the list, but even though the TTL expires, it is not removed and the cache flush does not remove it either.
I manually delete the ip from the list, it is removed, it is not in the cache.
Dns request, cache, is added to the list, flush, cached, deleted from the list.

With a static "A record" (you manually overwrote an ip), the problem is that you cannot automatically remove the ip from the list.
- it's already in the cache, dns request, it picks up an ip, I disable the record (of course, the management of the list ends with this), it drops out of the cache
but it stays on the list
- I manually delete the ip from the list, enable the record, it is put in the cache, no matter how many requests I make, it is no longer on the list .
Well, the flush doesn't help with this either, because there will be no static, TTL expiration, no trigger.
If I give another list or ip, "it works the same way"
Is the ip on some internal list? Do you have any hidden flags in the cache?
Well, only restarting the router helps with this...

The ip included in the address list has a dynamic flag, which should be understood as "this managed by a service and preferably not tampered".
But it allows you to remove it, but then the router does not think that it has expired in the cache, there is no trigger. According to him, the ip is still on the list, so the dns request does not add it again.
Maybe that's why there is no timeout value in the list either, because the detour is not done by the list. If the timeout is shorter than the TTL, the dns request will not be added to the list, and if it is longer, it will collide.
I think avoiding multiple additions was solved this way, without searching the entire list.
This is too long and complicated for me, so I google translated it.

Hi, @tamagochi! And thank you again for your post!

I apologize for not paying attention to the thread

Very kind. Don't worry too much, you're already helping!

There are many suggestions, I will try to figure it out. English is not my strong point

We also delete the vpn1_list from the list

Correctly noted! This way there will actually be significantly less action.

I didn't think about when and what should happen to the addresses - recursive route? black hole? remove?

I use this to access via VPN, sites blocked by my local providers, if that's what you're talking about.

In the address lists, we can use not only ip addresses, ip domains, but also dns names.

Yes. This is also a very good idea!

The problem you call "Dead Zone effect" (cool name, could even be the title of a game or demo)
Maybe /ip dns cache flush would solve it

No. Unfortunately, this will not help, since the root of the problem I described in the first post, is that all chrome-like browsers have their own DNS cache. And if there is still a DNS entry in the browser cache, and the corresponding entry in the router’s address list has been deleted for some reason (or has not yet been added, for example, after rebooting the router), then routing stops working because the browser does NOT make a DNS request.


First of all, the option of copying addresses from one list to another using a script frustrates me because of the need for regular processing, even while the network is idle. I agree that this looks concise and provides almost all the required functionality (however, this still does not solve the main problem with the browsers’ DNS cache).
What would be ideal is the ability to initiate the script only after adding new entries to vpn1_list1. But as far as I understand, such functionality is not provided in Mikrotik.

I have developments on the subject.
I would not recommend the content filter as a solution for collecting dns names because it causes significant cpu usage, and you cannot filter encrypted traffic with it (such as TLS).
I would use the address list option if part of the fqdn is known and must be matched with Match Subdomain or regex.
If you know the dns names, you only have to add them to the firewall list manually, then the list should not even expire.
The existence of the VPN connection should control the route.
The (semi-)finished list only needs to be routed if the addresses have been uploaded or collected beforehand.

If you establish the VPN connection with the router and it is of ppp type, the management of routes can be scripted in the ppp profile.
If you connect is another way, e.g. wireguard peer (on/off), you can monitor the tunnel ip and script it from Netwatch.
Then you just have to enable or disable the two mangle rules based on the "VPN" comment. The DNS name-based address list has a problem that I only discovered later. As the names are resolved in the vpn1_list2 list, they will appear again in the vpn1_list list, since the "filtering" in /ip dns static will match them again.

But I found something else that popped up during an export: address-list-extra-time. Thanks Mikrotik!
I couldn't find it in the documentation, in the release history, but it does what its name says, it adds the expiration time of the IP that goes to the "Address List" with this time.
It may have entered somewhere around 7.9-7.10.
This way, you don't need the scheduled script and you only need a mangle rule and its VPN-dependent on/off.

I agree that this looks concise and provides almost all the required functionality (however, this still does not solve the main problem with the browsers’ DNS cache).

If the browser also enters the dns cache via the router, the router can build an address list even before the VPN is created.