Adding a CNAME in ROS does not work as it should. I have a case with MT where they have confirmed this issue.
What I see is that a CNAME I add does not work at all. Now I use network.local as the suffix for the CNAME key but a “real” FQDN as the value.
This only works if I resolve the value first and get it into the cache.
For example, if I add a CNAME with key test.example.local and value dns.google.com, I cannot resolve test.example.local.
This will not work for me unless I have dns.google.com in the cache. So, for example, if I run nslookup dns.google.com, that will put the IP for this value in the cache for a short while.
During this time test.example.local will resolve.
The reason is that the DNS resolver will send the CNAME externally to resolve, as I saw network.local in my external DNS provider logs, and they should not be there.
I’m not sure this is applicable to you but CNAME does not work as it should and could very well be affecting you.
I still think the issue applies even to you. In this case you ask for the domain aaa.example.com and that does not exist in public DNS.
Now I cannot be sure, but the issue I see is that the question I send for a CNAME is not managed within the device but is sent to the external DNS resolver you have.
Did a little test:
I added the following:
/ip dns static
add address=1.1.1.1 regexp="\\.cnn\\.com"
So in this case I see the answer I was expecting. Then we remove the A record and add this:
/ip dns static
add cname=one.one.one.one regexp="\\.cnn\\.com" type=CNAME
This produced the following:
Non-authoritative answer:
Name: turner-tls.map.fastly.net
Addresses: 2a04:4e42:14::323
151.101.85.67
Aliases: www.cnn.com
As you can see I get a response, but these are the “real” IPs you get from the external resolver. So this indicates the CNAME question www.cnn.com is sent externally and not managed in your device.
And just to prove my point here I added this:
/ip dns static
add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
This gave me this result:
*** UnKnown can’t find aaa.example.com: Non-existent domain
Then I went to the logs of my external resolver (NextDNS) and found this in the log:
So in this case the question for aaa.example.com is not honored on the DNS resolver in MikroTik but is instead sent to my external resolver asking for an A record.
So I think you have the same issue. MT has confirmed they have found the issue, but there is no fix for this in the pipeline yet as far as I know.
/ip dns static
add address=1.1.1.1 name=one.one.one.one
add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
then, manually resolve
one.one.one.one
and find it in the cache to ensure the cache is valid
/ip dns cache> :put [:resolve one.one.one.one]
1.1.1.1
/ip dns cache> print where name=one.one.one.one
Flags: S - static
# NAME TYPE DATA TTL
0 S one.one.one.one A 1.1.1.1 1d
then, manually resolve
aaa.example.com
Result:
/ip dns cache> :put [:resolve aaa.example.com]
failure: dns name does not exist
when I change
/ip dns static add cname=one.one.one.one regexp="\\.example\\.com" type=CNAME
to
/ip dns static add cname=one.one.one.one name=aaa.example.com type=CNAME
it works:
/ip dns static> :put [:resolve aaa.example.com]
1.1.1.1
So, you have said:
So in this case the question for aaa.example.com is not honored on the DNS resolver in MikroTik
YES!
But you also have said:
For example, if I add a CNAME with key test.example.local and value dns.google.com, I cannot resolve test.example.local.
This will not work for me unless I have dns.google.com in the cache
NO! This is a different issue. I have
one.one.one.one
in the DNS cache, and it works without a regexp when I have
one.one.one.one
in the DNS cache, but it does not work with a regexp entry.
And:
I am still interested in how to let MikroTik know about my issue
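The two behaviours tested in this thread (a regexp= CNAME row that is not applied while a name= CNAME row is, and internal names turning up in an external provider's logs) can be reproduced offline with a small model resolver. This is an added example, not code from this thread and not RouterOS's implementation: the StaticEntry and ModelResolver classes, the regexp_cname_honored switch, the run_scenario helper and the constructed PUBLIC_DNS table are assumptions used only to contrast the expected behaviour with the one reported above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticEntry:
    """Model of one /ip dns static row (assumption: exactly one of name/regexp is set)."""
    name: Optional[str] = None       # exact-match key, like name=aaa.example.com
    regexp: Optional[str] = None     # regexp key, like regexp="\\.example\\.com" (searched unanchored)
    address: Optional[str] = None    # A record data, like address=1.1.1.1
    cname: Optional[str] = None      # CNAME target, like cname=one.one.one.one

    def matches(self, qname: str) -> bool:
        if self.name is not None:
            return qname.lower() == self.name.lower()
        return re.search(self.regexp, qname, re.IGNORECASE) is not None


@dataclass
class ModelResolver:
    static: List[StaticEntry]
    upstream: Dict[str, str]                    # constructed stand-in for the external resolver
    regexp_cname_honored: bool = True           # False reproduces the behaviour reported in the thread
    cache: Dict[str, str] = field(default_factory=dict)
    forwarded: List[str] = field(default_factory=list)   # names sent upstream (what a provider's log shows)

    def resolve(self, qname: str, depth: int = 0) -> str:
        if depth > 8:
            raise LookupError(f"CNAME chain too long at {qname}")
        for row in self.static:
            if not row.matches(qname):
                continue
            if row.address is not None:
                return row.address
            if row.regexp is not None and not self.regexp_cname_honored:
                # Reported behaviour: the regexp CNAME row is not applied, so the
                # original question falls through and leaves the device.
                break
            # Expected behaviour: restart resolution locally with the CNAME target.
            return self.resolve(row.cname, depth + 1)
        if qname in self.cache:
            return self.cache[qname]
        self.forwarded.append(qname)
        answer = self.upstream.get(qname.lower())
        if answer is None:
            raise LookupError(f"dns name does not exist: {qname}")
        self.cache[qname] = answer
        return answer


# Constructed "public DNS" content; the addresses are sample values, not a live lookup.
PUBLIC_DNS = {"one.one.one.one": "1.1.1.1", "dns.google.com": "8.8.8.8"}


def run_scenario(rows: List[StaticEntry], qname: str,
                 regexp_cname_honored: bool) -> Tuple[str, List[str]]:
    """Resolve qname against rows; return (answer or failure text, names that were forwarded)."""
    resolver = ModelResolver(rows, dict(PUBLIC_DNS), regexp_cname_honored)
    try:
        answer = resolver.resolve(qname)
    except LookupError as exc:
        answer = f"failure: {exc}"
    return answer, list(resolver.forwarded)


def leaked_internal_names(forwarded: List[str],
                          suffixes=(".local", ".internal", ".lan")) -> List[str]:
    """Names that left the device although their suffix marks them as internal-only."""
    return [n for n in forwarded if n.lower().endswith(suffixes)]


def thread_rows() -> List[StaticEntry]:
    """The two static rows from the one.one.one.one test in the thread."""
    return [StaticEntry(name="one.one.one.one", address="1.1.1.1"),
            StaticEntry(regexp=r"\.example\.com", cname="one.one.one.one")]


if __name__ == "__main__":
    for honored in (True, False):
        print("regexp CNAME honored:", honored, run_scenario(thread_rows(), "aaa.example.com", honored))
    local_rows = [StaticEntry(regexp=r"\.network\.local", cname="dns.google.com")]
    answer, sent = run_scenario(local_rows, "test.network.local", False)
    print(answer, "leaked internal names:", leaked_internal_names(sent))
```

The leaked_internal_names check is the defender's side of the first post: with the reported behaviour, a query for test.network.local shows up in the forwarded list and therefore in the external provider's logs, whereas with the expected behaviour only the CNAME target (dns.google.com) ever leaves the device. Running the same kind of comparison against real provider logs is the quickest way to confirm whether a given RouterOS build answers regexp CNAME rows locally.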