Built-in DNS Client fails via VRF?

Hi

Assume fresh configuration with ether1 and ether2 connected to the same switch…

  1. Assign 192.168.1.2/24 gw 192.168.1.1 to ether1 (assume 192.168.1.1 is our WAN on another router altogether)
  2. Assign 192.168.0.1/24 to ether2, which we’ll use to telnet/winbox into this MikroTik
  3. Assign ether1 to a new VRF, let’s call it “gw”.
  4. Add new route as follows: /ip route add dst-address=1.1.1.1/32 gateway=192.168.1.1@gw routing-table=main
  5. MikroTik can now access the internet normally, e.g. ping 1.1.1.1 without specifying “vrf=gw”, and receives replies
  6. Prepare the DNS client: /ip dns/set servers=1.1.1.1
  7. Try to resolve with the DNS client
    [admin@RouterOS] > /resolve google.com
    failure: dns server failure
    [admin@RouterOS] >

Conclusion:
It seems as if MikroTik’s DNS client doesn’t recognize INPUT traffic coming to it from the VRF interface, although that traffic appears in the log if I enable input logs, e.g.:

input: in:(unknown 152) out:(unknown 0), src-mac 04:4f:4c:8e:f0:db, proto UDP 1.1.1.1:53->102.168.1.2:36084, len 71

I presume this is somewhat expected right now, and related to these posts?
http://forum.mikrotik.com/t/vrf-management/120446/1
http://forum.mikrotik.com/t/vrf-aware-management-services-winbox-ssh-http/94517/1
http://forum.mikrotik.com/t/make-ros-services-vrf-aware/45566/1

Any pointers welcome

I’m using v7.1rc5

Thanks

Same issue here… any hints? RouterOS 7.5

Same under 7.6beta10

Each of my WANs is in its own VRF.

Main VRF traffic is balanced via PCC into the two VRFs. Traffic entering a WAN-VRF from main VRF is connection-marked, to be routed back into main directly. Everything works perfectly except traffic initiated by the router itself.

Using a secondary mini RB as a workaround currently (DNS, NTP and IPSec)

Instead of
/resolve google.com

try this:
:put [:resolve google.com]