I want to express my appreciation to the Mikrotik team for the Containerized App feature.
I started a small project that involves having my own DNS server.
There are two apps that can help achieve this goal: goaway and technitium.
I have tested both of them, one at a time, of course.
Unfortunately, after I set the router's DNS server to the container IP address (172.18.0.2 in my case), clients can no longer resolve names.
I am not knowledgeable in networking or Mikrotik, but it appears that the containerized DNS server is not able to access the internet at all.
I say that because the 'Upstream DNS servers' page of the GoAway web interface shows a message like this:
1.1.1.1:53 DNS Ping: Failed (dns) ICMP Ping: Failed (tcp)
Any suggestions are welcome.
Thank you, and best regards.
Here is my config:
2026-01-14 14:09:28 by RouterOS 7.21
software id = xxx
model = C53UiG+5HPaxD2HPaxD
serial number = xxx
/disk
add file-path=/usb2-part1/swap file-size=8.0GiB slot=file-usb2-part1-swap
swap=yes type=file
add parent=usb2 partition-number=1 partition-offset=512 partition-size=
31004294656 type=partition
/interface bridge
add name=BR1 port-cost-mode=short protocol-mode=none vlan-filtering=yes
add name=internal protocol-mode=none
/interface wifi
# wifi1 (5 GHz AP): WPA3-PSK only. disable-pmkid=no is set explicitly here.
# NOTE(review): PMKID exposure mainly matters for WPA2-PSK, so the impact on a
# WPA3-only radio is presumably small - confirm against the RouterOS wifi docs.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=
10min-cac .width=20/40/80mhz configuration.country=xxx .mode=ap
.ssid=xxx disabled=no security.authentication-types=wpa3-psk
.disable-pmkid=no
# wifi2 (2.4 GHz AP): accepts both WPA2-PSK and WPA3-PSK, so a client may still
# associate with WPA2-PSK; the passphrase strength is the effective protection.
# No disable-pmkid value is shown for this radio (export omits defaults).
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=
10min-cac .width=20/40mhz configuration.country=xxx .mode=ap .ssid=
xxx security.authentication-types=wpa2-psk,wpa3-psk
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=
xxx
/interface veth
add address=172.18.0.2/24 container-mac-address=1E:C5:40:C1:2C:E3 dhcp=no
gateway=172.18.0.1 gateway6="" mac-address=1E:C5:40:C1:2C:E2 name=
veth-app-goaway
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add name=WAN
add name=VLAN
add name=BASE
/ip pool
add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server
add address-pool=BASE_POOL interface=BASE_VLAN lease-time=8h name=BASE_DHCP
add address-pool=BLUE_POOL interface=BLUE_VLAN lease-time=8h name=BLUE_DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/app
set goaway disabled=no
/app settings
set disk=usb2-part1 lan-bridge=BR1 router-ip=192.168.88.1
/container
# GoAway DNS container attached to veth-app-goaway (172.18.0.2 per /interface veth).
# - env: the app listens for DNS on 53 and serves its web UI on 8094.
# - mount: two directories on usb2-part1 are mounted read-write into the container
#   (/app/config and /app/data).
# - remote-image uses the mutable ":latest" tag, so the image content can change
#   between pulls. NOTE(review): pinning a specific tag or digest
#   (e.g. docker.io/pommee/goaway:<pinned-version>) makes updates deliberate and
#   reviewable for a service that sees every client's DNS queries.
add env="DNS_PORT=53,WEBSITE_PORT=8094" hosts=goaway:172.18.0.2 interface=
veth-app-goaway layer-dir=/usb2-part1/apps/layers mount="/usb2-part1/apps/
goaway/config:/app/config:rw,/usb2-part1/apps/goaway/data:/app/data:rw"
name=app-goaway remote-image=docker.io/pommee/goaway:latest root-dir=
/usb2-part1/apps/goaway/goaway_root stop-time=30s workdir=/app
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
wifi1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
wifi2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
ether2 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
ether3 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
ether4 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=
ether5 internal-path-cost=10 path-cost=10 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=BASE
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=BLUE_VLAN list=VLAN
add interface=BASE_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.88.1/24 interface=BASE_VLAN network=192.168.88.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# Router resolver settings.
# - allow-remote-requests=yes: the router answers DNS queries from other hosts;
#   which hosts can reach it is decided by the input chain in /ip firewall filter.
# - servers=172.18.0.2: the container is the router's ONLY upstream. If the
#   container is stopped or cannot reach its own upstreams, the router (and every
#   client using it) has no working resolver and no fallback.
# - NOTE(review): verify-doh-cert=yes and the doh-* limits presumably have no
#   effect here because no use-doh-server is shown in this export - confirm.
set allow-remote-requests=yes cache-max-ttl=1d cache-size=250000KiB
doh-max-concurrent-queries=200 doh-max-server-connections=6
max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=
172.18.0.2 verify-doh-cert=yes
/ip firewall filter
# Rules are evaluated top to bottom per chain; the first match decides.
#
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
# ICMP to the router is accepted from every interface, WAN included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# DNS (udp/tcp 53) to the router is accepted only from the VLAN interface list,
# whose members in this export are BLUE_VLAN and BASE_VLAN. The container side
# (veth-app-goaway / bridge "internal") is not a member, so DNS packets from the
# container that end up addressed to the router reach the final input drop.
add action=accept chain=input comment="Allow VLAN DNS" dst-port=53
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS" dst-port=53
in-interface-list=VLAN protocol=tcp
# Full router access (management included) from the BASE VLAN only.
add action=accept chain=input comment="Allow Base_Vlan Full Access"
in-interface=BASE_VLAN
# Default deny for everything else sent to the router.
add action=drop chain=input comment=Drop
#
# ---- forward chain: traffic routed through the router ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# The only rule that lets NEW outbound connections through: they must enter from
# the VLAN list and leave via the WAN list. Nothing in this chain accepts new
# connections originating from the container network (172.18.0.0/24), so the
# container's attempts to reach its upstream resolvers hit the final drop below.
# That is consistent with the "DNS Ping: Failed / ICMP Ping: Failed" status.
# NOTE(review): if the container is meant to reach upstream resolvers, a narrowly
# scoped accept placed before the final drop is needed (container interface ->
# WAN, ideally limited to the resolver ports it actually uses). The export shows
# no bridge port for veth-app-goaway; confirm the interface name the container
# traffic arrives on before writing the rule.
add action=accept chain=forward comment="VLAN Internet Access only"
connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Accepts every connection that matched a dstnat rule, from any interface. Any
# dst-nat rule added later (including ones created automatically for apps) is
# therefore forwarded without a further filter decision here.
add action=accept chain=forward comment="allow port forwarding"
connection-nat-state=dstnat
# Default deny for all other forwarded traffic.
add action=drop chain=forward comment=Drop
/ip firewall nat
# Source NAT for everything leaving through the WAN interface list.
add action=masquerade chain=srcnat comment="Default masquerade"
out-interface-list=WAN
# Forced-DNS redirect: any packet to port 53 (udp/tcp) is rewritten to be handled
# by the router itself. Neither rule has an in-interface, in-interface-list or
# source-address match, so they apply to ALL traffic passing dstnat, including
# the container's own queries to its upstream resolvers (e.g. 1.1.1.1:53).
# Those queries are then addressed to the router, where the input chain accepts
# DNS only from the VLAN list; and the router's only configured server is the
# container itself (172.18.0.2), so accepting them would create a resolution loop.
# NOTE(review): scope both rules to client traffic (for example with
# in-interface-list=VLAN) so the container's upstream queries are not captured.
# This redirect covers plain DNS on port 53 only; it does not affect DoT/DoH.
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=redirect chain=dstnat dst-port=53 protocol=tcp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# Management plane: cleartext and unused services (ftp, telnet, www, api,
# api-ssl) are disabled; ssh and winbox stay enabled but only accept clients
# from 192.168.88.0/24 (the BASE VLAN subnet in this export).
set ftp disabled=yes
set ssh address=192.168.88.0/24
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.88.0/24
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall filter
# IPv6 is switched off in this export (/ipv6 settings disable-ipv6=yes), so these
# rules only matter if IPv6 is enabled later.
add action=accept chain=input comment="Allow Estab & Related"
connection-state=established,related
# NOTE(review): accepts ALL IPv6 input from the VLAN list (BLUE_VLAN and
# BASE_VLAN). That is broader than the IPv4 input chain, which gives BLUE_VLAN
# DNS only and reserves full access for BASE_VLAN; align the two before enabling
# IPv6.
add action=accept chain=input in-interface-list=VLAN
add action=drop chain=input comment=Drop
# Forward: only replies to existing connections pass; no rule accepts new IPv6
# connections, so nothing can initiate IPv6 traffic through the router.
add action=accept chain=forward comment="Allow Estab & Related"
connection-state=established,related
add action=drop chain=forward comment=Drop
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/system identity
set name=xxx
/system ntp client
set enabled=yes
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=BASE
Additionally, some dynamic rules are not included in the configuration export. These are the ones I can see:
5 D ;;; app internal network masquerade rule to allow outgoing traffic be routed back
chain=srcnat action=masquerade in-interface=internal
6 D ;;; app goaway redirect to dns
chain=dstnat action=dst-nat to-addresses=172.18.0.2 to-ports=53 protocol=udp dst-address=192.168.88.1 dst-port=53
7 D ;;; app goaway redirect to dns
chain=dstnat action=dst-nat to-addresses=172.18.0.2 to-ports=53 protocol=tcp dst-address=192.168.88.1 dst-port=53
8 D ;;; app goaway redirect to web
chain=dstnat action=dst-nat to-addresses=172.18.0.2 to-ports=8094 protocol=tcp dst-address=192.168.88.1 dst-port=8094