DHCP client receives DNS servers I did not configure

Dear forum members!

Usually I use DoH but yesterday I switched to regular DNS so I can use FWD entries in ROS.

Now I have a behaviour I do not understand and I could not find any information regarding this in MT docs (DNS and DHCP-SERVER docs).

I have a single dhcp-server configured and added 2 DNS resolvers.

/ip dns
set allow-remote-requests=yes servers=2a07:a8c0::bc:79c1,2a07:a8c1::bc:79c1 verify-doh-cert=yes
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.254 domain=home.arpa gateway=192.168.0.254 netmask=24

No dynamic servers, just the static ones.

[user@mikrotik] /ip/dns> pri
                      servers: 2a07:a8c0::bc:79c1,2a07:a8c1::bc:79c1
              dynamic-servers: 
               use-doh-server: 
...

But DNS clients apparently also receive these 2 DNS servers that I configured under “/ip/dns”.

On one of my Linux clients, resolvectl shows:

Link 34 (wlan0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.254
       DNS Servers: 192.168.0.254 2a07:a8c0::bc:79c1 2a07:a8c1::bc:79c1

I can observe this behaviour on multiple clients. Over time it happens that the client suddenly switches to the second/third DNS and all my local DNS resolution stops working (as it relies on ROS DNS service).

I already tried:

/ip/dhcp-server/network/set dns-none=yes 0

But then there is not any DNS server promoted at clients anymore - even though docs just say: “If set, then DHCP Server will not pass dynamic DNS servers configured on the router to the DHCP clients if no DNS Server in DNS-server is set. By default, if there are no DNS servers configured, then the dynamic DNS Servers will be passed to DHCP clients.”

I understand in simple words: if there aren’t any dynamic servers, then I just pass the explicitly configured DNS server to the client. And I do have that explicit configuration of “dns-server”. So I am confused why not even the DNS at 192.168.0.254 is passed to the clients anymore.

What I’d like to achieve is, that DHCP clients only get a single DNS: 192.168.0.254 (mikrotik router). I don’t think I need to use FWD entries for these additional servers - that would be super odd.

Thanks for listening! I would be glad for any hint.

/ipv6/nd/export

?

/ipv6/nd/export

is empty.

But there is a default configuration:

[user@mikrotik] /ipv6/nd> print 
Flags: X - disabled, I - invalid; * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes 
      managed-address-configuration=no other-configuration=no dns="" pref64=""

So “advertise-dns=yes” is the suspect? This could really be the reason. I watched the output of “resolvectl” right on bringing the wlan0 link up, I first saw just the single DNS server listed - and only after a few seconds the other addresses appeared. They come from IPv6 neighbor discovery?

Indeed! If I use IPv4 DNS servers for “/ip/dns/servers”, these are not promoted to clients. So it is IPv6 ND.

But then Mikrotik docs are wrong. It states “advertise-dns” is “no” by default. But on ROS 7.13.5 it is “advertise-dns=yes”.

https://help.mikrotik.com/docs/display/ROS/IPv6+Neighbor+Discovery

They definitely come from IPv6 ND, but you haven’t set any DNS servers here; looks abnormal.
Try to unmark DNS in the ND and see what happens.

I found in changelog of ROS 6.46:

*) ipv6 - changed “advertise-dns” default value to “yes”;

Mikrotik, well played. Your docs are always on the bleeding edge.

When I set advertise-dns=no, I don’t receive these IPv6 DNS servers anymore.

/ipv6 nd
set [ find default=yes ] advertise-dns=no

But as pointed out by you, I would expect that only DNS servers listed at “/ipv6/nd/dns-servers” are being advertised? Not the ones from “/ip/dns/servers”.

Just found an example in the old wiki. IPv6 DNS servers configured under “/ip/dns/server” are advertised when “advertise-dns=yes” is set.
https://wiki.mikrotik.com/wiki/Manual:IPv6/ND#Stateless_autoconfiguration_example
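The mechanism the thread ends up at is the Router Advertisement's RDNSS option (RFC 8106), which is how a client such as systemd-resolved learns extra resolvers from IPv6 ND rather than from DHCP. As an added example, not code from the thread or from MikroTik, here is a small parser that pulls the advertised DNS addresses out of an RA and flags any that are not on an expected list; the RA bytes, the link-layer address and the 600 s lifetime are constructed for the demo, not captured from a router.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_SOURCE_LLADDR = 1    # RFC 4861 option types
OPT_RDNSS = 25           # RFC 8106 Recursive DNS Server option

def parse_ra_options(icmpv6: bytes):
    """Yield (type, body) for every ND option following the 16-byte RA header."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    off = 16
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = icmpv6[off], icmpv6[off + 1]   # olen is in units of 8 octets
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        size = olen * 8
        if off + size > len(icmpv6):
            raise ValueError("option runs past end of packet")
        yield otype, icmpv6[off + 2:off + size]
        off += size

def rdnss_servers(icmpv6: bytes):
    """Return [(address, lifetime_seconds), ...] from every RDNSS option in the RA."""
    servers = []
    for otype, body in parse_ra_options(icmpv6):
        if otype != OPT_RDNSS:
            continue
        lifetime = struct.unpack("!I", body[2:6])[0]   # 2 reserved bytes, then lifetime
        addrs = body[6:]
        if len(addrs) % 16:
            raise ValueError("RDNSS address block is not a multiple of 16 bytes")
        for i in range(0, len(addrs), 16):
            servers.append((str(ipaddress.IPv6Address(addrs[i:i + 16])), lifetime))
    return servers

def unexpected_resolvers(icmpv6: bytes, allowed):
    """Advertised resolvers that are not in the set the network is supposed to hand out."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowed}
    return [addr for addr, _ in rdnss_servers(icmpv6) if addr not in allowed]

def build_sample_ra() -> bytes:
    """Constructed RA carrying the two addresses from the thread (not a real capture)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    src_ll = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("0242ac110002")  # made-up MAC
    addrs = b"".join(ipaddress.IPv6Address(a).packed
                     for a in ("2a07:a8c0::bc:79c1", "2a07:a8c1::bc:79c1"))
    rdnss = bytes([OPT_RDNSS, 1 + len(addrs) // 8]) + b"\x00\x00" + struct.pack("!I", 600) + addrs
    return hdr + src_ll + rdnss
```

Running `unexpected_resolvers(build_sample_ra(), ["192.168.0.254"])` reproduces the symptom from the resolvectl output: both IPv6 addresses show up as resolvers the client was never meant to use.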