I have adguard on my NAS as DNS Server.
What I want to do now in my Mikrotik router is to set my Adguard DNS as primary DNS server, e.g. 10.0.0.10. In case that server would be offline (e.g. NAS crashes, updates, etc.), I want to use an alternate DNS like 9.9.9.9
I didn’t find a way to do that. Is there a way to configure it?
IP / DNS
set primary and secondary DNS
That’s for your router.
IP / DHCP server settings
There you can specify which DNS server your client devices need to use. I use the router IP there (so it in turn uses the settings which have been set in IP / DNS).
But you can use different settings in DHCP server if you want (e.g. I have a separate VLAN for IoT devices, I don’t handle that one via PiHole DNS, I direct them immediately to Google 8.8.8.8 ).
To be clear you want primary DNS to be your NAS.
If the NAS crashes you still want folks to be able to access the internet by a public DNS service.
This will not be possible without some intervention after the NAS crashes.
For example you could do this…
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=adguard-server-ip gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
In this scenario the router would first try the adguard address and if no joy would go to 1.1.1.1 and then 9.9.9.9
The problem is that once adguard comes back up, likely the router will stick with what is working (1.1.1.1 and 9.9.9.9) until you reboot the router.
Perhaps another approach is to use the above but also use the following dstnat rules.
Where the firewall address-list Excluded consists of those devices exempt from being forced to the adguard server (at minimum the adguard server itself).
Note src-address=SUBNETX could be in-interface=bridge or in-interface-list=LAN
The difference between the two is that you will not have to reboot the router, but you will have to DISABLE the rules if the NAS is crashed and then RE-ENABLE the rules when the NAS is back and working.
I imagine there is a way to script this so the router can detect if the NAS server is reachable or not and appropriately disable and enable the dstnat rules.
Someone with skills would be needed for that addition.
DNS doesn’t know the concept of a “primary” or “secondary” server; in principle all are equal. Setting DNS server addresses in the DHCP server config might make the DHCP server place those DNS addresses in a particular order inside the DHCP lease metadata, but a DHCP client can use them in any order it chooses.
As to the use of multiple servers: the basic assumption is that all servers will reply with the same answers. Which means that if some server replies with a negative answer (e.g. NXDOMAIN), then the client has no reason to try other servers for the same query. A client will use multiple servers either in round-robin manner (rarely) or in HA manner … the client starts using one server and if that server completely fails to answer, the client will start using the next server and will keep using it until the next server completely fails to answer.
Which means that what you want (use primary until it fails) may work for some clients and not for others … because the others might decide to start by using the secondary server. If you want to explicitly control the behaviour, then you’ll have to get more innovative … go with the concept of @holvoetn but configure only AdGuard’s address as DNS server on your router. Then set up a netwatch script which checks AdGuard server vitality and if it fails, change the DNS server address on the router to a public one. After AdGuard starts to show signs of life, change the DNS server address on the router to AdGuard’s address again. Or, if you don’t want to use the ROS DNS service, you can create a dst-nat rule for DNS access and change its to-address property from the netwatch script (in this case the DHCP setting for DNS server would be the router’s address as well).
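An added worked example of the netwatch approach described in the post above (not configuration posted by anyone in this thread). It assumes AdGuard is at 10.0.0.10 as in the question, 9.9.9.9 as the public fallback, and that DHCP hands out the router's own address as DNS so clients never see the switch; the dst-nat variant is shown as an alternative at the end.

```routeros
# Added example, not from the thread. Assumptions: AdGuard at 10.0.0.10 (from the
# question), public fallback 9.9.9.9, clients use the router as their DNS via DHCP.

# 1. Router forwards only to AdGuard while it is healthy.
/ip dns
set allow-remote-requests=yes servers=10.0.0.10

# 2. Netwatch probes the NAS; on failure it swaps the upstream to 9.9.9.9 and
#    flushes the cache so stale answers are not served; on recovery it swaps back.
#    Caveat: the default ICMP probe only proves the host answers ping, not that
#    AdGuard is answering on port 53. If your RouterOS 7 version offers other
#    netwatch probe types (e.g. tcp-conn with port=53), prefer one of those.
/tool netwatch
add host=10.0.0.10 interval=30s timeout=2s comment="AdGuard DNS failover" \
    down-script="/ip dns set servers=9.9.9.9; /ip dns cache flush; \
        /log warning \"AdGuard unreachable, upstream DNS switched to 9.9.9.9\"" \
    up-script="/ip dns set servers=10.0.0.10; /ip dns cache flush; \
        /log info \"AdGuard reachable again, upstream DNS restored\""

# 3. Alternative without the router's DNS service: redirect LAN port-53 traffic
#    straight to AdGuard and let netwatch rewrite to-addresses instead.
#    Hosts in address-list Excluded (at least the AdGuard server itself) are skipped
#    so AdGuard's own upstream lookups are not looped back to it.
/ip firewall address-list
add list=Excluded address=10.0.0.10 comment="AdGuard server, never redirect"
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    src-address-list=!Excluded action=dst-nat to-addresses=10.0.0.10 \
    comment="DNS-redirect-udp"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    src-address-list=!Excluded action=dst-nat to-addresses=10.0.0.10 \
    comment="DNS-redirect-tcp"
# For this variant, replace the netwatch scripts above with:
#   down-script="/ip firewall nat set [find comment~\"DNS-redirect\"] to-addresses=9.9.9.9"
#   up-script="/ip firewall nat set [find comment~\"DNS-redirect\"] to-addresses=10.0.0.10"
```

After applying it, check with /tool netwatch print and /log print that the up/down transitions and the corresponding DNS changes are logged as expected.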