DNS Best Practice Question

On my routers I normally use the ISP's DNS servers. The way I do this is by checking "allow remote requests" under the DNS setup. I do nothing else. It works. Is this the best way to do this?

This is enough for DNS configuration.

The only thing to be sure of is that a forwarder DNS is configured.
If you use DHCP client or PPPoE, then a DNS server may be set automatically.

Yeah... Set your clients to use your router's IP for DNS, set your router to allow remote DNS, block the DNS server from WAN things...

Unless you need a more full-featured Bind9 or something, this works well. If you need Bind9 functionality or dnsmasq or etc., then you'll need to run that on another box.

Something particular you were trying to do? Or block? Or ...?

Eric, I think that is what I am currently doing. What does that look like using the command line, so I can check it against my setup?

Post your export from filter, dhcp-server and dns and I can tell you.

Sent from my SCH-I545 using Tapatalk 4

If you have DNS set to your provider's DNS servers, then your router is still doing nothing (at best). If you have left the default configuration on the router you are fine; otherwise, make sure nobody can connect from outside to your local DNS, or your router could be used as a DDoS tool.

Next, set up "/ip dns" servers and then point your PC to use your router to resolve domain names.

You can look up topics here on the forums on how to secure your DNS service on the router; you can also find general information about that on wiki.mikrotik.com.

/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1
add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2

/ip dns
set allow-remote-requests=yes

Just make sure under DHCP networks you're set to use your router's IP as the DNS server... also ensure that somewhere in your firewall you are blocking port 53 via UDP and TCP from all the WAN interfaces. Otherwise it seems correct.

Like this:
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1

and then have a default drop rule in the firewall?

Yeah. That should work.

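The advice in this thread boils down to one check: if "/ip dns allow-remote-requests=yes" is set, the input chain must drop new UDP and TCP port 53 traffic arriving on the WAN interfaces (either with explicit rules or a default drop), or the router becomes an open resolver usable for DNS amplification. The following script is an added example, not MikroTik code and not posted by anyone in the thread; it parses the relevant sections of a RouterOS "/export" and walks the input chain with first-match semantics to report on which WAN interface and protocol an outside query would still be answered. The interface name ether1-gateway, the interface-list name WAN and the two embedded exports are constructed for the example; jump targets are not followed.

```python
"""Check a RouterOS export for an exposed resolver: allow-remote-requests=yes
with no input-chain rule dropping new port-53 traffic from the WAN side.
Added example; not MikroTik code.  Sample exports below are constructed."""

import shlex

DNS_PORT = "53"


def parse_export(text):
    """Parse the '/ip dns' and '/ip firewall filter' sections of an export.
    Returns (dns_settings, filter_rules); joins backslash-continued lines."""
    dns, rules, section = {}, [], None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line                      # e.g. '/ip firewall filter'
            continue
        parts = shlex.split(line)               # keeps quoted comment= intact
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if section == "/ip dns" and parts[0] == "set":
            dns.update(attrs)
        elif section == "/ip firewall filter" and parts[0] == "add":
            rules.append(attrs)
    return dns, rules


def _port_matches(rule, port):
    """True if the rule's dst-port (list/range syntax) covers `port` or is absent."""
    spec = rule.get("dst-port")
    if spec is None:
        return True
    for piece in spec.split(","):
        if "-" in piece:
            lo, hi = piece.split("-")
            if int(lo) <= int(port) <= int(hi):
                return True
        elif piece == port:
            return True
    return False


def _matches_new_dns_query(rule, iface, proto, wan_list):
    """Would a fresh DNS query on `iface`/`proto` match this input rule?"""
    if rule.get("chain") != "input" or rule.get("disabled") == "yes":
        return False
    if rule.get("in-interface", iface) != iface:
        return False
    if rule.get("in-interface-list", wan_list) != wan_list:
        return False             # assumption: `wan_list` contains `iface`
    if rule.get("protocol", proto) != proto:
        return False
    state = rule.get("connection-state")
    if state is not None and "new" not in state.split(","):
        return False             # established,related never sees a new query
    return _port_matches(rule, DNS_PORT)


def dns_exposure(export_text, wan_interfaces, wan_list="WAN"):
    """List (interface, protocol) pairs on which an outside host could query
    the router's resolver.  RouterOS default policy is accept, so an input
    chain with no matching drop leaves the resolver reachable."""
    dns, rules = parse_export(export_text)
    if dns.get("allow-remote-requests", "no") != "yes":
        return []                # resolver not serving clients at all
    exposed = []
    for iface in wan_interfaces:
        for proto in ("udp", "tcp"):
            verdict = "accept"                       # default policy
            for rule in rules:
                if not _matches_new_dns_query(rule, iface, proto, wan_list):
                    continue
                action = rule.get("action", "accept")
                if action in ("log", "passthrough"):
                    continue                         # non-terminating actions
                verdict = action
                break
            if verdict not in ("drop", "reject", "tarpit"):
                exposed.append((iface, proto))
    return exposed


# Constructed sample: resolver on, nothing blocks port 53 from the WAN port.
WEAK_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge-local
"""

# Constructed sample: the same, with the per-protocol drops this thread asks for.
HARDENED_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="block DNS from WAN" dst-port=53 \\
    in-interface=ether1-gateway protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input in-interface=bridge-local
"""

if __name__ == "__main__":
    print("weak:", dns_exposure(WEAK_EXPORT, ["ether1-gateway"]))
    print("hardened:", dns_exposure(HARDENED_EXPORT, ["ether1-gateway"]))
```

Rule order matters: an accept that matches the WAN interface placed above the port-53 drops wins, which the first-match walk reports, and a catch-all "add action=drop chain=input in-interface=ether1-gateway" at the end of the chain (the default drop mentioned above) is recognised as protection because it has no protocol or port restriction.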

Actually, if you have DNS servers set up in "/ip dns" you can leave the DNS server field empty in the dhcp-server setup.

Which will it use? Itself or the listed servers?


It sends itself and the configured servers.

For example, I had 8.8.8.8 set as the DNS server, and what I got was 192.168.88.1 and 8.8.8.8.

Hmm... cool. Thanks for the info.