DNS cache not working

Hi, here's my DNS configuration:

primary-dns: 202.155.0.10
secondary-dns: 202.43.160.50
allow-remote-requests: yes
cache-size: 2048 kB
cache-max-ttl: 7d
cache-used: 433 kB

When I point my client DNS to 10.0.0.1 (the MikroTik IP) it cannot resolve some websites, but when I point my client to the ISP DNS (202.43.160.50), it resolves fine. What have I done wrong? Could anyone help me please? Thank you very much.

Try to set 202.43.160.50 as primary-dns, and see what happens.

Thank you for your reply. I have changed it to 202.43.160.50 as the primary DNS, but the same thing happens: it still couldn't resolve some websites. It seems like my DNS requests couldn't be forwarded to my ISP DNS. Could anyone help?

Look in IP / DHCP Server, Networks tab; there are fields for DNS settings there as well.

ip dhcp-server network> print

ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN

0 ;;; hotspot network
10.20.7.0/24 10.20.7.1 66.5.1.205.100
66.5.1.206.100

None of my clients are using DHCP; they are all using static IPs, so I think the problem is not there. But thank you for your reply.

Do you have any firewall rules listed in either the input or output chains? If so, could you post them here.

Regards

Andrew

I use source NAT for all of my clients. Here's my config:

0 dst-address=202.78.xxx.xxx/32 action=nat to-src-address=202.78.xxx.xxx

1 out-interface=Internet flow=Flow-planet-http action=nat
to-src-address=219.83.xxx.xxx

2 X out-interface=Internet flow=Flow-WR-Http action=nat
to-src-address=219.83.xxx.xxx

3 X out-interface=Internet flow=Flow-WR-Irc action=nat
to-src-address=219.83.xxx.xxx

4 X src-address=10.0.0.3/32 out-interface=Internet action=nat
to-src-address=219.83.96.51

5 src-address=10.0.0.5/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

6 X src-address=10.0.0.8/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

7 X src-address=10.0.0.10/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

8 X ;;; Down Warnet
src-address=10.0.0.0/19 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx-219.83.xxx.xxx

9 X ;;; Down Personal
src-address=10.10.0.0/19 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx-219.83.xxx.xxx

10 src-address=10.10.1.16/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

11 src-address=10.10.1.31/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

12 src-address=10.10.1.35/32 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

13 src-address=10.20.0.0/19 out-interface=Internet action=nat
to-src-address=219.83.xxx.xxx

14 src-address=10.0.0.2/32 action=nat
to-src-address=202.78.xxx.xxx-202.78.xxx.xxx

15 src-address=10.0.0.3/32 action=nat to-src-address=202.78.xxx.xxx

16 src-address=10.0.0.4/32 action=nat to-src-address=202.78.xxx.xxx

17 X src-address=10.0.0.5/32 action=nat to-src-address=202.78.xxx.xxx

18 src-address=10.0.0.6/32 action=nat to-src-address=202.78.xxx.xxx

19 X src-address=10.0.0.7/32 action=nat to-src-address=202.78.xxx.xxx

20 src-address=10.0.0.8/32 action=nat to-src-address=202.78.xxx.xxx

21 src-address=10.0.0.10/32 action=nat to-src-address=202.78.xxx.xxx

22 src-address=10.0.0.0/19 action=masquerade

23 src-address=10.10.0.0/19 action=nat to-src-address=202.78.xxx.xxx

Do I need to add a rule to forward DNS requests to some IP? I have been facing this problem for months and it couldn't be solved. Please help me, thank you very much.

I’m having trouble working out what you’re trying to achieve with this jumble of source & destination NATs. It might have been easier if you’d hidden the first 3 digits which are the same in each case, instead of the last 6 which show the detail of what’s going on.

In particular:
Can you explain what rule 0 is doing?
Rule 14 NATs a single IP to a range.
Rule 22 is incomplete as it doesn't specify an interface.

Rule 22 is also a problem because in general, either you will be using source nat OR you’re using masquerade.

However, I suspect that Rule 0 is the cause of your problems. 202.78.xxx.xxx includes your ISP's DNS servers and you're changing the source address of packets destined for those servers. This means that, when they reply to your requests, the router is probably not receiving them.

In addition, can you confirm what firewall rules you have in the INPUT & OUTPUT chains. As DNS traffic to and from the DNS cache traverses these chains this is really important.

Regards

Andrew
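Andrew's review points above (a NAT rule with no out-interface, a rule that rewrites packets headed for the upstream resolvers, masquerade mixed with explicit source NAT, a /32 mapped to an address range) can be turned into a mechanical check over the `print` listing. The script below is an added example, not code from the forum posts or from MikroTik: it parses the 2.x-style wrapped output shown in the thread and flags those four conditions. The rule table and the resolver addresses in it are constructed for the example from RFC 5737 documentation ranges, not the poster's real (redacted) addresses, and the finding codes are the script's own.

```python
"""Audit a RouterOS 2.x-style source-NAT rule listing for the problems raised in
the thread.  Added example, not code from the forum posts or from MikroTik; the
rule table and resolver addresses below are constructed (RFC 5737 ranges)."""
import ipaddress

# Constructed listing in the same layout as the poster's print output:
# "<id> [X] [;;; comment]" followed by key=value tokens, possibly wrapped.
SAMPLE_RULES = """\
0 dst-address=198.51.100.10/32 action=nat to-src-address=203.0.113.5
1 X out-interface=Internet src-address=10.0.0.3/32 action=nat
to-src-address=203.0.113.51
2 src-address=10.0.0.2/32 action=nat
to-src-address=203.0.113.16-203.0.113.18
3 src-address=10.0.0.0/19 action=masquerade
4 ;;; Down Personal
src-address=10.10.0.0/19 out-interface=Internet action=nat
to-src-address=203.0.113.20
"""
# Upstream resolvers the router forwards to (constructed; the thread's are 202.x).
DNS_SERVERS = ["198.51.100.10", "198.51.100.50"]


def parse_rules(text):
    """Turn the wrapped print output into one dict per rule."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():                      # start of a new rule
            rule = {"id": int(tokens[0]), "disabled": False, "comment": None}
            rules.append(rule)
            rest = tokens[1:]
            if rest and rest[0] == "X":              # 'X' marks a disabled rule
                rule["disabled"] = True
                rest = rest[1:]
            if rest and rest[0] == ";;;":            # ';;;' introduces a comment
                rule["comment"] = " ".join(rest[1:])
                rest = []
        else:                                        # wrapped continuation line
            rule = rules[-1]
            rest = tokens
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                rule[key] = value
    return rules


def audit(rules, dns_servers):
    """Return (rule_id, code, message) findings; disabled rules are ignored."""
    findings = []
    active = [r for r in rules if not r["disabled"]]
    actions = {r.get("action") for r in active}
    if {"nat", "masquerade"} <= actions:
        findings.append((None, "mixed-actions",
                         "both action=nat and action=masquerade are enabled; use one"))
    resolvers = [ipaddress.ip_address(s) for s in dns_servers]
    for r in active:
        rid = r["id"]
        if r.get("action") in ("nat", "masquerade") and "out-interface" not in r:
            findings.append((rid, "no-out-interface",
                             "source NAT without out-interface applies on every exit path"))
        if "dst-address" in r:
            try:
                net = ipaddress.ip_network(r["dst-address"], strict=False)
            except ValueError:
                net = None                           # e.g. ':80' style port match
            if net and any(ip in net for ip in resolvers):
                findings.append((rid, "rewrites-dns-path",
                                 "source rewritten for packets to an upstream resolver; "
                                 "check that replies still reach the router"))
        if r.get("src-address", "").endswith("/32") and "-" in r.get("to-src-address", ""):
            findings.append((rid, "host-to-range",
                             "single host mapped to an address range; confirm intended"))
    return findings


if __name__ == "__main__":
    for rid, code, msg in audit(parse_rules(SAMPLE_RULES), DNS_SERVERS):
        print(f"rule {'-' if rid is None else rid}: {code}: {msg}")
```

Paste a real listing in place of `SAMPLE_RULES` and the router's own `primary-dns`/`secondary-dns` in place of `DNS_SERVERS`; the disabled (`X`) rules are skipped so the output reflects only what the router is actually applying.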

Change primary-dns: 202.155.0.10 to 10.0.0.1 (MikroTik IP)
and make secondary-dns: 202.155.0.10.

Try those settings on the clients' end as well.

I'm guessing you are using DHCP with your NATting? There is an option in your DHCP network settings that specifies the DNS number to give out to clients. You want to make sure it's giving itself out as the primary.

Eric

I am sorry for troubling you all, as my firewall explanation uses xxx.xxx, but please let me explain what has confused you:

Rule 0:

It's for NATting my clients' requests to one of my servers (126), whose address is outside my IP pool. So all my client requests destined to 126 would be NATted as 125.

And I think it is not the main problem, because IP 126 is not in my IP pool, so it would not affect my DNS resolving.

My DNS requests are for my MikroTik IP (10.0.0.1). When I pointed my client DNS requests to 10.0.0.1, it could resolve some websites, but most websites it couldn't resolve.

For Hugh:
If I try to set my client secondary DNS to my ISP DNS I think it should work, but my DNS problem is still there, meaning that my DNS is still not resolving.

OK. So what about rules 14 & 22?

Also, you still haven’t answered my main question:

In addition, can you confirm what firewall rules you have in the INPUT & OUTPUT chains. As DNS traffic to and from the DNS cache traverses these chains this is really important.

Regards

Andrew

Rule 14 is for NATting my client to a range of IPs to help them connect to an IRC server, as the IRC server only allows a few computers to connect to it, so I have to give it a range of IPs.

Rule 22 is for masquerading my clients in 10.0.0.0/19 to an IP.

Here's my MikroTik setup:

ISP ↔ Mikrotik <–Wireless–> Client (10.xx.xx.xx) ↔ Computer (more than 10)

For my firewall rules in INPUT & OUTPUT, I don't have any settings. I just set the following in my FORWARD chain:

0 X src-address=10.0.0.2/32 dst-address=:80 protocol=tcp action=drop

1 dst-address=:30200 protocol=tcp action=drop

2 dst-address=:137-139 protocol=tcp action=drop

3 dst-address=:1433 protocol=tcp action=drop

4 src-address=10.10.0.0/19 p2p=all-p2p action=drop

5 p2p=all-p2p action=drop

6 dst-address=:445 protocol=tcp action=drop

7 dst-address=:135 protocol=tcp action=drop

8 src-address=10.10.1.15/32 dst-address=:1025 protocol=tcp action=drop

9 src-address=10.10.1.15/32 dst-address=:6129 protocol=tcp action=drop

10 src-address=10.10.1.24/32:1279 protocol=tcp action=drop

11 src-address=10.10.1.18/32 dst-address=38.113.212.216/32 action=drop

12 src-address=10.0.0.8/32 dst-address=66.218.66.240/32 action=drop

13 src-address=10.0.0.5/32 dst-address=202.43.167.72/32 action=drop

14 src-address=10.0.0.8/32 dst-address=4.68.212.13/32 action=drop

Do I need to add some rule in the INPUT or OUTPUT chain to make my DNS work?

Regards,
Lim

Lim

If you have empty INPUT and OUTPUT chains then you’re OK for this problem. All traffic is passed by default. From a security point of view though, this is very bad.

I can’t see any good reason why you have DNS issues. It should just work.

Your source NAT and masquerade rules look over-complicated to me though. I have a /29 subnet mask here. My internal LAN and DMZ are source-NATted to two IPs with just two rules:

 0   ;;; Internal LAN NAT
     chain=srcnat out-interface=Internet src-address=192.168.1.0/24 
     action=src-nat to-addresses=xxx.xxx.230.205 to-ports=0-65535 

 1   ;;; Nat for DMZ
     chain=srcnat out-interface=Internet src-address=192.168.2.0/24 
     action=src-nat to-addresses=xxx.xxx.230.201 to-ports=0-65535

I would suggest trying to simplify your current rules and deciding whether you're using masquerade OR source NAT. I wouldn't recommend mixing both together.

Regards

Andrew
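Andrew's "it should just work" and the poster's "most websites fail, Yahoo works" are easiest to settle by asking the router cache and the ISP resolver the same questions and comparing the answers flag by flag, rather than watching a browser. The script below is an added example, not code from the forum posts or from RouterOS: it builds a plain UDP query, parses the reply header (QR, TC, RA, RCODE) and any A records, and prints one verdict per server per name, so "timeout", "SERVFAIL", a truncated reply or a server that refuses recursion are told apart. It uses only the standard library. The two server addresses in the `__main__` block are the thread's own (10.0.0.1 and 202.43.160.50); the three wire-format replies are constructed by hand for the offline demonstration, with 192.0.2.1 from the documentation range.

```python
"""Query several resolvers for the same names and compare what comes back, with
enough DNS parsing to tell a real answer from SERVFAIL, a truncated reply or a
server that refuses recursion.  Added example for this thread, not code from the
forum posts or from RouterOS; standard library only.  The server addresses in
__main__ are the thread's; the sample replies below are constructed by hand."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed wire-format replies to query id 0x1234 for "example.com A":
SAMPLE_OK = bytes.fromhex(          # QR RD RA, NOERROR, one A record 192.0.2.1
    "123481800001000100000000" "076578616d706c6503636f6d00" "00010001"
    "c00c" "0001" "0001" "00000e10" "0004" "c0000201")
SAMPLE_SERVFAIL = bytes.fromhex(    # QR RD RA, SERVFAIL, no answers
    "123481820001000000000000" "076578616d706c6503636f6d00" "00010001")
SAMPLE_REFUSED = bytes.fromhex(     # QR RD, RA clear, REFUSED: will not recurse
    "123481050001000000000000" "076578616d706c6503636f6d00" "00010001")


def build_query(name, qid, qtype=1):
    """Single-question query with RD set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Header flags plus the A records found in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    resp = {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                                      # QTYPE + QCLASS
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            resp["answers"].append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return resp


def summarise(resp, expected_id=None):
    """One-line verdict: rcode, TC / no-RA markers, then any addresses."""
    if expected_id is not None and resp["id"] != expected_id:
        return "id-mismatch"
    status = RCODES.get(resp["rcode"], f"RCODE{resp['rcode']}")
    if resp["tc"]:
        status += ",TC"
    if not resp["ra"]:
        status += ",no-RA"
    return status + (" " + ",".join(resp["answers"]) if resp["answers"] else "")


def query(server, name, timeout=2.0):
    """Send one UDP query; 'timeout' means nothing came back at all."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return summarise(parse_response(data), qid)


def compare(servers, names):
    """{name: {server: verdict}} so the router cache can be read against the ISP."""
    return {n: {s: query(s, n) for s in servers} for n in names}


if __name__ == "__main__":
    # Router cache vs ISP resolver, as in the thread; substitute your own names.
    for name, verdicts in compare(["10.0.0.1", "202.43.160.50"], ["example.com"]).items():
        print(name, verdicts)
```

Run it from a client on the 10.x side with the names that fail in the browser. A "timeout" from 10.0.0.1 while 202.43.160.50 answers points at traffic not reaching or returning from the router's cache; a reply with `TC` set points at an answer too large for the UDP path; `no-RA` means the server you asked is not willing to recurse for you at all.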

Thank you very much Andrew. My main purpose with so much NATting is that I wish different clients would have different IPs, such as 10.0.0.2 would go to xx.xx.xx.116 and 10.0.0.3 would go to xx.xx.xx.118. That's my main purpose.

What I see from the DNS cache is that the MikroTik DNS is caching and doing well, but when I point my client's primary DNS server to 10.0.0.1 (MikroTik IP), it couldn't resolve most of the websites; only a small number of websites such as Yahoo could be resolved perfectly by the MikroTik DNS.

So does anyone know what this problem is? Please help me. Thank you.

To use the local DNS as resolver, try to put it at DNS static.

“”" wish different client would have different ip. such as 10.0.0.2 would go to xx.xx.xx.116, 10.0.0.3 would go to xx.xx.xx.118. “”“” you have to set the action to nat and not masequarde to let this works properly,

Second, concerning the DNS, I have it working by setting a fixed IP on the MikroTik:
/ ip address add address=10.10.10.10/32 interface=clients
and setting primary dns=10.10.10.10, secondary dns=ISP's DNS server,
and setting on the clients' side dns=10.10.10.10. I'm using 2.8.16.

Everything is working properly!

Good luck.