DNS - can't be tunnelled?

I’m in an interesting situation.

There is an ISP. My HAP AC2 (TIK1) connects to it via WiFi (wlan0) and gets an IP address from this ISP. It also allows the ISP's DNS to be used (DHCP client's config).

TIK1's other WiFi (wlan1) is set up as an AP, allowing other devices (my phone) to connect to it. I also added a DHCP server, with TIK1's IP as the DNS server.

Traffic is then masqueraded ofc.

I also setup a fixed DNS server (8.8.8.8) in TIK1.

Everything went smoothly until now: the ISP seems to be blocking UDP/53 to anywhere else but its own DNS server.

With 8.8.8.8 set as fixed in TIK1, neither my phone nor my computer can access the internet.

Once I removed this fixed DNS server from TIK1, both devices could connect just fine.

Things get interesting from here.

TIK1 creates a wireguard site-2-site tunnel with TIK2. All necessary mangles are created for marking certain connections and packets to use the tunnel. Currently used only for clients on TIK1 to access TIK2’s lan.

I however need to tunnel my phone's traffic through this tunnel, and I also created mangles for it: when 8.8.8.8 was set as the fixed DNS in TIK1, this worked as intended: all traffic of my phone went through the tunnel, and it also used the tunnel for UDP/53 to 8.8.8.8.

Now, as I had to remove 8.8.8.8, if I enable this "phone-2-tunnel" mangle, the phone loses internet access with this tunnel. I assume UDP/53 is tunnelled, but the ISP's dynamic DNS server is not reachable through the tunnel. But this is only an assumption!

The mangle rule is on "prerouting": it is just a "mark connection" from the phone's IP. So in this case, if my phone gets TIK1's IP as the DNS server, will UDP/53 be tunnelled or not? Shall I create a mangle for the "input" chain too?

Temporarily I added a "tcp" setting to the original mangle, and it's working now: my phone can see the internet through the tunnel (but I assume it gets DNS records from the ISP).

As this is a theoretical topic, I might not have solid question(s) besides: what do you think? Can I solve this somehow better?

Have you masqueraded TIK1’s DNS traffic on TIK2?

This scheme seems unnecessarily complicated.

If just DNS is the issue, there are a number of ways to go around it:

  1. Use DoH (supported by Google's 8s, just as by many other public DNS)

  2. Use a local DNS server on TIK1 for your LAN

  3. Use a DNS forwarder on TIK1 to TIK2

Also, WG (just like IPsec) is policy based, which makes it painful to even mention. So you might consider using other (routing based) tunnelling protocols instead, or use GRE/IPIP over WG as a workaround.

On TIK2 I only masquerade packets towards WAN. There is no masq for TIK1's DNS traffic. Shall I create one?

What exactly are you referring to by this?


I added a dst-nat for all packets on UDP/53 with connection-mark=wireguard-tunnel-to-tik2.

This solved the DNS issue.

The problem was the ISP's nasty DNS and firewall on 10.0.16.1: it is strict:

  • DNS replies only to LAN clients
  • blocks UDP/53 toward anything else but 10.0.16.1

My TIK1 is 192.168.1.1. The DHCP server is set up from this pool, and it defines the DNS server: 192.168.1.1.

TIK1's IP/DNS doesn't define a fixed DNS server; it just knows the dynamically added 10.0.16.1.

So when my phone blows out its DNS query, it goes to 192.168.1.1. But when I squeeze this traffic into the WG tunnel, TIK1 perfectly forwards all traffic to TIK2.

On TIK2 I can see my phone's DNS query: myphone:xyz→192.168.1.1:53. Now this comes back on the WG tunnel (as TIK2 has a static route for reaching TIK1), and TIK1 forwards it to 10.0.16.1, which immediately drops it as it no longer originates from the LAN.

I added (on TIK1) a dst-nat for all UDP/53 packets having the connection mark "wg-to-tik2", dst-natted to TIK2's IP. This way tunnelled traffic uses TIK2 as DNS.

I believe a similar dst-nat would work on TIK2 also: WG-tunnelled traffic on UDP/53 should be dst-natted to TIK2's local DNS facility.

Why it worked before is that the ISP's firewall was less strict earlier.

Is there anything I'm mistaken about?
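The setup described in the post above, written out as RouterOS CLI as an added example (not the poster's own export): the phone's connections are marked into the tunnel, and tunnelled UDP/53 is redirected to TIK2 so that it never reaches the ISP resolver at 10.0.16.1 from the wrong side. The phone address 192.168.1.50, the routing mark `via-wg`, the interface name `wireguard1` and TIK2's tunnel address are assumptions; the routing table itself is taken as already existing, as the thread says.

```routeros
# --- TIK1 (192.168.1.1) ---
# Mark every connection from the phone (address assumed) and route it via the
# WG tunnel. The routing table "via-wg" is assumed to exist already.
/ip firewall mangle
add chain=prerouting src-address=192.168.1.50 action=mark-connection \
    new-connection-mark=wg-to-tik2 passthrough=yes comment="phone -> tunnel"
add chain=prerouting connection-mark=wg-to-tik2 action=mark-routing \
    new-routing-mark=via-wg passthrough=no

# Without the rule below, the phone's query (dst 192.168.1.1:53) is carried to
# TIK2, comes back over the tunnel and is forwarded to 10.0.16.1, which drops
# queries that do not originate from its own LAN. Redirect tunnelled UDP/53 to
# TIK2 instead (TIK2's tunnel address is a placeholder).
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 connection-mark=wg-to-tik2 \
    action=dst-nat to-addresses=<TIK2-WG-IP> comment="tunnelled DNS -> TIK2"

# --- TIK2 ---
# Answer the redirected queries with the local resolver, and accept UDP/53 on
# the input chain only from the tunnel interface (name assumed), not from WAN.
/ip dns set allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=wireguard1 protocol=udp dst-port=53 \
    action=accept comment="DNS from WG peers"
```

The filter rule on TIK2 must sit above any generic drop on the input chain, and TIK2's own upstream resolvers are whatever its /ip dns already uses.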