dns doesn't work with management vrf

Hi, I have the following Gordian-knot problem:

Two simple VRFs:

  • the existing default 'main' for production, without services/management
  • 'mgmt' for in-band management
/ip vrf
add interfaces=mgmt name=mgmt

Give the box two IP addresses: one for production, the other for management:

/ip address
add address=47.11.8.15/24 interface=v777-production
add address=192.168.8.15/24 interface=v999-mgmt

Create two default routes: one for production and the other for management:

/ip route
add dst-address=0.0.0.0/0 gateway=47.11.8.1
add dst-address=0.0.0.0/0 gateway=192.168.8.1@mgmt routing-table=mgmt

Bind the services that are used to the VRF (all other services are disabled):

/ip service
set ssh vrf=mgmt
set winbox vrf=mgmt

Associate the management VLAN '999' with the interface list 'mgmt' to activate the management VRF:

/interface list
add name=mgmt
/interface list member
add interface=v999-mgmt list=mgmt

Set the DNS server to the private management DNS server (e.g. for sending notification emails etc.):

/ip dns
set servers=192.168.8.2

When we try to check whether DNS works, the following happens:

put [:resolve mail.mgmt.lan]
failure: dns server failure

So the DNS server doesn't reply, or is simply not reachable for DNS requests.

Check whether we can ping the DNS server by its IP via our management VRF:

ping 192.168.8.2 count=1 vrf=mgmt
Columns: SEQ, HOST, SIZE, TTL, TIME
SEQ  HOST         SIZE  TTL  TIME 
  0  192.168.8.2    56   64  575us

Without the VRF it's not reachable, as it should be, because that's the whole reason for a management VRF (the production gateway doesn't know anything about the isolated management network):

tool traceroute 192.168.8.2 count=3
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
#  ADDRESS        LOSS  SENT  LAST     AVG  BEST  WORST  STD-DEV
1  47.11.8.1    0%       1  0.4ms    0.4  0.4   0.4          0
2                 100%     1  timeout

When you use a publicly reachable DNS server, DNS suddenly works, but unfortunately only for 'public' addresses:

/ip dns
set servers=192.168.8.2,192.168.8.3
put [:resolve mt.lv]
159.148.147.205

So clearly DNS ALWAYS goes via the 'default' main VRF, and I found no way to force it to go via the mgmt VRF (the DNS server fields don't accept an @mgmt suffix).

Just use main as mgmt.

Using the VRF 'main' doesn't solve the problem; it's just the wrong approach in terms of isolated in-band management.

The fact is that DNS is currently not VRF-aware, so MikroTik VRF is not usable in real datacenter setups that follow common best-practice designs.

That's how competitors do it:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/xe-16/dns-xe-16-book/vrf-aware_dns.html

I hope MikroTik will implement this last missing VRF part, too.

Hi,

I have this same problem, and unfortunately it means that my CHR instances cannot refresh their licenses.

Any updates to solving this? I am running 7.14.2

There are some changes to that in the 7.15 beta:
http://forum.mikrotik.com/t/v7-15beta-testing-is-released/174120/1

What’s new in 7.15beta4 (2024-Mar-04 08:04):
*) dns - added VRF support (CLI only);

But at the moment I have not seen any related docs/tutorials/explanations on how to use this new feature.

It also seems that a bug introduced in 7.14.x has been fixed in the 7.15 beta:

What’s new in 7.15beta6 (2024-Mar-08 08:23):
*) vrf - fixed VRF interfaces being moved to main table after reboot (introduced in v7.14);
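The complete in-band management VRF from the original post, consolidated into one RouterOS configuration, as an added example that is not part of the thread. It orders the steps so that the VLAN and interface list exist before anything references them, points the VRF at the VLAN interface directly, and finishes with the DNS resolver bound to the VRF. The parent interface "ether1", the VLAN IDs and the `vrf=` parameter on `/ip dns` are assumptions: the DNS parameter is inferred from the 7.15beta4 changelog entry "dns - added VRF support (CLI only)" and is not documented anywhere in the thread, so check `/ip dns print` on a 7.15+ box before relying on it.

```routeros
# Added example, not configuration from the thread. Assumptions: parent
# interface ether1, VLAN IDs 777/999, and the /ip dns "vrf" parameter that
# RouterOS 7.15+ is expected to provide (CLI only per the beta changelog).

# VLAN interfaces (the original post does not show their creation)
/interface vlan
add name=v777-production vlan-id=777 interface=ether1
add name=v999-mgmt vlan-id=999 interface=ether1

# Interface list for management, then the VRF that owns the management VLAN
/interface list
add name=mgmt
/interface list member
add interface=v999-mgmt list=mgmt
/ip vrf
add name=mgmt interfaces=v999-mgmt

# One address per role: production stays in main, management lives in mgmt
/ip address
add address=47.11.8.15/24 interface=v777-production
add address=192.168.8.15/24 interface=v999-mgmt

# One default route per routing table; the @mgmt suffix scopes the gateway
/ip route
add dst-address=0.0.0.0/0 gateway=47.11.8.1
add dst-address=0.0.0.0/0 gateway=192.168.8.1@mgmt routing-table=mgmt

# Management services bound to the VRF and restricted to the management
# subnet; everything else disabled so nothing listens in the production VRF
/ip service
set ssh vrf=mgmt address=192.168.8.0/24
set winbox vrf=mgmt address=192.168.8.0/24
set telnet,ftp,www,www-ssl,api,api-ssl disabled=yes

# DNS: the private resolver is only reachable inside mgmt, so the resolver
# itself must be told to use that VRF (assumed "vrf=" parameter, 7.15+).
/ip dns
set servers=192.168.8.2 vrf=mgmt allow-remote-requests=no

# Verification: the resolver and an ICMP check both go via the management VRF
:put [:resolve mail.mgmt.lan]
/ping 192.168.8.2 count=1 vrf=mgmt
```

On a box older than 7.15 the `/ip dns set ... vrf=mgmt` line is rejected as an unknown parameter, which reproduces exactly the situation the original post describes: queries leave through main and only public resolvers answer. Keep `allow-remote-requests=no` unless the router is meant to act as a DNS forwarder for the management network, since the resolver otherwise listens on every address, including the production one.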