Maybe provide them with pcap files. It does seem odd that the entry is unknown, and that when you clear the cache it comes back as unknown…
The second time (after clearing the cache, but before re-adding the same DNS server), did it even make a request? The pcap will show…
littlebill, you should use the nslookup command with an argument explicitly telling it to make the query to the IP address of the Mikrotik device you had shown in Winbox. This will avoid the usage of the local Windows cache and will provide a more precise demonstration of the problem.
To query another name server directly, use the server or lserver commands to switch to that name server. The lserver command uses the local server to get the address of the server to switch to, while the server command uses the current default server to get the address.
Just watched your videos. In short: your Mikrotik devices behave as expected (i.e. absolutely correctly).
Long answer:
You have three parent DNS servers specified on your Mikrotik device: two dynamic ones (you’re probably getting them from your ISP via DHCP, PPPoE, or similar) and the single static one that you specify explicitly (10.0.1.1). The host name you’re querying is only known to your static DNS parent (i.e. 10.0.1.1), where it is configured as a static DNS entry. I’m almost sure the dynamic servers do not know anything about mom.lb. What the Mikrotik DNS server does is forward the request to one of the parent DNS servers. It’s quite likely your mom.lb request is forwarded to one of your dynamic parents, which return NXDOMAIN, causing your Mikrotik device to cache that entry as unknown for some time.
Hope that helps to understand what’s going on. Stop blaming Mikrotik, what it does in your situation is absolutely correct.
The easiest solution would be to remove the dynamic parent DNS servers from your configuration altogether. A more elaborate solution will involve setting up an external DNS server like BIND, since the Mikrotik DNS server is very simple and does not allow configuring different forwarders for different zones.
It’s not necessarily round-robin. It might be random or anything.
It does not. If one forwarder times out or fails in some other way, RouterOS will ask another one. However, if the forwarder returns NXDOMAIN (non-existent domain, which is not a failure, but rather a negative answer) it won’t (and should not) ask any other forwarder.
Your first Mikrotik forwards DNS requests to the 10.0.1.1, which in turn may still be capable of resolving google and others for you (by forwarding your requests to its own forwarders).
If you think about it, that is what you are doing when you add a DNS server to “/ip dns”. You’re forwarding any DNS requests that the Mikrotik does not have in its local cache (assuming you have “Allow Remote Requests” checked and your firewall allows input on UDP port 53).
So what you need to do is create one or more local authoritative DNS servers, something like Bind, PowerDNS, NSD… (I think Windows Server has authoritative DNS but…).
In your new local authoritative DNS server(s) add the domains that you want to host locally, and also add those public DNS servers that you were getting from DHCP as forwarders in your authoritative DNS servers.
Then in the Mikrotik in “/ip dns” add JUST your local authoritative DNS servers. Also make sure “Use Peer DNS” is NOT checked on all dhcp-clients.
That way any requests going to the Mikrotik that it does not already have in its cache will go to your local authoritative DNS. If that DNS query is in your local zone(s) it will answer back. If that query does not exist in your local zone(s), the authoritative server will forward to its forwarders until it gets a response, eventually getting the correct lookup back to your Mikrotik to cache locally until the TTL of that lookup expires (or the Mikrotik cache fills to full capacity).
The trick is to realize that mikrotik’s DNS is simply a caching DNS server and any DNS servers you add in “/ip dns” are your forwarders.
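A small model of the two setups discussed in this thread (the mixed “/ip dns” list with ISP servers plus 10.0.1.1, and the single local authoritative server proposed in the post just above), added here as an illustration and not code from any poster or from RouterOS. Server names, the addresses 192.0.2.10 and 10.0.1.20, the one-hour negative TTL and the pick_index argument (standing in for whichever parent the router happens to choose) are all constructed.

```python
# Added example, not from the thread: models the forwarding/caching behaviour
# discussed above. Timeouts and SERVFAIL retries are deliberately not modelled.
import time

NXDOMAIN = "NXDOMAIN"  # a negative answer, not a failure: no other parent is asked

class ParentServer:
    """A parent DNS server: answers from its own zone data and, for anything
    else, asks its own forwarder if it has one (the BIND/PowerDNS case)."""
    def __init__(self, name, records=None, forwarder=None):
        self.name, self.records, self.forwarder = name, records or {}, forwarder

    def resolve(self, qname):
        if qname in self.records:
            return self.records[qname]
        return self.forwarder.resolve(qname) if self.forwarder else NXDOMAIN

class RouterCache:
    """Models RouterOS /ip dns: a pure cache that sends each miss to ONE of
    its parents and caches whatever comes back, NXDOMAIN included."""
    def __init__(self, parents, pick, ttl=3600):
        self.parents, self.pick, self.ttl = parents, pick, ttl  # single TTL, simplified
        self.cache = {}  # qname -> (answer, expiry)

    def resolve(self, qname, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]  # served from cache, parents are not consulted
        answer = self.pick(self.parents).resolve(qname)  # NXDOMAIN is final
        self.cache[qname] = (answer, now + self.ttl)
        return answer

def mixed_parents(pick_index):
    """The poster's setup: two dynamic ISP servers plus 10.0.1.1 in /ip dns.
    pick_index stands in for whichever parent the router chooses this time."""
    isp1 = ParentServer("isp1", {"google.com": "192.0.2.10"})  # constructed data
    isp2 = ParentServer("isp2", {"google.com": "192.0.2.10"})
    internal = ParentServer("10.0.1.1", {"mom.lb": "10.0.1.20"}, forwarder=isp1)
    router = RouterCache([isp1, isp2, internal], lambda s: s[pick_index])
    first = router.resolve("mom.lb", now=0)
    return first, router.resolve("mom.lb", now=600)  # ten minutes later: cached

def single_authoritative_parent():
    """The proposed fix: only the local authoritative server in /ip dns; it
    hosts mom.lb itself and forwards everything else to the ISP server."""
    isp1 = ParentServer("isp1", {"google.com": "192.0.2.10"})
    internal = ParentServer("10.0.1.1", {"mom.lb": "10.0.1.20"}, forwarder=isp1)
    router = RouterCache([internal], lambda s: s[0])
    return router.resolve("mom.lb", now=0), router.resolve("google.com", now=0)
```

With the mixed list, whether mom.lb resolves depends entirely on which parent was picked, and a negative answer stays in the cache until its TTL runs out; with the single authoritative parent both the local name and public names resolve every time.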
The REAL trick is to understand that if a domain does not exist on whatever random DNS server Mikrotik decides to pick, it will not check the other ones, even though it will work for about an hour. lol
That being said, Windows DNS server will do what is needed, but Mikrotik technically only forwards once; using Windows it works perfectly as long as there are different zones.
Mikrotik will use the DNS server that responds the fastest. It will periodically check to see how fast the servers in “/ip dns” are responding and use the fastest one.
It’s not really random, but it is kinda hidden functionality.