DNS forwarder to AdGuard

MIKROTIK 7.1rc6 192.168.88.1
ADGUARD 192.168.88.250
PC 192.168.88.101

Mikrotik DNS Forwarder is AdGuard
/ip dns set allow-remote-requests=yes servers=192.168.88.250
AdGuard doing DoH to Cloudflare

PROBLEMS:

  1. If my PC's DNS is AdGuard, I can bypass the ISP censor perfectly.
    If my PC's DNS is MikroTik, it will use the ISP DNS, even though I already set my MikroTik DNS forwarder to AdGuard.

Does anyone know where my problem is?
Thanks

UPDATE1:
- tried to modify netwatch to change the DHCP server's DNS server instead of the MikroTik DNS forwarder
http://forum.mikrotik.com/t/dns-failover/127148/1

Very likely your router gets dynamic DNS from your ISP.

Check your

/ip dns print

status. If you see dynamic servers, that is the reason.

If you found dynamic DNS servers, you can disable them by setting

use-peer-dns=no

in your

/ip dhcp-client

settings.

So you want both clients and the MT to use the local AdGuard server?

For clients, use /ip dhcp network to configure the DNS server. It makes no sense (to me) to use the MT as a DNS server in between.
For the MT, use the forwarder (that you already configured) AND make sure that on the DHCP client (assuming you use that for your WAN interface) Use Peer DNS is deactivated.

  1. Peer DNS in the DNS server is already disabled:
    /ip/dhcp-client> /ip dns/print
    servers: 192.168.88.250
    dynamic-servers:
  2. The reason I use MikroTik as the DNS server is so that I can use netwatch: in case the AdGuard server is down, it will change the DNS forwarder to the ISP DNS.

…get rid of the ISP DNS altogether…as said, disable it in the DHCP client to the ISP and in the MT DNS settings.

In the MT router, for the DHCP server to your local clients, set DNS servers as A: AdGuard IP (…88.250) and B: MT IP (…88.1).
In MT DNS, set the forwarded DNS to the same list (well, the plain IP-based ones) as configured in AdGuard.
In any case, enable a forward drop rule for DNS traffic from clients to outside/WAN (except the AdGuard IP) that is not directed towards AdGuard or the MT.
In MT, set a port forwarding rule to forward all DNS traffic to the AdGuard IP.
In netwatch, enable/disable said port forwarding rule for DNS traffic (udp:53) from clients to AdGuard when up/down.

This way, when AdGuard is down, you will still get DNS from your chosen upstream DNS, and “only” lose the adblock/safe-search features until the AdGuard IP is up again.
When AdGuard is up, client requests to the MT router (the client has two DNS options to choose from, as delivered per DHCP) will be forwarded to AdGuard.
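The five steps above as one RouterOS 7 configuration, written as an added example (not from the thread's authors). It assumes the thread's addresses (AdGuard 192.168.88.250, router 192.168.88.1), plus a LAN of 192.168.88.0/24, a WAN interface named ether1 and Cloudflare's plain-IP resolvers 1.1.1.1/1.0.0.1 as the upstream list; change those to match your setup.

```routeros
# Assumptions: LAN 192.168.88.0/24, WAN interface ether1, AdGuard upstreams 1.1.1.1/1.0.0.1

# 1. DHCP server: hand clients AdGuard first, the router second
/ip dhcp-server network set [find address="192.168.88.0/24"] \
    dns-server=192.168.88.250,192.168.88.1

# 2. Router's own resolver: same plain-IP upstreams as AdGuard, and never the ISP's
/ip dns set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dhcp-client set [find interface=ether1] use-peer-dns=no

# 3. Drop client DNS that tries to leave through the WAN directly (AdGuard itself excepted).
#    Traffic to the router's own resolver hits the input chain, not forward, so it is unaffected.
/ip firewall filter add chain=forward out-interface=ether1 src-address=!192.168.88.250 \
    protocol=udp dst-port=53 action=drop comment="drop direct DNS to WAN"
/ip firewall filter add chain=forward out-interface=ether1 src-address=!192.168.88.250 \
    protocol=tcp dst-port=53 action=drop comment="drop direct DNS to WAN"

# 4. Redirect every client DNS query (including those sent to the router) to AdGuard.
#    The comment is the handle netwatch uses to toggle the rule.
/ip firewall nat add chain=dstnat src-address=192.168.88.0/24 dst-address=!192.168.88.250 \
    protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.250 to-ports=53 \
    comment="dns-to-adguard"
# Client and AdGuard share a subnet, so AdGuard would answer the client directly from
# an address the client never queried. Masquerade only the dst-natted connections so
# the reply returns via the router and the translation is undone.
/ip firewall nat add chain=srcnat connection-nat-state=dstnat dst-address=192.168.88.250 \
    protocol=udp dst-port=53 action=masquerade comment="hairpin for dns-to-adguard"

# 5. Netwatch: enable the redirect while AdGuard answers pings, disable it when it stops.
#    With the redirect off, clients fall back to the router (second DHCP DNS entry),
#    which resolves through the configured upstreams without filtering.
/tool netwatch add host=192.168.88.250 interval=30s \
    up-script="/ip firewall nat enable [find comment=\"dns-to-adguard\"]" \
    down-script="/ip firewall nat disable [find comment=\"dns-to-adguard\"]"
```

Verify with `/ip firewall nat print` after stopping AdGuard (the redirect should show as disabled) and with a query to an outside resolver from a client, which should be answered by AdGuard while it is up and dropped otherwise.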