Description:
Conditional DNS forwarding does not work. Queries for the forwarded domain are never sent to the configured forwarder DNS server. The feature appears completely non-functional regardless of configuration.
Configuration:
Forwarder entry:
/ip dns forwarders print detail
name="comfortuin.internal" dns-servers=192.168.3.207
The DNS server at 192.168.3.207 is reachable from the router:
Querying the MikroTik directly returns NXDOMAIN for the forwarded domain
Running tcpdump on the forwarder DNS server (192.168.3.207) shows zero incoming packets from the MikroTik when the domain is queried
The DNS cache shows no entry for the forwarded domain after querying
Even a test forwarder for a public domain (e.g. google.com) produces no traffic to the forwarder server
No firewall rules blocking outbound DNS traffic (output chain is unrestricted)
No NAT rules redirecting DNS traffic
Reproduction steps:
Configure a conditional DNS forwarder: /ip dns forwarders add name="example.internal" dns-servers=<reachable-ip>
Flush DNS cache: /ip dns cache flush
Query the domain: nslookup host.example.internal <mikrotik-ip>
Result: NXDOMAIN
Confirm on the forwarder server using tcpdump that no DNS query was received
Workaround:
Running dnsmasq on a LAN host and pointing the MikroTik's primary DNS server to that host works correctly. The forwarder never sends traffic regardless of configuration.
Expected behavior:
Queries for comfortuin.internal should be forwarded to 192.168.3.207. Tcpdump on that server should show incoming DNS queries from 192.168.3.1.
Actual behavior:
No queries are sent to the forwarder server. The MikroTik returns NXDOMAIN for all forwarded domains.
Has anyone else experienced this? Is this a known issue in 7.22.1?
example says that /ip dns forwarders just set the pool ofDNSes to be used in the round robin style.
Configure/add a static DNS FWD entry:
/ip dns static add forward-to=example.internal name=mikrotik.com type=FWD
Now each time when a router will receive request to resolve mikrotik.com, request using round-robin algorithm will be forwarded to 192.168.3.207 or other DNS servers in the "example.internal" pool of servers.
Ont he other hand AFAIR you have to use regular expression in the static forward rule as the above line adds forwarding just for microtik.com, not for all subdomains of *.mikrotik.com
@aaaajeeee
No ... you just set the pool of forwarders (DNS servers you want to do the service) that is named "comfortuin.internal" - you can use any name for that - with one entry 192.168.3.207 .... it's like setting a pool of addresses for DHCP server without setting rest of DHCP server.
Do not mix these two concepts: the name of the forwarder(s) pool and the name of domain you want redirect resolveing process for. They could be the same just for convenience but I would add eg. "_fwd_dns_pool" to the name of pool
/ip dns forwarders add name="comfortuin.internal_fwd_dns_pool" dns-servers=192.168.3.207
Next you have to inform DNS what domain (in your situation it is the domain you used as the name of forwarders pool) you want to be resolved by already set forwarders pool by pointing it.
/ip dns static add forward-to=comfortuin.internal_fwd_dns_pool name=comfortuin.internal type=FWD
You are probably right that "match subdomain" ads "the magic" to the pure domain name so my solution just wastes resolver's time. I not tested it ... it was just proof of concept.
That is a misunderstanding that I have run into myself as well. At first, you define a forwarder and then you define static entries that specify what is being forwarded to!
/ip dns forwarders
add name="my internal dns server" dns-servers=192.168.3.207
/ip dns static
add forward-to="my internal dns server" match-subdomain=yes \
name=comfortuin.internal type=FWD
