DNS FWD entry not working as expected

infabo · April 20, 2023, 7:41am

When I set a static DNS entry:

name="example.com" type=A address=10.10.10.10 ttl=1d match-subdomain=yes

Then I verify:

:put [:resolve domain-name=test.example.com]`
10.10.10.10

All good.

But when I use a FWD-entry, because I want some other nameserver to handle a specific domain, it does not work:

name="example.com" type=FWD forward-to=10.23.45.10 ttl=1d match-subdomain=yes

It returns:

:put [:resolve domain-name=foo.example.com]
failure: dns name does not exist

But to verify, when I use resolve with explicit server param it resolves perfectly.

 :put [:resolve domain-name=foo.example.com server=10.23.45.10]
10.23.45.16

Is this a ROS bug or does FWD just not work how I would assume it works?
ROS: 7.8

rextended · April 20, 2023, 9:04am

Did you just forget to mention that you use DoH?

infabo · April 20, 2023, 9:13am

Yes, I did not mention that. I have configured a DoH server.

rextended · April 20, 2023, 9:30am

Didn’t you wonder how I knew that without a doubt?
I also assume you have NOT read the online help.
If you read the help, you’d instantly understand how I knew you were using DoH…

On synthesis, your FWD point to one DNS without certificate issued by one global CA, and, if you use the DoH, the FWD field make no sense.

infabo · April 20, 2023, 10:05am

Sry, just found that. DNS - RouterOS - MikroTik Documentation

DoH is not compatible with FWD-type static entries, in order to utilize FWD entries, DoH must not be configured.

I also assume you have NOT read the online help.

I do read the online help. But sometimes important infos are “hidden” in long sentences and I oversee that. I somehow struggle with the Confluence style too…

rextended · April 20, 2023, 11:25am

But there is someone who has read it and gives you a hand

anav · April 20, 2023, 4:23pm

And he only has one eye!!

infabo · April 20, 2023, 7:20pm

all the more amazing!

own3r1138 · April 20, 2023, 7:52pm

The Eye of Barad-dûr

rextended · April 20, 2023, 8:37pm

Just some history

Avatar 2014-2020

Avatar 2021

Avatar from 2022-02-24

Avatar for 2023-02-24

Avatar for 1st April 2023

Actual Avatar

Is there a similarity to the second?

mkx · April 20, 2023, 8:50pm

So … in the last two years you made a transition from right to left?

And only that … your hair became grey? Is that how old you are?

rextended · April 20, 2023, 8:53pm

The last is the old Windows XP user login picture icon, with a surprise if is zoomed (like the original…)

CosmosNetwork · April 21, 2023, 8:27am

You can use dns over wireguard instead of doh. For example cloudflare warp with their dns servers.