DNS in MikroTik doesn't work

Hi,
I have internet by two-way satellite, because my town doesn't have ADSL.
I have an RB1100.
I set up MikroTik with hotspot.
I tried every rule in the wiki and this forum to force users to use OpenDNS,
with web proxy and without,
like these rules:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=53 action=dst-nat to-addresses=208.67.222.123
add chain=dstnat protocol=udp dst-port=53 action=dst-nat to-addresses=208.67.222.123

or this:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53

or by web proxy:

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0

/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \
    to-ports=8080

and many other rules.

I set up DNS in MikroTik with allow remote requests enabled.

What is wrong?

Please, I need to use OpenDNS because I have children and the satellite DNS opens everything.

Remove those two.

Leave this (adding your router's local IP to the negated dst-address); outgoing DNS requests will be redirected to your MikroTik DNS cache, and WWW requests to the local proxy cache:

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 dst-address=!your.router.local.ip


Make sure on IP > DNS you have 208.67.222.123 in servers.

There's no need to use the web proxy, as DNS will already be restricting which domains resolve or not. Also, you'll face problems using the proxy, as most websites (YouTube, Facebook, Google) use HTTPS nowadays.

Just by using the OpenDNS servers (and making sure you set the proper policy on OpenDNS) you'll be restricting which domains resolve or not. By forcing all outgoing DNS queries to go to your cache, you "close the circle".

/ip dns
set allow-remote-requests=yes servers=208.67.220.123,208.67.222.123

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.80.0/24 dst-port=53 in-interface=lan1 protocol=tcp to-addresses=192.168.80.1 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.80.0/24 dst-port=53 in-interface=lan1 protocol=udp to-addresses=192.168.80.1 to-ports=53

Thank you for the reply, IntrusDave & pukkita.


My router IP: 192.168.1.1

My WAN IP: 192.168.1.10

My IP: 10.0.0.1

Is that right?

/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 dst-address=!10.0.0.1

and this:

/ip dns
set allow-remote-requests=yes servers=208.67.220.123,208.67.222.123



/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-port=53 in-interface=lan1 protocol=tcp to-addresses=192.168.1.10 to-ports=53
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-port=53 in-interface=lan1 protocol=udp to-addresses=192.168.1.10 to-ports=53

Assuming 10.0.0.1 is your LAN (internal) IP:


/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 dst-address=!10.0.0.1 in-interface=YOURLANINTERFACE

You have to specify in-interface, otherwise you'll also catch the outgoing DNS queries your cache makes.

/ip dns
set allow-remote-requests=yes servers=208.67.220.123,208.67.222.123



It's all needed.
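As an added, consolidated example (not code from the thread, and not MikroTik's own), here is the whole setup the replies above describe in one place: the router resolver forwarding only to OpenDNS, the UDP and TCP dst-nat rules limited to the LAN interface, plus an input-chain drop the thread does not mention but that allow-remote-requests=yes calls for, because that setting makes the router answer DNS on every interface, the WAN side included. The interface names lan1 and wan1 and the router address 10.0.0.1/8 are assumptions; substitute your own from /interface print and /ip address print.

```routeros
# Added example, not from the thread: force LAN clients onto the router resolver,
# which forwards to OpenDNS only.
# Assumed names: LAN interface "lan1" (router address 10.0.0.1/8), WAN interface "wan1".

# 1. Router resolver: answers LAN clients, forwards upstream to OpenDNS only.
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123

# 2. Catch every client DNS query (UDP and TCP) that is not already addressed to the
#    router and hand it to the router's resolver. in-interface=lan1 limits the match
#    to packets entering from the LAN.
/ip firewall nat
add chain=dstnat in-interface=lan1 protocol=udp dst-port=53 dst-address=!10.0.0.1 \
    action=redirect to-ports=53 comment="force LAN DNS to router (udp)"
add chain=dstnat in-interface=lan1 protocol=tcp dst-port=53 dst-address=!10.0.0.1 \
    action=redirect to-ports=53 comment="force LAN DNS to router (tcp)"

# 3. allow-remote-requests=yes makes the resolver listen on every interface, so drop
#    DNS arriving from the WAN or the router becomes an open resolver for the
#    upstream network. Replies to the router's own upstream queries are unaffected
#    (they arrive with dst-port = ephemeral, not 53).
/ip firewall filter
add chain=input in-interface=wan1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=wan1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN"

# 4. Checks: from a LAN client, query some other server (nslookup example.com 8.8.8.8).
#    The redirect counters must move and the name must show up in the router cache.
/ip firewall nat print stats where comment~"force LAN DNS"
/ip dns cache print
```

Two caveats. The input drop rules must sit above any broad accept rule in /ip firewall filter, since rules are evaluated in order. And on a hotspot interface RouterOS inserts its own dynamic rules ahead of the static ones (a dstnat jump into the hotspot chain, which redirects client port 53 to the hotspot DNS proxy on port 64872), so hotspot clients are already steered to the router's resolver and the static redirect counters can stay at zero for them; check /ip dns cache print rather than only the NAT counters.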

This is the configuration of my RB.

Please see below if something is wrong.

/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          10.201.5.17               1
 1 ADC  10.0.0.0/8         10.0.0.1        out                       0
 2 ADC  10.201.5.0/24      10.201.5.20     in                        0

Address:

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.201.5.20/24     10.201.5.0      in
 1   10.0.0.1/8         10.0.0.0        out

IP DNS:

/ip dns> print
                servers: 208.67.220.123,208.67.222.123
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 35KiB

IP firewall NAT:

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough log=no log-prefix=""

 1    ;;; masquerade hotspot network
      chain=srcnat action=masquerade src-address=10.0.0.0/8 log=no log-prefix=""

 2    chain=dstnat action=redirect to-ports=53 protocol=udp dst-address=!10.0.0.1 in-interface=out dst-port=53 log=no log-prefix=""

IP DHCP network:

/ip dhcp-server network> print
 # ADDRESS            GATEWAY         DNS-SERVER      WINS-SERVER     DOMAIN
 0 ;;; hotspot network
   10.0.0.0/8         10.0.0.1

I also inserted an image of my NAT; you can see packets and bytes are zero.