DNS Issue

Hi Mikrotik users,
I have an issue with my CCR1036.
I have configured the DNS settings to make the router a cache server with:

  • Static DNS: My NAS on the LAN which manages local addresses
  • OpenDNS Servers
  • Dynamic servers (uplink routers)

I have set the router address in the DHCP configuration of the LAN.

It works but after a couple of minutes, the requests are either generating a timeout or the responses are seriously delayed.
I checked the logs and couldn’t find any error.

Any help is welcome.
Thanks

Hi there. What version are you running?

Can you send an export of your dns config?

When you have the issue, how many entries are in the dns cache?

Sure,
I’m running v7.15 of the firmware on a CCR1036-8G-2S+.
My DNS records are as follows:
My Local DNS server on the LAN (SYNOLOGY NAS DNS Server)

then public DNS servers:
208.67.220.220
208.67.220.222
208.67.222.220

Dynamic Servers:
The 2 ISP access router addresses (FTTH & 5G)
VRF : main
Max UDP packet size: 4096
Query server timeout: 2000
Query total timeout: 10000

When I refer to the local DNS server in the DHCP configuration, everything works smooth but obviously the router cache isn’t used…

I look to have less than 300 records in the Draft.

Thanks
Laurent

I found the issue I guess.
When using other DNS servers than:
208.67.220.220
208.67.220.222
208.67.222.220

it works well.
Not sure why

I was optimistic. Still very slow in resolving names…

Greetings. Do you have allow remote requests enabled?

You can also export your config so it can be looked at, delete or mask any important info from it:
/export file=anyname

/ip dns
set allow-remote-requests=yes servers=76.76.2.2,76.76.10.2,1.1.1.2,1.1.1.1

Here we are.
I have moved the DNS to my local DNS server (192.168.0.28) atm as the router cache is not working the way it should be.

2024-09-13 00:11:41 by RouterOS 7.15
software id = NM5S-Y70D
model = CCR1036-8G-2S+
serial number = xxxxx

/ip pool
add address=192.168.0.0/24 dns-server=192.168.0.28 domain=familletaieb.fr gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=40960KiB servers=192.168.0.28,80.67.169.12,80.67.169.40
/ip dns adlist
add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
"Mail Attacker"
/ip firewall filter
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment="Block DNS Requests from WAN" dst-port=53 in-interface-list=WAN log=yes log-prefix="Prerouting Drop DNS Requests from the WAN" protocol=udp src-address-list=!Trusted_IP

Greetings. That’s nowhere close to the config requested. If your goal is to have the Mikrotik handle the DNS requests, below is a firewall config that’ll work. And it’ll redirect any requests back to the Mikrotik. Also a better implementation to block any unauthorized DNS requests coming in on port 53 using Raw.

In the Mikrotik dhcp server, make sure your dns-server is specified. I’ve included this as well below.

Either copy what is below or edit your config/firewall as close as possible to it, including the order that they’re in.

Edit: Forgot about the dhcp-client. If you’re using a dhcp client for ISP, on like ether1, make sure “use peer dns” is unticked (off)


/ip dhcp-client
add interface=ether1 use-peer-dns=no 

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.220.222,208.67.222.220

/ip firewall address-list
add address=208.67.220.220 comment="Allowed DNS Servers" list=allowed_DNS
add address=208.67.220.222 list=allowed_DNS
add address=208.67.222.220 list=allowed_DNS

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid-input
add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all else" log-prefix=DROP-else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
add action=accept chain=forward comment="defconf: internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all else" log=yes log-prefix=DROP-else

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN 
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 in-interface-list=LAN log-prefix=redirect_DNS protocol=udp to-ports=53

/ip firewall raw
add action=drop chain=prerouting comment="drop non-legit DNS requests" dst-port=53 in-interface-list=WAN log-prefix=RAW-DROP-DNS-tcp protocol=tcp src-address-list=!allowed_DNS
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log-prefix=RAW-DROP-DNS-udp protocol=udp src-address-list=!allowed_DNS

Thanks MTNick,
I’ll try the config and let the forum know if that works in my env.

Best
Laurent

Hi MTNick, this is working well but can you please explain the raw rules, are they built to drop any packet coming from non-certified DNS servers?
Many thanks for your help, your proposed configuration worked perfectly well.
Laurent

Hi laurenttaieb. The raw rules above block DNS requests coming from the WAN “to” the router, preventing any outside access to the Mikrotik DNS server. The rules are needed due to ticking (allowing) this “allow-remote-requests=yes” in DNS setting.

If you want to only permit specific DNS addresses “through” the router coming from the WAN, you’ll need 2 additional rules. The rules below assume you have the DNS server addresses in the address list named “allowed_DNS”.

/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN protocol=tcp src-address-list=!allowed_DNS src-port=53
add action=drop chain=prerouting in-interface-list=WAN protocol=udp src-address-list=!allowed_DNS src-port=53
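
The security point running through MTNick's two posts is that `allow-remote-requests=yes` turns the router into a resolver for whoever can reach port 53 on it, so the raw prerouting drops for inbound tcp/udp 53 from the WAN, the DHCP `dns-server` pointing at the router, `use-peer-dns=no` on the ISP dhcp-client and (optionally) the `src-port=53` reply rules all have to be present together. Below is an added example, written for this thread and not MikroTik's or MTNick's code, that parses an `/export`-style text and audits exactly those points. The two exports embedded in it are constructed to resemble the hardened config above and the original poster's first export; the section paths and keys are the ones that appear in the thread.

```python
"""Audit a RouterOS export for the DNS-exposure points discussed in this thread.

Added example (not MikroTik's or MTNick's code). Checks that:
  * allow-remote-requests=yes is paired with enabled raw prerouting drops of
    inbound dst-port=53 from the WAN for BOTH tcp and udp (open-resolver check);
  * the optional src-port=53 reply-filtering rules exist (reported as info);
  * the DHCP server hands out the router gateway itself as dns-server;
  * the ISP dhcp-client has use-peer-dns=no.
"""
import shlex

# Constructed export in the shape of MTNick's hardened config (not a real device export).
HARDENED_EXPORT = """\
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.220.222
/ip firewall raw
add action=drop chain=prerouting comment="drop non-legit DNS requests" \\
    dst-port=53 in-interface-list=WAN protocol=tcp src-address-list=!allowed_DNS
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN \\
    protocol=udp src-address-list=!allowed_DNS
"""

# Constructed export resembling the original poster's: udp-only raw drop,
# DHCP pointing clients at the NAS, dhcp-client left at the default use-peer-dns.
WEAK_EXPORT = """\
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.28 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes cache-size=40960KiB servers=192.168.0.28,80.67.169.12
/ip firewall raw
add action=drop chain=prerouting comment="Block DNS Requests from WAN" dst-port=53 \\
    in-interface-list=WAN log=yes protocol=udp src-address-list=!Trusted_IP
"""


def parse_export(text):
    """Parse export text into {section_path: [entry, ...]}.

    Each entry is a dict of key=value pairs plus '_cmd' ('add' or 'set').
    RouterOS wraps long export lines with a trailing backslash; those are re-joined.
    """
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # keeps quoted comments as one token
        if current is None or not tokens:
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def _raw_drops(sections, proto, port_key):
    """Enabled raw prerouting drop rules for WAN traffic matching port_key=53."""
    return [
        e for e in sections.get("/ip firewall raw", [])
        if e.get("action") == "drop" and e.get("chain") == "prerouting"
        and e.get("in-interface-list") == "WAN" and e.get("protocol") == proto
        and e.get(port_key) == "53" and e.get("disabled", "no") != "yes"
    ]


def audit(text):
    """Return {'fail': [...], 'info': [...]} findings for an export."""
    s = parse_export(text)
    fail, info = [], []
    dns = next(iter(s.get("/ip dns", [])), {})
    if dns.get("allow-remote-requests") == "yes":
        for proto in ("tcp", "udp"):
            if not _raw_drops(s, proto, "dst-port"):
                fail.append(f"open resolver: allow-remote-requests=yes but no raw "
                            f"prerouting drop of inbound {proto}/53 from WAN")
        for proto in ("tcp", "udp"):
            if not _raw_drops(s, proto, "src-port"):
                info.append(f"no raw rule limiting {proto} replies from src-port 53 "
                            f"to the allowed_DNS list (optional hardening)")
    for net in s.get("/ip dhcp-server network", []):
        if net.get("dns-server") and net.get("dns-server") != net.get("gateway"):
            info.append(f"DHCP network {net.get('address')} hands out dns-server="
                        f"{net['dns-server']}, so clients bypass the router cache")
    for cl in s.get("/ip dhcp-client", []):
        # RouterOS defaults use-peer-dns to yes when the key is absent from the export.
        if cl.get("use-peer-dns", "yes") != "no":
            fail.append(f"dhcp-client on {cl.get('interface')} has use-peer-dns=yes; "
                        f"ISP resolvers will be added as dynamic servers")
    return {"fail": fail, "info": info}


if __name__ == "__main__":
    for name, export in (("hardened", HARDENED_EXPORT), ("weak", WEAK_EXPORT)):
        print(name, audit(export))
```

Run it against a real `/export file=anyname` output by reading the file into `audit()`; anything in `fail` means the resolver is reachable from the WAN or the ISP's dynamic servers are being mixed into the server list, which are the two conditions this thread traced the symptoms to.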

Rules by @MTNick do the job just fine.

Just beware of raw rules’ performance: while raw rules appear to be an economical solution (raw rules are evaluated before the connection tracking machinery does its job … which is the single most expensive feature run by the firewall), raw rules are evaluated for every single packet entering the firewall engine. So if the DNS packet count is not large compared to total traffic, “usual” firewall filter rules are actually more economical.

Raw rules are preferred while the router is under a sort of (D)DoS attack where the share of malicious packets is large and it’s beneficial to drop those as soon as possible.