DNS Keep 'Losing' Track

I have an RB850Gx2 with RouterOS v6.30.4 installed, with this configuration:

port 1 - WAN
port 2 & 3 - to Switch for LAN
port 4 - to Internal Server
port 5 - to Wifi Router

203.142.xxx is my ISP's DNS, while 192.168.1.5-10 is my internal server, which works as the domain controller and intranet thingy.
All PCs and other devices can communicate through the internal network just fine.
The Wifi Router is set as a bridge and controlled by DHCP on port 5 of the Mikrotik. It works fine; it can connect internally and browse the internet.

The client PCs are set with static IPs, but somehow they behave erratically, with unpredictable behaviour, when trying to browse the internet.
Sometimes they connect, sometimes they don't and show a DNS error. The strange bit is, it isn't the same behaviour on all the PCs.
PCs with Windows XP work fine, while PCs with Windows 7 and 8 behave erratically and often lose connection because they can't resolve DNS.
The WAN is obviously connected and DNS is working fine, because all wifi devices can connect to the internet; pinging an internet domain from the terminal also confirmed this, it's connected and can resolve DNS.

Rebooting the Mikrotik router solves this problem.
But after a while, 15 minutes or so, the problem comes back on the PCs with Windows 7/8, some affected, some not.
It seems random who gets affected, a different client every time. Sometimes the problem is gone for a while, then comes back unexpectedly.

I tried adding a DHCP server for the LAN on the PC network and adding the DNS server to that. But it doesn't solve the problem, still the same result.


Originally, this problem was on my old RB450G.
It worked fine previously and this problem only came recently (perhaps because previously the majority had Windows XP installed, but now the majority is Windows 7/8?)
But because it had already served for several years, I assumed maybe there was something wrong with the device and replaced it with the newer RB850Gx2.
Turns out the problem still exists.

Can someone point out what's wrong in the configuration and what to do to solve this?

Is your Firewall OK? Are you using PPPoE?

The firewall filter rules are blank. This is the NAT setting

ether1 - WAN is using a public static IP provided by my ISP with a fibre optic connection.
Please note that the router can ping and resolve DNS just fine, as can other devices/laptops connected through wifi.
I can also connect directly from outside via the public IP address.

In that case it is clear... your DNS resolver is being swamped by abusers from the internet.
You really need to put in firewall rules that block new input from your internet interface, as is present by default.

203.142.82.222 is a public DNS owned by my ISP and used not only by me, but by several/dozens of other networks using services from that ISP. I don't have control over that.

And also, like I said above: if it is being swamped by abusers from the internet, how come users with a wifi connection (smartphone, laptop), and PCs with Windows XP, don't have the same problem?
If it's abused and down, all connections from my internal network to the internet should suffer the same thing, shouldn't they?
I really don't get it. So what is your proposed solution?

Read the many other threads of users with DNS problems.

I have done that already for a few days, and tried tinkering based on that. But I can't seem to find a working solution for my specific problem.
Most of the posted problems are either totally working, or totally not. While what I have is just some part of it, and intermittent. That's why I'm posting this.
Sorry if I lack knowledge on this; that's why I'm seeking advice and hopefully someone can point me and fill me in.
But it seems that maybe my 'basic' problem didn't interest you? Anyway, thank you for your responses.

First, you should do what pe1chl suggests and block incoming DNS requests from the internet, even though I don't see any clear proof that it's the main problem. In any case, if you have a public IP address, enabled remote DNS requests and no filters, someone either is or soon will be misusing it. It would be best to block everything by default and only allow what you need. But you can use this as a quick hotfix:

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1-gateway log-prefix="" protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway log-prefix="" protocol=tcp

Another thing: you have a suspiciously high number of DNS servers. Nothing wrong with that alone. But if those 192.168.1.x serve some internal domain, then you can't mix them with public ones. It's because they are all equal: if one does not know the answer, it sends back "I don't know" and the client does not try to ask another. So if you had e.g. mycompany.lan and the question for that went to 8.8.8.8, it won't know the answer and the client won't be able to resolve it. Or the other way around, if the 192.168.1.x servers only answered questions for mycompany.lan (which is a possible configuration) and a question for mikrotik.com came to them, the client will also fail to resolve it.
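Once the two drop rules above are in place, you can confirm from a host outside your network that the router no longer answers DNS on ether1. The following is an added example, not code from the thread or from MikroTik: it builds a raw A query, decodes the header flags of whatever comes back (RA set and NOERROR/NXDOMAIN means the server recursed on the sender's behalf), and treats a timeout as the expected outcome once the rules are active. The sample replies at the bottom are hand-built so the decoding can be exercised offline; mikrotik.com is used as the query name because it appears in the thread, and the answer address 203.0.113.10 is constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(qname):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [p.encode("ascii") for p in qname.strip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def build_query(qname, txid=0x1234):
    """Standard A/IN query with RD=1, i.e. 'please recurse for me'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_header(data):
    """Decode the 12-byte DNS header into the fields that matter here."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: server offers to recurse
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(data):
    """What a reply tells you about the server that sent it."""
    h = parse_header(data)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "open-recursive"       # it looked the name up on the sender's behalf
    if h["rcode"] == "REFUSED":
        return "refused"
    return "other"


def probe(server_ip, qname="mikrotik.com", timeout=2.0):
    """Ask one server (an address you administer) and classify the reply.
    With the drop rules active on ether1, a query from outside gets no reply at all."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return classify(data)


# Constructed sample replies (hand-built, not captured from a real router)
QUESTION = encode_name("mikrotik.com") + struct.pack("!HH", 1, 1)
# QR=1 RD=1 RA=1 RCODE=0 with one A record: what an open resolver sends back
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes([203, 0, 113, 10]))
# QR=1 RD=1 RA=0 RCODE=5: a server that declines to recurse for this client
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print("open resolver reply   ->", classify(OPEN_REPLY))
    print("refused reply         ->", classify(REFUSED_REPLY))
    # probe("192.0.2.1") would return "no-reply" against a WAN address that drops port 53
```

Before the rules, `probe(<your WAN address>)` run from outside returns "open-recursive"; afterwards it returns "no-reply", which is the state you want.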

Thanks. I applied this now, will see how it performs tomorrow and report back.
IIRC, I already tried something like this and it didn't solve the problem; that's one of the reasons I dropped the filter, so I could simplify what causes it while tracking the problem.
But I'll do as you and pe1chl suggest.

Whoa... I never knew this. So a second DNS or alternate DNS is 'no good' because the client does not try to ask the second and subsequent DNS listed?
So what's the purpose of having the ability to add several DNS? When are the second and subsequent DNS listed used? Only if it can't contact the first?
Yes, 192.168.1.x serves the internal domain.
In this case, if the public DNS is listed first, it should resolve DNS fine, assuming it's not down, right?

Thanks for your explanation, appreciate it.

What makes me really confused is, I didn't have a problem with that configuration previously, and all PCs with Windows XP don't have this problem.

Multiple resolvers are just for redundancy. If one goes down, you have a backup. But it's assumed that all can get the same data.

To clarify it a little and fix my mistakes:

  • The answer for unknown domain is not “I don’t know”, it’s “it doesn’t exist”. It’s a definitive answer and there’s no point asking another server.
  • You’ll get this answer from public server, when you ask about internal domain, because it has no way of knowing about it.
  • If you ask an internal server about a public domain and it's not configured to forward these requests, it will either refuse the question or tell you where else you should ask. And to be honest, I'm not sure how clients react to this; it's a scenario which is not supposed to happen, because you should not give such a server to clients (you can use an internal server, but it must be able to also resolve public domains). I'd expect them to try another server, but perhaps some might not do that. It could explain differences between Windows versions. But it's just a guess, I'd have to try it.
  • The order of servers does not matter; systems may choose any of the available ones at any time.
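The behaviour described in this list, and in the earlier post about mixing internal and public servers, can be reproduced with a small simulation. This is an added example, not code from the thread or from MikroTik: `Server` and `resolve` are a toy model of a resolver pool and a client that picks any configured server, NOERROR and NXDOMAIN are treated as final answers, and only REFUSED may make the client try another server. The zone names mycompany.lan and mikrotik.com are the ones used in the thread; the addresses 203.0.113.10 and 192.168.1.5 assigned to them are constructed.

```python
import random

NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"


class Server:
    """Toy DNS server: records it can answer itself, optionally a zone it is
    authoritative for, optionally another Server it forwards everything else to."""

    def __init__(self, name, records, authoritative_for=None, forwards=None):
        self.name = name
        self.records = records                      # {fqdn: ip}
        self.authoritative_for = authoritative_for  # zone suffix; None = full public resolver
        self.forwards = forwards                    # Server or None

    def query(self, qname):
        if qname in self.records:
            return NOERROR, self.records[qname]
        if self.authoritative_for is None:
            return NXDOMAIN, None          # public resolver: the name really does not exist
        if qname == self.authoritative_for or qname.endswith("." + self.authoritative_for):
            return NXDOMAIN, None          # our own zone but no such host: also definitive
        if self.forwards is not None:
            return self.forwards.query(qname)
        return REFUSED, None               # not our zone and nowhere to send it


def resolve(qname, servers, rng, retry_on_refused=True):
    """Client behaviour: any configured server may be asked first (order does not
    matter); NOERROR and NXDOMAIN end the lookup, only REFUSED may trigger another try."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        rcode, ip = server.query(qname)
        if rcode != REFUSED or not retry_on_refused:
            return rcode, ip, server.name
    return REFUSED, None, None


def success_rate(qname, servers, trials=1000, seed=1, retry_on_refused=True):
    """Fraction of lookups that came back with an address over many client choices."""
    rng = random.Random(seed)
    ok = sum(resolve(qname, servers, rng, retry_on_refused)[0] == NOERROR
             for _ in range(trials))
    return ok / trials


# Constructed data: zone names from the thread, addresses from documentation/RFC1918 ranges
PUBLIC = {"mikrotik.com": "203.0.113.10"}
INTERNAL = {"dc1.mycompany.lan": "192.168.1.5"}

isp1 = Server("203.142.82.222", PUBLIC)
isp2 = Server("203.142.84.222", PUBLIC)
internal_only = Server("192.168.1.5", INTERNAL, authoritative_for="mycompany.lan")
internal_fwd = Server("192.168.1.5", INTERNAL, authoritative_for="mycompany.lan",
                      forwards=isp1)

MIXED = [isp1, isp2, internal_only]   # ISP servers plus an internal-only server
FIXED = [internal_fwd]                # only an internal server that forwards public names

if __name__ == "__main__":
    for label, pool in (("mixed", MIXED), ("fixed", FIXED)):
        for name in ("dc1.mycompany.lan", "mikrotik.com"):
            print(f"{label:5} {name:18} retry={success_rate(name, pool):.2f} "
                  f"no-retry={success_rate(name, pool, retry_on_refused=False):.2f}")
```

Run as-is, the mixed pool resolves the internal name only about a third of the time (whenever the client happened to pick the internal server; the ISP servers answer NXDOMAIN, which is final), and the public name fails about a third of the time for a client that does not retry on REFUSED, which is the kind of per-client randomness the thread describes. The pool with one forwarding internal server resolves both names every time.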

My internal server is set to use forwarding for external sites; maybe the different OS is what causes the different result? I don't know for sure either.
Anyway... UPDATE
I have already applied the suggested filter rule. Made the router the DNS server and added DNS static entries to it for my internal domain.
The problem still exists.

What exact config do you have now? To be sure that I’m not imagining something different.



[@MikroTik] > ip dns print
                servers: 192.168.1.1,203.142.82.222,203.142.84.222,192.168.x.x,
                         8.8.8.8
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 4096KiB
          cache-max-ttl: 1w
             cache-used: 161KiB

[@MikroTik] > ip dns static print
Flags: D - dynamic, X - disabled, R - regexp 
 #     NAME          ADDRESS                                         TTL         
 0     router        192.168.1.1                                     1d          
 1     localdomain   192.168.1.x                                     1d          



[@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-pref
 1 X  ;;; default configuration
      chain=input action=accept connection-state=established 
      log-prefix="" 
 2 X  ;;; default configuration
      chain=input action=accept connection-state=related log=
 3 X  ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log
 4    chain=input action=drop protocol=udp in-interface=ether
      dst-port=53 log=no log-prefix="" 
 5    chain=input action=drop protocol=tcp in-interface=ether
      dst-port=53 log=no log-prefix="" 


[@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; WAN
      chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.1.0/24 
      out-interface=ether1-gateway log=no log-prefix="" 
 1    ;;; LAN
      chain=srcnat action=masquerade src-address=10.10.10.0/24 
      out-interface=ether1-gateway log=no log-prefix="" 
 2    ;;; Remote
      chain=dstnat action=dst-nat to-addresses=192.168.x.x to-ports=80 protocol=tcp 
      dst-address=182.253.xxx.xxx dst-port=1000 log=no log-prefix="" 
 3    ;;; proxy dns
      chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 log=no 
      log-prefix="" 
 4    chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 log=no 
      log-prefix=""

DNS and Firewall config.
Anything else needed?

What do clients have as DNS servers? Your router? That would not really fix anything, because your router still has a mix of servers where not all of them are able to resolve everything.

You have:

  • Your ISP’s servers 203.142.82.222 and 203.142.84.222, but they don’t know about your internal domain.
  • Your servers 192.168.1.5 and 192.168.1.10 for your internal domain.

I’d do this:
Assuming your internal servers can be configured to answer non-local queries and forward them somewhere else, configure them to forward such queries to your ISP's servers. On the router, remove all current servers and add only 192.168.1.5 and 192.168.1.10. Then give your clients as DNS (only this and nothing else):
a) 192.168.1.5 and 192.168.1.10
b) 192.168.1.1 (your router’s internal address)

It does not really matter which option you choose. Since you have two internal servers, there's no single point of failure, so clients can get these two directly and there's no need to involve the router (option a). DNS settings on the router would then be only for the router's own use. The advantage of option b is that you won't ever need to touch any client's settings if you change DNS servers.

I set it up with option a) previously. Yes, it can answer non-local queries and forward them.
But the downside is that when the load on the server is high, sometimes it goes unanswered and times out.
We're a small-medium company; the server is not a dedicated DNS server, and acts in several roles.
Also, sometimes it kind of has weird results: it can resolve DNS but still can't connect, like this one below. That's why I said it seems to keep 'losing' track.

Now I’m trying to set it with option
c) 192.168.1.1 (can handle local query with added of DNS static) and alternate DNS of my ISP DNS if it’s unresponsive.

I’m not sure which one is optimal, maybe need to collect more sample. But few PC already shown that sometimes it’s given timeout to DNS query.

DNS is very light on resources, so I wouldn't expect it to fail with high server load. But even if it happened, you have two servers. Both failing at the same time seems unlikely to me.

I’m not sure what you mean by this.

There’s also another option:

d) Set your router to have the ISP's DNS servers (only those two). Then give 192.168.1.1 (the router's address) to clients as the only DNS server. And to access internal domains, use the old L7 hack to forward such queries to your internal server. The good part is that the state of your internal servers won't affect resolution of public domains in any way. The downside is that you can choose only one internal server to handle queries for the internal domain, so you won't have any backup there.