I have a RB2011 at a remote office that has an IPSEC connection back to a Smoothwall in the main office. That IPSEC connection works fine and we can pass traffic. The issue comes with DNS resolution for the remote site to access devices in the main office. (DNS in the main office is provided by Windows servers in an AD environment.) If I set the MikroTik’s DHCP Server to hand out the two internal DNS servers (192.168.1.1 and 192.168.1.2) as the primary and secondary DNS servers and then set 8.8.8.8 as the tertiary DNS server, I don’t always get DNS resolution for internal devices to work properly. I put the 8.8.8.8 in there so that they could continue to get internet access if the internal VPN went down.
Here are some things that I have determined:
With 8.8.8.8 in the DNS list, Torch shows NetBIOS traffic when I try to ping by DNS name. If I take the 8.8.8.8 out, Torch shows the DNS traffic when trying the same ping.
If I remove 8.8.8.8 from the DNS list, I can resolve internal devices.
One thing to add is that the internal domain is a .net and is not a .local or .lan.
Is there a special way to set up DNS to be used over the VPN back to an AD server? Is there a way to set this up so that I can leave the 8.8.8.8 in the DNS list?
Set up a DNS resolver on a remote office LAN server, instructing it to use the AD DNS for any query towards the .net domain, and recurse the root DNS servers for anything else. Say this DNS runs at 192.168.1.3.
and
Set up a local DNS server on the main remote office router, which uses 192.168.1.3 as its sole DNS server.
All resolvers are expected to be equal and their order does not matter, so you can’t mix public and internal ones with extra data. If you do, the result is exactly what you see. If the router asks 8.8.8.8 for your internal domain, the answer will be “sorry, it doesn’t exist” and the router won’t ask elsewhere.
One way is to use only internal servers, but the obvious downside is that if they go down, you’re without internet (well, not really, but you won’t enjoy it much without DNS).
A better solution is to use public servers by default and only add exceptions for internal domains to be sent to the internal server. Unfortunately, RouterOS still does not offer a proper way to do it, but you can use the old L7 hack. It has some problems too, but it’s mostly usable.
Conditional forwarding is an option on traditional DNS servers (BIND, MS DNS). It allows you to forward requests for a particular domain to a particular DNS server.
Say your domain is ds.superfunhappytime.com and the DNS servers over the VPN for that domain are at IP addresses 10.1.254.254 and 10.1.254.253. For any other query you want to use the Internet via Google DNS at 8.8.8.8.
For BIND this would look something like this:
// forward zone: queries under the AD domain go only to the VPN-side AD DNS servers
zone "ds.superfunhappytime.com" {
    type forward;
    forwarders { 10.1.254.253; 10.1.254.254; };
};

// global default: everything else is forwarded to Google DNS
options {
    forwarders { 8.8.8.8; };
};
You’d then tell the machines to use this BIND server as their resolver and disable the DNS resolver service on the MikroTik.
Additionally, you’d likely want to configure other standard BIND options to ensure you have a secure and safe BIND resolver but this would be the bare minimum number of options. This could be done on say a Raspberry Pi, an old desktop machine or one of those micro PCs (NUCs).
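To make the conditional-forwarding rule concrete, here is a small added illustration (my own code, not MikroTik's, BIND's or any poster's) of the decision a resolver like the BIND setup above makes: parse the question name out of a raw DNS query, send anything under the AD zone to the AD servers only, and send everything else to the public resolver only, so no query is ever answered NXDOMAIN by a server that does not know the zone. The zone name and forwarder addresses are the ones from the answer above; the query builder is constructed test input.

```python
import socket

# Constructed for this example: the zone and forwarders from the BIND answer above.
INTERNAL_ZONE = "ds.superfunhappytime.com"
INTERNAL_FORWARDERS = ["10.1.254.253", "10.1.254.254"]
PUBLIC_FORWARDERS = ["8.8.8.8"]

def parse_qname(packet: bytes) -> str:
    """Return the first question name from a raw DNS query (wire format)."""
    if len(packet) < 12 or int.from_bytes(packet[4:6], "big") < 1:  # QDCOUNT >= 1
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels)

def choose_forwarders(qname: str) -> list:
    """AD zone -> AD servers only; everything else -> public resolver only."""
    q = qname.lower().rstrip(".")
    if q == INTERNAL_ZONE or q.endswith("." + INTERNAL_ZONE):
        return INTERNAL_FORWARDERS
    return PUBLIC_FORWARDERS

def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Relay one query to the chosen forwarders in order; first reply wins."""
    for server in choose_forwarders(parse_qname(packet)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(packet, (server, 53))
                reply, _ = s.recvfrom(4096)
                if reply[:2] == packet[:2]:  # transaction ID must match
                    return reply
            except OSError:
                continue  # try the next forwarder for this zone
    raise RuntimeError("no forwarder answered")

def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Minimal A/IN query with RD set (constructed test input).
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00\x00\x01\x00\x01"
```

`forward()` needs network access to the addresses above; `parse_qname()` and `choose_forwarders()` can be exercised offline with `build_query()`.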
I do too, but I sincerely hope to get rid of it one day, i.e. to see a proper support for forwarders in RouterOS. It’s not like it would require major changes, all the basic framework is there already. I have big hopes for the unicorn.