DNS proxy issue

Problem with ROS 6.6 but it started in 6.5 with DNS, basically caused slow browsing and random page timeouts.

We started getting timeouts on some websites and general Internet slowdown. It seemed to get progressively worse.
We restart the main router and all is fine, sometimes for a day, sometimes for an hour.

We narrowed it down to, it seems, the Mikrotik DNS proxy, but I did not go into depth as I had a network that was slow/down, so we made some changes as a workaround. I still have a case that is not behaving as expected, unless I’m missing something.
The DNS proxy used here (10.1.1.100) was an MT but has since been changed to a Linux Named/Bind server, but the results are the same.
The domain being looked up is a split-horizon domain set up on the server.

SXT:

[admin@] /ip dns> pr
                servers: 10.1.1.100
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 266KiB

PC:

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1 <-SXT

If I do a lookup from PC directly to the Named server hosted domain, it works, but proxy via SXT does not.
However, most other domains/hosts work; for some reason some requests are ignored.

Directly from PC to server:

C:\Users\User>nslookup www.true.co.za 10.1.1.100
Server:  UnKnown
Address:  10.1.1.100

Name:    true.co.za
Address:  72.9.231.106
Aliases:  www.true.co.za

From PC via SXT pointing to server:

C:\Users\User>nslookup www.true.co.za 192.168.0.1
Server: UnKnown
Address: 192.168.0.1

*** UnKnown can’t find www.true.co.za: Non-existent domain

Also trying to ping hostname on SXT:

[admin@Ekkas] > /ping www.true.co.za
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: name does not exist

What is strange is how this seemingly started to creep in and got worse to the point where ±50% of clients experienced some browsing issues.
Anyone experienced something like this or have some pointers for me to look at?
No filter/mangle/nat on the SXT apart from masquerade. No other rules on hops between SXT and 10.1.1.100 (DNS server).

Regards

I tried to file a bug about this DNS issue but the bug tracker captcha does not work: http://s.natalian.org/2014-01-28/1390875761_1364x748.png

[admin@MikroTik] /ip dns> print
                servers: 8.8.4.4,8.8.8.8
        dynamic-servers: 165.21.83.88,165.21.100.88
  allow-remote-requests: yes
    max-udp-packet-size: 4096
   query-server-timeout: 2s
    query-total-timeout: 10s
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 187KiB

When I test any of 8.8.4.4,8.8.8.8,165.21.83.88,165.21.100.88 via dig, e.g.

dig foobar4.dabase.com @8.8.8.8

It’s good and fast.

However the MikroTik DNS proxy is buggered. http://ix.io/a9O

Wrong initial results and slow. Absolute disaster.

It seems to me that the RouterBoard is unable to reach the specified DNS server. Strange if the PC behind it can reach it.

We are experiencing this exact same issue.

Just faced the same issue, after some investigation it appears that RouterOS was working ok, but had been exposed to a DNS attack described here http://dnsamplificationattacks.blogspot.ru/2014/03/domain-ahuyehueinfo.html

The router was under a heavy DDoS - thousands of ahuyehue.info records in cache, constantly updating at data rate ~3mbps!

The problem was that after switching to PPPoE I had not configured a firewall rule to block “input” traffic from ppp… By default, mikrotik blocks only traffic from eth/sfp ISP interfaces, not ppp.

Ah… that makes sense. I need to firewall these ports ASAP.

x220:~$ sudo nmap 121.7.219.77
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-17 16:54 SGT
Nmap scan report for bb121-7-219-77.singnet.com.sg (121.7.219.77)
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
2000/tcp open  cisco-sccp
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds

Is there a guide to doing this in WebFIG, I wonder? Surprised this is not the default, to block all incoming ports.

The default firewall is dropping any new connection from WAN (default WAN is ether1).

Oh, are you saying perhaps that my connection to the fiber modem is off the wrong port maybe? Hmmm.

IIUC my internet connection goes out upon ether1-gateway which looks the same as vlan1.

If you are on a VLAN, the firewall interface should be the VLAN interface, not the physical interface. You can change this on each rule in IP>Firewall>Filter.
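The root cause in this thread (allow-remote-requests=yes with the default input drop rule bound to ether1, while the real ISP link is PPPoE or a VLAN) can be checked offline from two "print" outputs. The following Python audit is an added example, not code from the thread or from MikroTik: it parses constructed `/ip dns print` and `/ip firewall filter print` text and lists WAN-facing interfaces (the assumed names `pppoe-out1` and `vlan1`) on which the resolver is not protected by an enabled input drop. It does not model `in-interface-list` or an earlier accept rule that would bypass the drop.

```python
import re

# Constructed sample outputs shaped like RouterOS 6.x "print" output
# (not captured from the routers in the thread).
DNS_PRINT = """\
                servers: 8.8.4.4,8.8.8.8
  allow-remote-requests: yes
    max-udp-packet-size: 4096
"""
FIREWALL_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=input action=accept connection-state=established,related
 1    chain=input action=drop in-interface=ether1-gateway
 2 X  chain=input action=drop protocol=udp dst-port=53 in-interface=pppoe-out1
 3    chain=forward action=drop connection-state=invalid
"""
# Assumed: the interfaces that really carry the ISP link (PPPoE or VLAN).
WAN_INTERFACES = ["pppoe-out1", "vlan1"]

def parse_dns(text):
    """Turn '/ip dns print' key: value lines into a dict."""
    return dict(re.findall(r"^\s*([\w-]+):\s*(.*)$", text, re.M))

def parse_filter(text):
    """Parse '/ip firewall filter print' rows into dicts; flags go in '_flags'."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+([XID ]*?)\s*(chain=.*)$", line)
        if m:
            rule = dict(re.findall(r"([\w-]+)=(\S+)", m.group(2)))
            rule["_flags"] = m.group(1).replace(" ", "")
            rules.append(rule)
    return rules

def dns_drop_interfaces(rules):
    """Interfaces whose inbound DNS is dropped by an enabled input rule:
    either a blanket drop on the interface or a drop of dst-port 53."""
    covered = set()
    for r in rules:
        if "X" in r["_flags"] or r.get("chain") != "input":
            continue   # disabled rule, or not the router's own input path
        if r.get("action") not in ("drop", "reject") or "in-interface" not in r:
            continue
        ports = r.get("dst-port", "").split(",")
        if "protocol" not in r or "53" in ports:
            covered.add(r["in-interface"])
    return covered

def open_resolver_exposure(dns_cfg, rules, wan_interfaces):
    """WAN interfaces from which outsiders can still query the resolver."""
    if dns_cfg.get("allow-remote-requests") != "yes":
        return []   # resolver only answers the router itself
    covered = dns_drop_interfaces(rules)
    return [i for i in wan_interfaces if i not in covered]

if __name__ == "__main__":
    exposed = open_resolver_exposure(parse_dns(DNS_PRINT), parse_filter(FIREWALL_PRINT), WAN_INTERFACES)
    print("resolver reachable from:", exposed)   # → ['pppoe-out1', 'vlan1']
```

With the sample above, the drop on ether1-gateway does nothing for the PPPoE and VLAN uplinks, and the port-53 rule on pppoe-out1 is disabled, so both are reported.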

Exactly the same issue by me. DNS resolving is incredibly slow since last Friday (14.3.2014).
When I use Mikrotik DNS cache, it is slow, but when I change DNS on my PC to IP of my ISP, it is working ok.