DNS remote requests + firewall

Hi Guys,

I am trying to get the DNS cache with remote requests allowed working, but so far no luck.
I have the RB750 set up with PCC and some forwarding rules, but I can't seem to get it working.

These are the only relevant snippets; the rest of my mangle, firewall and NAT is standard stuff.

/ip firewall filter
add action=accept chain=input comment="Std established" connection-state=established disabled=no
add action=accept chain=input comment="Std related" connection-state=related disabled=no
add action=drop chain=input comment="Std invalid" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow DNS & NTP" disabled=no dst-port=53,123 in-interface=Local protocol=udp
add action=accept chain=input comment="Allow DNS" disabled=no dst-port=53 in-interface=Local protocol=tcp

Those are the top rules I have in the filter. I have nothing in the mangle or NAT for DNS, but loads of other mangle rules.

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=208.67.222.222

If I run nslookup and change the server to the router, all queries are returned as cannot be found.

Cheers

Do your PCC rules match the incoming DNS requests? Try to exempt them by adding rules earlier in the chain that match udp/53 traffic to the router IP, and set an action of ‘accept’ to bypass the policy routing for those packets.

Hey Fewi,

I tried that, but still can't get it to work.

Here are all my rules:

/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=drop chain=input connection-state=invalid disabled=no
add action=log chain=input disabled=yes dst-port=53,123 in-interface=Local log-prefix="" protocol=udp
add action=accept chain=input disabled=no dst-port=53,123 in-interface=Local protocol=udp
add action=log chain=input disabled=yes dst-port=53 in-interface=Local log-prefix="" protocol=tcp
add action=accept chain=input disabled=no dst-port=53 in-interface=Local protocol=tcp
add action=accept chain=input disabled=no in-interface=Local src-address-list=admin_hosts
add action=accept chain=prerouting disabled=no in-interface=Local src-address-list=internal
add action=log chain=input disabled=yes log-prefix=""
add action=drop chain=input disabled=no
add action=log chain=forward disabled=no dst-port=25 log-prefix=smtp_ out-interface=!Local protocol=tcp src-address=!10.10.0.250
add action=drop chain=forward disabled=no dst-port=25 out-interface=!Local protocol=tcp src-address=!10.10.0.250
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=drop chain=forward connection-state=invalid disabled=no
add action=accept chain=forward disabled=no in-interface=Local
add action=accept chain=forward disabled=no dst-address=10.10.0.250 dst-port=21,22,25,80,110,143,443,8080 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.10.0.232 dst-port=3389 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.10.0.245 dst-port=80 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.10.0.246 dst-port=80 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.10.0.247 dst-port=80,14534 protocol=tcp
add action=accept chain=forward disabled=no dst-address=10.10.0.247 dst-port=8767 protocol=udp
add action=drop chain=forward disabled=no

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address=10.10.0.1 dst-port=53 in-interface=Local protocol=udp
add action=accept chain=prerouting disabled=no dst-address=10.10.0.1 dst-port=53 in-interface=Local protocol=tcp
add action=accept chain=prerouting disabled=no dst-address=192.168.10.0/24 in-interface=Local src-address-list=admin_hosts
add action=accept chain=prerouting disabled=no dst-address-list=public-ips in-interface=Local src-address-list=Internal
add action=accept chain=prerouting disabled=no dst-address-list=internal in-interface=Local
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.134.46.114 dst-port=21,25,80,110,143,443,8080 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.x.x.115 dst-port=443 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.x.x.118 dst-port=80,14534 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.x.x.118 dst-port=8767 in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.0.40.2 dst-port=21,25,80,110,143,443,8080 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.0.40.3 dst-port=80,443 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.0.40.4 dst-port=80 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.x.x.5 dst-port=443 in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=196.2.16.216 dst-port=25 in-interface=Local new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-address=41.0.7.123 dst-port=25 in-interface=Local new-connection-mark=WAN2_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=443 in-interface=Local new-connection-mark=WAN1_conn passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=443 in-interface=Local new-connection-mark=WAN1_conn passthrough=yes protocol=udp
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=80 in-interface=Local new-connection-mark=WAN1_conn passthrough=yes protocol=tcp src-address=10.10.0.247
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=443 in-interface=Local new-connection-mark=WAN2_conn passthrough=yes protocol=tcp src-address=10.10.0.247
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=81 in-interface=Local new-connection-mark=WAN3_conn passthrough=yes protocol=tcp src-address=10.10.0.247
add action=mark-connection chain=prerouting connection-state=new disabled=no dst-port=3084 in-interface=Local new-connection-mark=WAN2_conn passthrough=yes protocol=udp src-address=10.10.2.10
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no in-interface=Local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=no in-interface=Local new-routing-mark=to_WAN3 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address-list=hairpin-hosts out-interface=Local src-address-list=internal
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.114 dst-port=21,25,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.115 dst-port=443 protocol=tcp to-addresses=10.10.0.232 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.118 dst-port=80,14534 protocol=tcp to-addresses=10.10.0.247
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.118 dst-port=8767 protocol=udp to-addresses=10.10.0.247
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.2 dst-port=21,25,80,110,143,443,8080 protocol=tcp to-addresses=10.10.0.250
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.3 dst-port=80 protocol=tcp to-addresses=10.10.0.246
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.3 dst-port=443 protocol=tcp to-addresses=10.10.0.250 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.4 dst-port=80 protocol=tcp to-addresses=10.10.0.245
add action=dst-nat chain=dstnat disabled=no dst-address=41.x.x.5 dst-port=443 protocol=tcp to-addresses=10.10.0.232 to-ports=3389
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2
add action=masquerade chain=srcnat disabled=no out-interface=WAN3

This is the result of the DNS query:

>nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> server 10.10.0.1
Default Server:  [10.10.0.1]
Address:  10.10.0.1

> www.google.com
Server:  [10.10.0.1]
Address:  10.10.0.1

*** [10.10.0.1] can't find www.google.com: Server failed

BUMP… Any more help please, guys? I'm stuck here.

Can the router itself successfully resolve names?
What happens when you run the below?

:put [:resolve www.google.com]

The firewall filter and mangle rules look good, I don’t see an issue there. Can you post the output of “/ip address print detail”, “/ip route print detail”, “/ip dns export”, and also “/ip dns cache print” after you’ve run the resolve command from above?

:put [:resolve www.google.com]
failure: dns server failure

/ip address print detail

 0   address=10.10.0.1/24 network=10.10.0.0 interface=Local actual-interface=Local
 1   address=41.x.x.114/29 network=41.x.x.112 interface=WAN1 actual-interface=WAN1
 2   address=41.x.x.115/29 network=41.x.x.112 interface=WAN1 actual-interface=WAN1
 3   address=41.x.x.116/29 network=41.x.x.112 interface=WAN1 actual-interface=WAN1
 4   address=41.x.x.117/29 network=41.x.x.112 interface=WAN1 actual-interface=WAN1
 5   address=41.x.x.118/29 network=41.x.x.112 interface=WAN1 actual-interface=WAN1
 6   address=41.x.x.2/29 network=41.x.x.0 interface=WAN2 actual-interface=WAN2
 7   address=41.x.x.3/29 network=41.x.x.0 interface=WAN2 actual-interface=WAN2
 8   address=41.x.x.4/29 network=41.x.x.0 interface=WAN2 actual-interface=WAN2
 9   address=41.x.x.5/29 network=41.x.x.0 interface=WAN2 actual-interface=WAN2
10   address=41.x.x.6/29 network=41.x.x.0 interface=WAN2 actual-interface=WAN2
11   address=192.168.10.2/24 network=192.168.10.0 interface=WAN3 actual-interface=WAN3

/ip route print detail (the missing routes are for the rest of our subnets, distributed via RIP)

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 0 A S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 recursive via 41.x.x.113 WAN1 distance=1 scope=30 target-scope=10 routing-mark=to_WAN1
 1   S  dst-address=0.0.0.0/0 gateway=10.2.2.2 gateway-status=10.2.2.2 recursive via 41.x.x.1 WAN2 distance=2 scope=30 target-scope=10 routing-mark=to_WAN1
 2   S  dst-address=0.0.0.0/0 gateway=10.3.3.3 gateway-status=10.3.3.3 recursive via 192.168.10.1 WAN3 distance=3 scope=30 target-scope=10 routing-mark=to_WAN1
 3 A S  dst-address=0.0.0.0/0 gateway=10.2.2.2 gateway-status=10.2.2.2 recursive via 41.x.x.1 WAN2 distance=1 scope=30 target-scope=10 routing-mark=to_WAN2
 4   S  dst-address=0.0.0.0/0 gateway=10.3.3.3 gateway-status=10.3.3.3 recursive via 192.168.10.1 WAN3 distance=2 scope=30 target-scope=10 routing-mark=to_WAN2
 5   S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 recursive via 41.x.x.113 WAN1 distance=3 scope=30 target-scope=10 routing-mark=to_WAN2
 6 A S  dst-address=0.0.0.0/0 gateway=10.3.3.3 gateway-status=10.3.3.3 recursive via 192.168.10.1 WAN3 distance=1 scope=30 target-scope=10 routing-mark=to_WAN3
 7   S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 recursive via 41.x.x.113 WAN1 distance=2 scope=30 target-scope=10 routing-mark=to_WAN3
 8   S  dst-address=0.0.0.0/0 gateway=10.2.2.2 gateway-status=10.2.2.2 recursive via 41.x.x.1 WAN2 distance=3 scope=30 target-scope=10 routing-mark=to_WAN3
 9 A S  dst-address=10.1.1.1/32 gateway=67.195.160.76 gateway-status=67.195.160.76 recursive via 41.x.x.113 WAN1 check-gateway=ping distance=1 scope=10 target-scope=10
10   S  dst-address=10.1.1.1/32 gateway=196.2.63.110 gateway-status=196.2.63.110 recursive via 41.x.x.113 WAN1 check-gateway=ping distance=1 scope=10 target-scope=10
11 A S  dst-address=10.2.2.2/32 gateway=74.125.230.146 gateway-status=74.125.230.146 recursive via 41.x.x.1 WAN2 check-gateway=ping distance=1 scope=10 target-scope=10
12   S  dst-address=10.2.2.2/32 gateway=41.1.224.101 gateway-status=41.1.224.101 recursive via 41.x.x.1 WAN2 check-gateway=ping distance=1 scope=10 target-scope=10
13 A S  dst-address=10.3.3.3/32 gateway=41.203.21.137 gateway-status=41.203.21.137 recursive via 192.168.10.1 WAN3 check-gateway=ping distance=1 scope=10 target-scope=10
14   S  dst-address=10.3.3.3/32 gateway=152.111.193.28 gateway-status=152.111.193.28 recursive via 192.168.10.1 WAN3 check-gateway=ping distance=1 scope=10 target-scope=10
15 ADC  dst-address=10.10.0.0/24 pref-src=10.10.0.1 gateway=Local gateway-status=Local reachable distance=0 scope=10
77 ADC  dst-address=41.x.x.0/29 pref-src=41.x.x.2 gateway=WAN2 gateway-status=WAN2 reachable distance=0 scope=10
78 A S  ;;; VodaCom
        dst-address=41.1.224.101/32 gateway=41.x.x.1 gateway-status=41.x.x.1 reachable WAN2 distance=1 scope=10 target-scope=10
79 ADC  dst-address=41.x.x.112/29 pref-src=41.x.x.114 gateway=WAN1 gateway-status=WAN1 reachable distance=0 scope=10
80 A S  ;;; MyADSL
        dst-address=41.203.21.137/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable WAN3 distance=1 scope=10 target-scope=10
81 A S  ;;; Yahoo
        dst-address=67.195.160.76/32 gateway=41.x.x.113 gateway-status=41.x.x.113 reachable WAN1 distance=1 scope=10 target-scope=10
82 A S  ;;; Google
        dst-address=74.125.230.146/32 gateway=41.x.x.1 gateway-status=41.x.x.1 reachable WAN2 distance=1 scope=10 target-scope=10
83 A S  ;;; News24
        dst-address=152.111.193.28/32 gateway=192.168.10.1 gateway-status=192.168.10.1 reachable WAN3 distance=1 scope=10 target-scope=10
84 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.2 gateway=WAN3 gateway-status=WAN3 reachable distance=0 scope=10
85 A S  ;;; MWeb
        dst-address=196.2.63.110/32 gateway=41.x.x.113 gateway-status=41.x.x.113 reachable WAN1 distance=1 scope=10 target-scope=10

/ip dns export

set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=8.8.8.8,208.67.220.200

/ip dns cache print

Flags: S - static
 #   NAME                                                                          ADDRESS                                                                                                         TTL

The problem isn’t with the router as a DNS server, it’s with the router as a DNS client. The router can’t resolve any DNS names itself when acting as a client, so it can’t resolve them for clients when acting as a server.

I don’t see why it can’t resolve names, though. Can you ping 8.8.8.8 from the router? Do you have general connectivity to networks not directly connected to the router for traffic sourced from the router itself?

Why do you have all these recursive routes?

The recursive routes are for failover. The router is configured with PCC; we have 3 WAN (ISP) connections and then the LAN.

All clients on the LAN side can resolve DNS using external DNS servers, just not when using the router as a DNS server.
All other aspects of the network and connectivity are fine; it's just the DNS server part that is not. Fortunately, for now we
have another upstream router between the LAN interface and the clients, and there I have configured dst-nat, forwarding all
DNS traffic destined to the ROUTER to the external DNS.

OK, I think I have found something: the router itself has no default route, so if I add a route of
0.0.0.0/0 to WAN1

it all works. But how do I add it so that it will fail over with a failed route?
Mangle rules only seem to apply to traffic not originating from the router itself, like our DNS traffic.

[admin@MikroTik] > ping 8.8.8.8
HOST                                    SIZE  TTL TIME  STATUS
                                                        no route to host
                                                        no route to host
                                                        no route to host
                                                        no route to host
                                                        no route to host

OK Fewi,

Thanks for putting me on the right track. I have now fixed the issue. Basically, I was marking all traffic in the mangle table with a routing mark,
and the only routes I had were routes with routing marks. It now looks like the router itself doesn't go through the mangle table and is thus
not marking the traffic with a routing mark. After adding the following, it all seems to be 100%, and failover will work too.

Thanks for your time.

 9 A S  dst-address=0.0.0.0/0 gateway=10.1.1.1 gateway-status=10.1.1.1 recursive via 41.x.x.113 WAN1 distance=1 scope=30 target-scope=10
10   S  dst-address=0.0.0.0/0 gateway=10.2.2.2 gateway-status=10.2.2.2 recursive via 41.x.x.1 WAN2 distance=2 scope=30 target-scope=10
11   S  dst-address=0.0.0.0/0 gateway=10.3.3.3 gateway-status=10.3.3.3 recursive via 192.168.10.1 WAN3 distance=3 scope=30 target-scope=10

Add two (or more) routes with increasing distances. If the lowest-distance route fails due to the interface going down, the next one will be picked up. Edit: I see you already did that! Glad it's working now.

Your mangling is in prerouting - so yes, it doesn’t apply to router generated traffic, which is in the output chain and will never be seen in the prerouting chain.
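To pull the thread's conclusion together, here is an added example in RouterOS CLI form (not posted by anyone in the thread). It assumes the interface names, probe gateways (10.1.1.1, 10.2.2.2, 10.3.3.3), recursive host routes with check-gateway=ping, and the to_WAN1 routing table exactly as shown in the posted config. Section 1 is the fix the original poster arrived at; section 2 is the alternative implied by the last reply (mark the router's own traffic in the output chain, the only mangle chain router-generated packets traverse); section 3 is a practitioner's caveat about allow-remote-requests=yes; section 4 is the verification the thread itself used.

```routeros
# Added example, not from the thread. Values below are taken from the posted config;
# the rule index in place-before is the position in the posted filter list and is an assumption.

# 1. Unmarked default routes. The DNS forwarder's own queries originate on the router,
#    never pass prerouting, so they carry no routing-mark and are looked up in the main
#    table only. Without an unmarked 0.0.0.0/0 the router reports "no route to host".
#    Each gateway is a /32 probe address that already has check-gateway=ping host routes,
#    so when the probe dies the route goes inactive and the next distance takes over.
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 comment="default via WAN1, unmarked (router-originated traffic)"
add dst-address=0.0.0.0/0 gateway=10.2.2.2 distance=2 comment="default via WAN2, unmarked, failover"
add dst-address=0.0.0.0/0 gateway=10.3.3.3 distance=3 comment="default via WAN3, unmarked, failover"

# 2. Alternative: mark the router's own DNS queries in the output chain so they use the
#    to_WAN1 table. That table already holds all three gateways at distances 1-3, so it
#    fails over as well. Either section 1 or section 2 is sufficient on its own.
/ip firewall mangle
add chain=output protocol=udp dst-port=53 action=mark-routing new-routing-mark=to_WAN1 passthrough=no comment="router's own DNS queries (UDP) -> to_WAN1"
add chain=output protocol=tcp dst-port=53 action=mark-routing new-routing-mark=to_WAN1 passthrough=no comment="router's own DNS queries (TCP) -> to_WAN1"

# 3. Caveat: allow-remote-requests=yes answers on every interface. The posted filter relies
#    on the final "drop chain=input" to keep the WAN side from seeing an open resolver;
#    an explicit drop placed above the Local-only accepts makes that intent visible and
#    survives later edits to the bottom of the chain. place-before=3 assumes the posted order.
/ip firewall filter
add chain=input protocol=udp dst-port=53 in-interface=!Local action=drop place-before=3 comment="no open resolver on WAN (UDP)"
add chain=input protocol=tcp dst-port=53 in-interface=!Local action=drop place-before=3 comment="no open resolver on WAN (TCP)"

# 4. Verify: the active default, connectivity from the router itself, the forwarder,
#    and that the cache is now being populated.
/ip route print detail where dst-address=0.0.0.0/0
/ping 8.8.8.8 count=3
:put [:resolve www.google.com]
/ip dns cache print
```

Only after step 4 succeeds from the router is it worth testing from a LAN client with nslookup against 10.10.0.1; until the router can resolve as a client, every client query will keep coming back as "Server failed" regardless of the filter rules.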