DNS Remote requests on VLAN interfaces

Hello,
I would like to ask why a DHCP server configured on a VLAN interface does not work when the DNS server is configured as this VLAN interface's gateway.
e.g. I have VLAN subnet 172.16.10.0/24 with dns-server configured as 172.16.10.1 (VLAN gateway), I have in IP -> DNS an entry with Google DNS 8.8.8.8, 8.8.4.4 and allowed DNS remote requests - now all my clients get correct IP addresses from the VLAN subnet, but they do not have internet access.
When I change the dns-server to the LAN gateway (physical interface ether1), then internet works OK.

Is there any problem with DNS remote requests for VLAN interfaces?

My ROS: 6.32.3

Make sure no firewall filter rule is preventing connections to DNS server.

If that's not the case, please post a configuration export; that will make it possible to spot any issues with your setup.

I have a dual WAN setup (WAN7 & WAN8) with a firewall rule at the end:

chain=input action=drop log=no log-prefix=""

so I could not use something like that:

chain=input action=accept protocol=udp in-interface=!ether8 dst-port=53 log=no log-prefix=""
chain=input action=accept protocol=udp in-interface=!ether7 dst-port=53 log=no log-prefix=""

because then DNS requests from the public side are still open to the Mikrotik (the first rule opens ether7, and the second opens ether8).

So I have configured an address list with my VLAN subnets:

list=Unifi address=172.16.10.0/24 dynamic=no

and then a firewall entry to allow DNS requests from these VLAN subnets:

chain=input action=accept protocol=udp src-address-list=Unifi dst-port=53 log=no log-prefix=""

but after that the VLAN users don't have internet access; when I change the DNS servers in the DHCP pool from 172.16.10.1 to Google 8.8.8.8, internet access works.

Please help with that.

Your input chain might be easier like this:

  1. action=accept connection-state=established,related
  2. action=drop in-interface=wan1
  3. action=drop in-interface=wan2
  4. action=accept

This would block DNS remote-requests from the wan interfaces.

Obviously this is a bit of an over-simplified chain - in reality, you’d probably want to expand rule 4 into a list of specific services allowed from the LAN (e.g. dns, dhcp, ping, winbox from admin network, etc) and then make the last rule be drop…

If you wanted your router to be pingable / trace-route-able from the Internet, then you'd want to allow ICMP before the drop rules for wan1, wan2…
(blocking pings doesn't really enhance security anymore)

Yes, I already have many firewall input access rules configured, like icmp, ipsec, gre, nat-t, remote winbox access,
so I think it is better for me to allow what I need, and at the end block everything else.

I discovered on another Mikrotik that when the configuration is the same but with only one WAN, then with this config:

chain=input action=accept protocol=udp in-interface=!ether8 dst-port=53 log=no log-prefix=""

the DNS address as VLAN gateway works without problem.

But with my setup with the source address list this does not work, weird…

Yes, exactly: without the rule accepting traffic of established connections, the replies from 8.8.8.8 to the DNS requests your clients make are dropped.

beware of allow forward and input established and related connections traffic

But I have at the top of my firewall:

chain=input action=accept connection-state=established,related log=no log-prefix=""

To get DNS requests working where DNS address is address of the VLAN interface, I had to add the VLAN interfaces to the LAN address list. Otherwise the default firewall rule for LAN requests blocks forwarding of the DNS request to the local DNS server.

Alternatively, add firewall rule:

add action=accept chain=input comment="Accept all input from vlans" in-interface=all-vlan

in front of the default rule:

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
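Putting the pieces of this thread together, here is an added example (written for this edit, not posted by anyone above) of a complete RouterOS configuration that lets a VLAN use its own gateway address as DNS server while keeping remote DNS requests closed towards the WAN side. It follows the simplified input chain suggested earlier (established/related first, drop from WAN, then explicit LAN services, drop the rest) and the last post's fix of making the VLAN a member of the LAN interface list. Assumed names: the VLAN is tagged on ether2 as vlan-id 10, the two uplinks are ether7 and ether8 as in the thread, and the interface lists are called LAN and WAN; interface lists need a RouterOS release newer than the 6.32.3 mentioned above.

```routeros
# Added example, not from any post in this thread.
# Assumptions: VLAN 10 tagged on ether2, uplinks ether7/ether8, lists named LAN/WAN.

# VLAN interface that is both the VLAN gateway and its DNS server
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
/ip address
add address=172.16.10.1/24 interface=vlan10

# DHCP hands out the VLAN gateway as the DNS server
/ip pool
add name=pool-vlan10 ranges=172.16.10.10-172.16.10.200
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1

# The router answers queries itself and forwards them upstream
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

# Interface lists: vlan10 must be a LAN member, otherwise the
# "drop all not coming from LAN" rule discards its DNS queries
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether7
add list=WAN interface=ether8
add list=LAN interface=ether1
add list=LAN interface=vlan10

# Input chain, in this order:
#  1. replies to the router's own upstream queries (8.8.8.8 -> router) match
#     established/related, so no separate rule for them is needed
#  2. anything arriving on a WAN interface is dropped, which closes remote
#     DNS requests from the Internet regardless of how many uplinks exist
#  3. DNS (UDP and TCP) is accepted only from LAN-list interfaces
#  4. everything else that is not from LAN is dropped
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=drop in-interface-list=WAN comment="drop all input from WAN (incl. remote DNS)"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS from LAN/VLAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS over TCP from LAN/VLAN"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
```

To check which rule a failing query hits, temporarily set `log=yes` on the final drop rule, run a lookup from a VLAN client against 172.16.10.1, and watch `/log print` together with the counters from `/ip firewall filter print stats`; a hit on the last rule from a 172.16.10.x source means the VLAN interface is missing from the LAN list or the accept rule sits below the drop.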