Okay, so it’s clear that DNS in RouterOS is something I need to read-up more about. In another post, I was asking about NextDNS DoH which I’ve got working fine on the private network in the lab on the 192.168.88.0/24 network. DHCP is configured to supply 192.168.88.1 as the DNS server address which is the IP of the bridge. Works a treat.
So I then looked at the public network on VLAN 1 with the 10.0.0.0/24 network. I normally configure this network's DNS servers to 1.1.1.1 & 8.8.8.8. But that won't be using NextDNS, so I first changed it to 10.0.0.1 and DNS stopped working. My reports no internet. I tried changing it to 192.168.88.1 on the public DHCP server but that didn't work either. I'm guessing this is a firewall issue between the VLAN and the LAN which I could resolve.
But… I wondered where in RouterOS is it defined that the DNS server is on 192.168.88.1 on the main LAN? I assume the DNS server is listening on port 53 on that IP address. I can’t find anywhere that defines this. I know I could reprogram to put the bridge/gateway on 192.168.88.254 if I so wanted and DNS will then switch to that IP.
I think I’m missing something!
PS. Title of this post is probably wrong as I don't know the right terms.
On an allied question, can you not configure multiple DNS servers? I’m thinking one for the private LAN and the other for the public VLAN. Each would have different DoH NextDNS configurations and therefore different default blocking.
Appreciate that and until I started looking at DNS sink holing and DNS over HTTPS, that’s what I did. The main LAN used the DNS server on the MT router and the public network went straight to Cloud Flare’s 1.1.1.1.
I think that NextDNS gives you two unique DNS server IPs per account/configuration, but I can't quite believe that as it's a very expensive use of static IP addresses. It looks like they have a class B subnet, 45.90.0.0/16, but 32,766 customers just using one configuration would fill that up.
DNS over HTTPS uses a URL to define the upstream DNS server so is effectively unlimited, e.g. https://dns.nextdns.io/uniqueidentifier. But at the moment, DoH has to be configured either on the local DNS server (where the DoH URL can be defined) or manually on each client - either by hand or using a utility like the NextDNS client.
A useful addition to RouterOS DNS server would be to enhance the functionality behind this dialog to allow you to specify different DoH servers to different subnets, e.g.
BTW - any changes in this area in OS v7? I'm still with v6 as my space is small businesses and we're typically on the lower-end kit-wise, so I haven't rushed to v7.
In ROS v7 the DNS server has a few nasty bugs. But no, you still can't run multiple DNS servers. And I wouldn't hold my breath waiting for this to happen.
Your use case is not exactly mainstream … so I guess not many routers can do what you want. I'd go with two external DNS servers and then use some mechanism to direct select clients to either of them (either DHCP server setup or DST-NAT or both). I'd skip using the ROS DNS server due to bugs and missing functionality. So either run two small computers (a Raspberry Pi would do) or two containers (quite probably that's possible on some of the better RouterBoards).
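As an added illustration of the two points raised above (where the router's resolver is "defined", and steering clients with DHCP plus DST-NAT), here is a RouterOS v6 CLI fragment. It is an example written for this thread, not either poster's configuration. It assumes the bridge is `bridge` at 192.168.88.1/24, the guest VLAN interface is `vlan1-public` at 10.0.0.1/24, the WAN port is `ether1`, and `<your-nextdns-id>` is a placeholder for the NextDNS configuration ID; the interface names are assumptions you would replace with your own.

```routeros
# Added example (not the poster's config). Assumed interface names:
#   bridge       = 192.168.88.1/24  (private LAN)
#   vlan1-public = 10.0.0.1/24      (guest VLAN)
#   ether1       = WAN
#
# 1. The resolver itself. There is no "listen on 192.168.88.1" setting:
#    once allow-remote-requests=yes, the DNS cache answers on UDP/TCP 53
#    on EVERY address the router holds, so 10.0.0.1 works as a DNS
#    address too. Who may actually reach it is decided by the firewall.
/ip dns set allow-remote-requests=yes \
    use-doh-server="https://dns.nextdns.io/<your-nextdns-id>" \
    verify-doh-cert=yes
# (verify-doh-cert=yes needs the upstream's CA certificate imported
#  under /certificate; otherwise DoH queries fail and clients see no internet.)

# 2. Hand each network its own gateway address as the resolver.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1
/ip dhcp-server network set [find address=10.0.0.0/24]     dns-server=10.0.0.1

# 3. Input chain: permit DNS from the two internal interfaces, drop it on WAN
#    so the router never becomes an open resolver. These rules must sit ABOVE
#    any final "drop everything else" rule in the input chain.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge       comment="DNS from LAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=bridge       comment="DNS from LAN (TCP)"
add chain=input action=accept protocol=udp dst-port=53 in-interface=vlan1-public comment="DNS from guest VLAN"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=vlan1-public comment="DNS from guest VLAN (TCP)"
add chain=input action=drop   protocol=udp dst-port=53 in-interface=ether1       comment="no open resolver on WAN"
add chain=input action=drop   protocol=tcp dst-port=53 in-interface=ether1       comment="no open resolver on WAN (TCP)"

# 4. DST-NAT steering: guest clients that hard-code 1.1.1.1 or 8.8.8.8 are
#    redirected to the router's own address on that VLAN (10.0.0.1), so the
#    block list applied there cannot be bypassed by plain-DNS clients.
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 in-interface=vlan1-public comment="guest DNS -> router"
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 in-interface=vlan1-public comment="guest DNS -> router (TCP)"
```

To check the result, `/ip firewall filter print stats chain=input` shows the per-rule hit counters climbing as guest clients query, and a client on the VLAN should resolve names via 10.0.0.1 without any reference to 192.168.88.1. The redirect rule only catches clients still using plain DNS on port 53; a client configured for its own DoH upstream is not affected by it, which is the point the later replies make about the problem moving to the client.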
DNS sink holing (and DoH) is becoming increasingly common - it was recently included in two security audits for my larger clients. So being able to have different block lists for internal and guest networks will become more common.
However, with the move to WFH, the scope of this requirement is now wider and becomes more of a client issue than an office router one. In terms of security, the office is often the edge case and the focus is much more on client security for wherever one may be working.
With NextDNS, it can be solved with the dedicated DNS IP addresses per configuration. So yes, maybe an edge case but RouterOS is packed full of edge cases so why not this one as well?
No, it’s not. ROS provides a very versatile UI to linux kernel functions. That versatility allows admins to cover many edge cases.
However, when it comes to services (such as the DNS server or DHCP server or hotspot server), ROS is pretty poorly equipped to cover even most mainstream cases, let alone edge cases. And judging by the development pace we've seen in the last few years, this isn't gonna improve soon.
I can understand that the average home owner doesn't want to have a number of specialized boxes, and having one box doing it all is clearly a benefit. But MT is not the right choice for most of those "average home owners" anyway (explicitly due to the versatility, which means a steep learning curve and often frustration for inexperienced admins). For those home owners who want "to live on the edge" and understand the associated complexity, it should not be a problem to add some 3rd party service to the core of the LAN (either dedicated servers or containers). And ditto for small businesses or similar installations.