DNS server fails to fetch addresses for every website after changing to a Mikrotik Router

Honestly I’m just a beginner working alongside my uncle. We updated our router to a CCR2116-12G-4S+ with the 7.19.4 software version; our DHCP and firewall are managed by our Linux server, which is a Debian 2.6.32-openvz-042stab145.3-amd64 x86_x64. I have no clue how to fix that problem. Setting the DNS server on work PCs to 8.8.8.8 and the alternate to 8.8.4.4 solves the problem on the client end, but without it the traffic tries to go to 127.0.0.1:53 and fails.

Could you share the output of:

/ip export

together with ipconfig /all or ifconfig from a client?

# 2025-11-17 09:53:58 by RouterOS 7.19.4
# model = CCR2116-12G-4S+

/ip pool
add name=pool51 ranges=192.168.51.101-192.168.51.200
add name=pool99 ranges=192.168.99.101-192.168.99.200
/ip dhcp-server
add address-pool=pool51 interface=vlan51 name=server51
add address-pool=pool99 interface=vlan99 name=server99
/ip address
add address=192.168.22.191/24 comment=LAN interface=vlan22 network=192.168.22.0
add address=192.168.51.1/24 comment= Cameras interface=vlan51 network=192.168.51.0
add address= [REDACTED] comment= [ISP] interface=ether12 network= [ISP's IP]
add address=192.168.99.1/24 comment=Admin interface=vlan99 network=192.168.99.0
add address=192.168.88.2/24 interface=sfp-sfpplus3 network=192.168.88.0
/ip dhcp-server network
add address=192.168.51.0/24 dns-server=8.8.8.8 gateway=192.168.51.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8888 protocol=tcp to-addresses=192.168.51.2 to-ports=80
add action=masquerade chain=srcnat src-address=192.168.99.0/24
add action=masquerade chain=srcnat src-address=192.168.51.2
add action=dst-nat chain=dstnat dst-port=8292 protocol=tcp to-addresses=192.168.88.3 to-ports=8291
add action=dst-nat chain=dstnat comment="Another switch" dst-port=8297 protocol=tcp to-addresses=192.168.88.7 to-ports=8291
add action=dst-nat chain=dstnat comment="Other switch" dst-port=8391 protocol=tcp to-addresses=192.168.88.1 to-ports=8291
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway= [ISP's IP] routing-table=main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

If that's the case, then the DHCP server settings on the MikroTik CCR2116-12G-4S+ have nothing to do with the problem. Verify what your Linux machine's DHCP server is putting out as DNS server and correct the issue on that Debian server.

Well, the issues started after replacing the old router with the MikroTik; I thought that it might be the problem.

AFAIK your router is missing its DNS config: there is no /ip dns, and your WAN interface doesn't have this information either.

Please remove serial number.

Thanks, I’ll see what I can do about this.

Your problem seems to be that you have two dhcp servers. That’s incorrect.

You can have your existing Debian openvz be the dhcp, assuming you are otherwise satisfied with it. (A proper Debian offers way more administrative choices, so if you’re comfortable relying on it for dhcp/dns, I would suggest you keep doing so.) In this case however, remove or disable the dhcp server(s) on the Mikrotik. (As you have vlans, it’s fine to have the Debian serve as the dhcp on some of them and have the MT handle the others.)

If you want to use your new MT as the dhcp server, you’re free to do so. You will of course have to shut down the dhcp server on your Debian. In this case you can still advertise your Debian as the DNS server. Or you can advertise 8.8.8.8, etc. Or you can advertise the Mikrotik itself, in which case you’ll have to enable /ip dns allow-remote-requests.

In any case, configure proper dns servers on your Mikrotik in /ip dns servers. This is nice for it to be able to upgrade its software and other things, even if it’s not the dns server for your network.

Not a good idea to suggest that to beginners who do not understand configuration yet, and are operating the router without firewall! They would likely tick the “allow remote requests” feature and cause trouble for themselves.

Fair enough. Running without at least the default firewall exposes you to many nasty things. I didn't really pay attention to the export and, yep, OP doesn't seem to have any firewall configured.

Though configuring proper DNS resolution doesn't specifically hurt. Exposing the DNS server obviously does...

As an aside: I get MT's stance about the ccrs being higher powered and that they're not intended for hobby use, but maybe they should rethink not shipping a default fw. If enough people get hurt (no doubt through their own foolishness) I anticipate some loud backlash eventually, just like around the botnet stuff... And in these cases being right doesn't really seem to matter.

At first sight the posted configuration is very unlike the default one that is shipped with SOHO devices; the CCR series are intended for installers/network professionals and do not have a (complete) default configuration.

On the other hand, the posted configuration looks like it is (or is intended to be) integrated into a not-so-simple network.

These entries:

/ip address
...
add address= [REDACTED] comment= [ISP] interface=ether12 network= [ISP's IP]

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway= [ISP's IP] routing-table=main suppress-hw-offload=no

make me believe that for some reason the CCR has direct internet access, and if this is true, running it without a firewall is not safe.

The usual recommendation (for non Mikrotik experts having to deal with Mikrotik devices) is to start from a default configuration of the firewall, see Rule #8 of the Mikrotik Club:

We do have a firewall operating on the Debian Linux server, and it worked well with the previous router. Sadly I need 2 DHCP servers, and I don’t know how to overcome this issue; the Linux server has all the legacy stuff on it while we add new stuff onto the MikroTiks that we have.

But if you don't go through the firewall on the server to connect to the internet, the Mikrotik and all devices connected to it are exposed.

Unless you aliased as "[ISP's IP]" the Linux server with the firewall, that is.

But of course 🙂, your network, your rules.

In a DHCP server you can set a delay before it replies. In MikroTik that is the “delay-threshold” setting.

By setting a delay like 2 seconds in one of the servers and not in the other, you can determine which server will have priority; the other one will only come into play when the first one is down.

When the clients already have leases, you will have to release those manually or else they will usually come back to their original DHCP server (e.g. in Windows use “ipconfig /release”).
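
The gaps the replies in this thread spotted by eye in the posted export (no /ip dns section, no firewall filter rules behind a default route, DHCP servers running on the router), as an added example that is not part of the original thread: a Python script that parses an `/ip export` and reports the same conditions. The sample export is constructed, its WAN addresses are documentation-range placeholders rather than the OP's, and the finding codes are names chosen for this example.

```python
import re

# Constructed sample in the shape of the export posted in this thread;
# the WAN addresses are documentation-range placeholders, not the OP's.
SAMPLE_EXPORT = """\
/ip dhcp-server
add address-pool=pool51 interface=vlan51 name=server51
/ip address
add address=192.168.51.1/24 interface=vlan51 network=192.168.51.0
add address=203.0.113.10/30 interface=ether12 network=203.0.113.8
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8888 protocol=tcp to-addresses=\\
    192.168.51.2 to-ports=80
add action=masquerade chain=srcnat
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.9
"""

def parse_export(text):
    """Return {menu path: [command lines]} for a RouterOS /ip export."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # undo backslash line wrapping
    sections, menu = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            sections.setdefault(menu, [])
        elif menu:
            sections[menu].append(line)
    return sections

def audit(text):
    """Flag the gaps the replies above spotted by eye; returns finding codes."""
    s = parse_export(text)
    dns = " ".join(s.get("/ip dns", []))
    servers = re.search(r'\bservers=([^\s"]+)', dns)
    input_rules = [l for l in s.get("/ip firewall filter", []) if "chain=input" in l]
    routed = any("dst-address=0.0.0.0/0" in l for l in s.get("/ip route", []))
    findings = []
    if not servers:
        findings.append("dns-unset")            # router itself cannot resolve
    if routed and not input_rules:
        findings.append("no-input-filter")      # default route, nothing guarding input
    if "allow-remote-requests=yes" in dns and not input_rules:
        findings.append("open-resolver")        # DNS answered on every interface
    for l in s.get("/ip dhcp-server", []):
        m = re.search(r"\binterface=(\S+)", l)
        if m and "disabled=yes" not in l:
            findings.append("dhcp-on:" + m.group(1))  # compare with the Debian scopes
    return findings
```

The `no-input-filter` check only looks for the presence of a `chain=input` rule; it does not show that the rule set is adequate.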