Is it viable to use Layer7 filtering to selectively route DNS requests to different servers?
I want to use a MikroTik router in an organization as the DNS server. This organization runs Active Directory with only a single Domain/DNS server and relies on it for certain internal resources
However if the server has a hiccup, PCs all lose internet access as DNS is not available
I can’t make the MikroTik the DNS server because it isn’t part of the Active Directory domain, so certain internal resources won’t work
However maybe I can use the MikroTik as a DNS relay, since DNS requests are not encrypted. So could Layer7 inspect the DNS requests, if there’s any request for an internal resource (containing their domain name) then send it to the AD Server internally (and masquerade so the reply comes back correctly). Anything else just do a normal forward lookup to Google/Cloudflare
Windows clients are sticky with their DNS selection
If I put e.g. the AD server as the first DNS server, and google/cloudflare as an alternative server, then if the AD server is unreachable yes it will fail over to google/cloudflare, but it will not fail back. The client PC will stick to that alternate server until it becomes unreachable and then it will retry. So this doesn’t solve the problem it just makes it worse because PCs will periodically not have access to internal resources even if the server is up
What I’m not sure of is if I need to adjust the regex syntax to be broader or more specific. So far it works fine
I’ve tested pinging various domain devices and I can see packets matching and responses work
Also tried leaving and rejoining the domain, signing in with new user accounts etc, all working
Your regexp can have tons of false positives, it will basically match any packet containing “testdomain” anywhere. For a start, when you have dots in name, they are not dots in packets, but it’s a number containing length of following part, e.g. <10>testdomain<5>local<0>, and last one is null byte, but L7 in RouterOS can’t match null bytes. And the whole thing can be somewhere in the middle of packet.
Regexp for static DNS records is easier, because there you have real dots and it works only with the name, so you can also match beginning (^) and end ($) of it.
You should put at least two DNS servers on your AD. No one should run one with a single DNS. Doesn’t have to be a big machine. Just use something small, promote it to secondary AD and off you go.
This isn’t even best practice: it is almost mandatory, by Microsoft directives. No one should run an AD domain with a single domain controller.
I hear you, and we’re trying to get that to happen. For now the Mikrotik will suffice
At the same time however, the reality is the vast majority of smaller businesses do only run a single AD and DNS server without issue. And the reality is with virtualisation and image backups it’s not the end of the world, it’s relatively easy to spin up compared to bare metal. I know what you are saying and in an ideal world with unlimited budgets multiple servers is the way to go. I even agree that it can run on low spec hardware but many of these businesses just don’t see it that way
At the same time it’s not the only single point of failure. Most businesses only have 1 internet connection, 1 router, the minimum number of switches at each location etc. Plenty of other things that ‘could’ go wrong