DNS Server

Hi,
I have a Mikrotik 951G-2HnD and I tried to configure a DNS server without any success. I configured the router this way:

/ip dns export 
# apr/26/2016 12:08:08 by RouterOS 6.35
# software id = AZRA-8PYU
#
/ip dns
set allow-remote-requests=yes servers=192.168.88.1
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.88.10 name=zabbix.mydomain.net

When I try to access “zabbix.mydomain.net” from the LAN it works very well. When I try to access it from outside nothing happens.
Can somebody help me with the DNS config?
Thank you

Hi,

Try to add remote DNS servers in
/ip dns
set allow-remote-requests=yes servers=8.8.8.8

@blajah: Maybe he’s using PPPoE or DHCP with Use Peer DNS ticked and that’s why its DNS cache works, as those DNS servers are added to the DNS cache server parameters dynamically. Though I’d swear I have seen routers working with their own IP as the DNS server for the cache, as if it were capable of directly querying root name servers… I couldn’t research anything at that time.

@mangusta86: Do what blajah said; the server= setting is for the DNS server your router will be sending queries to. You can set any static DNS entries; the cache will always use them instead of querying the nameservers for those domains, even though your DNS cache server is not potestative for those domains.

What do you mean with “from outside”? Are you connecting via VPN to the router?

Or do you want the 951 to be the DNS server for mydomain.net for everyone on Internet?

@ blajah
I set the server to 8.8.8.8. Same issue.

In my home I have 2 internet connections.
ISP1: DHCP with a unique public IP (Mikrotik router). This router makes a LAN with a physical machine that runs XenServer with 4 VPS. Each VPS hosts an Ubuntu Linux. On one VPS I run a website.

ISP2: DHCP with a unique public IP (Huawei router).

I want to access from outside the Mikrotik router the VPS that hosts the site. I use Cloudflare for DNS; now a subdomain points to my IP, which is public and static (it always has the same IP). When I run nslookup on subdomain.mydomain.net I see my unique IP. The VPS doesn’t respond to any request that was made from the “Internet” (not from the Mikrotik LAN).

Sounds like you need to forward some ports to VPS.

@Sob
I think I have to forward port 80 to my VPS.
I have another question. Will the DNS know what IP my VPS has, or do I have to put in firewall rules for the DNS? I read on the internet that DNS uses port 53.
I will try to forward the port shortly.

It works like this:

You go to wherever you manage DNS for your domain (and that’s not your router) and set some hostname/subdomain to point to your router’s public IP address. Clients will get this address from public DNS and connect to it. When the request comes to your router, it will forward it according to your newly added rule to proper internal address. Nobody else will ever know about this internal address.

Also what you already did with DNS on your router is only for your own use. Only machines from your internal network might ask your router to resolve hostnames for them. And even they will do it only if you tell them to use your router as resolver. And for that to work, you have to set some real resolver in servers=, like suggested 8.8.8.8, because all other queries will be forwarded there. Nobody else will ever ask your router to resolve this hostname for them.

@Sob
Thank you for your answer but I have the same issue.
I made sure my subdomain points to the Mikrotik IP. (I checked with nslookup from Windows and compared both IPs.)

I have a few questions:

  • Do I have to set a firewall rule allowing DNS requests from outside the network, or is ticking “allow remote requests” enough?
  • Do I have to restart the router for the changes to take effect?

My current configuration is:

DNS server:

/ip dns static
add address=192.168.88.1 name=router
add address=192.168.88.10 name=zabbix.mydomain.net

Firewall NAT:

add action=dst-nat chain=dstnat dst-address=0.0.0.0 dst-port=80 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.88.10 to-ports=80

Hi,
Have you masked your public IP with 0.0.0.0 (in the example above) or is this address really in the dst-nat rule?

Try without the IP:
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 log=yes protocol=tcp to-addresses=192.168.88.10 to-ports=80

Also, consider changing the webfig port to some other port (if you haven’t already done that).

It depends on your current firewall rules. If you have some that block all not specifically allowed stuff, then you have to add a new one and allow it. If not, then just tick the checkbox and… I’m not sure what you think will happen.

No.

Seriously, what exactly are you trying to do? If your desired hostname points to your public address, you’re done (except if you really have dst-address=0.0.0.0 in your port forward rule, see blajah’s post). Opening your router’s DNS cache to whole world won’t accomplish anything (anything good I mean).

I removed the 0.0.0.0 IP and nothing changed. :confused:

Can you guys take a look at the thread I just posted? Maybe you can help. Thanks.

I’m asking the same :smiley:

Have you changed the webfig port?

It sounds like you’re trying to use your Mikrotik as a public DNS server for your home network’s hostnames. This is a very very very very very (repeat for at least 48 hours of saying very very) - and then repeat again for another two weeks or so - … very very .. VERY bad idea.

Mikrotik is NOT a DNS server, and it WILL get hijacked as a DDoS point in future DNS amplification attacks. There are threads on these forums almost every day where people post “why is DNS making all of my bandwidth get used and CPU = 100%?” - because they allow requests from the outside world.

If you want to host a subdomain for your home network, then do it with a real DNS server - either hosted somewhere on the Internet, or on a local DNS server, and forward port 53 to that server, and for God’s sake make sure that server refuses requests for any hostname that is not your home network’s subdomain. Otherwise, expect to be back here in a few weeks asking why DNS traffic is clogging up all of your bandwidth.

Just to be sure, you do have your own properly registered domain (so nothing you just made up) and there is some real external DNS server configured to have an A record pointing to your router’s public address, right? And that address is really a public one. It would be easiest if you told us the hostname, but if you don’t want to do that for some privacy reasons, tell us at least first two digits of your public address to verify.

Thank you for your answers guys.
@ZeroByte
Yes. I wanted to make my Mikrotik router a DNS server, but you convinced me it is a very very bad idea. I will make a DNS server on Linux. I thought I could make a proper DNS server with Mikrotik and have good firewall rules.

@Sob

Just to be sure, you do have your own properly registered domain (so nothing you just made up) and there is some real external DNS server configured to have an A record pointing to your router’s public address, right?

Right! My own domain points to Cloudflare. Cloudflare points to my Mikrotik router. My Mikrotik IP is 89.39.X.X. I am sure it is a public domain because I have a VPN tunnel that works and I can connect remotely to the Mikrotik router.
I am new to Mikrotik routers and I only have basic skills in networking.
In the near future I will buy another Mikrotik router (http://routerboard.com/RB3011UiAS-RM) and take the MTCNA course.

This NAT rule should work:

/ip firewall nat
add chain=dstnat dst-address=89.39.X.X protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10

Even if you won’t be able to connect to your server, you should see an increasing packet counter for this rule. Then you might also need this rule to allow forwarded packets to actually pass through the router:

/ip firewall filter
add chain=forward connection-nat-state=dstnat

Regarding DNS server, RouterOS only works as resolver/cache. It can’t be used as authoritative DNS server (the kind that’s used to publish DNS records of your domain for whole world).
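Putting the pieces from this thread together (Sob’s explanation of port forwarding vs. the router’s resolver, the dst-nat and forward rules above, and ZeroByte’s warning about open resolvers), here is an added example configuration that is not from any post in the thread. It assumes the WAN interface is ether1 (as in the original dst-nat rule), uses the 89.39.X.X placeholder from the thread for the public address, and keeps 192.168.88.10 as the web server.

```routeros
# Added example, not from the thread. Assumptions: WAN = ether1,
# public address 89.39.X.X (placeholder), web server 192.168.88.10.

# 1. Resolver/cache for LAN clients only; queries the router cannot
#    answer from static entries are forwarded to a real upstream.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.10 name=zabbix.mydomain.net

# 2. Port forward for the website. The packet counter on this rule
#    shows whether Internet traffic reaches the router at all.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=89.39.X.X protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.88.10 comment="web -> VPS"

# 3. Input chain: the DNS cache stays closed to the Internet, so the
#    router cannot be turned into an open resolver, while LAN hosts may
#    still use it. Rules are evaluated top to bottom.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from WAN"
add chain=input in-interface=!ether1 protocol=udp dst-port=53 action=accept \
    comment="LAN may use the resolver"
add chain=input in-interface=!ether1 protocol=tcp dst-port=53 action=accept

# 4. Forward chain: from WAN, only connections that matched a dst-nat
#    rule may pass to the LAN; everything else from WAN is dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept \
    comment="port-forwarded services"
add chain=forward in-interface=ether1 connection-nat-state=!dstnat action=drop \
    comment="everything else from WAN"

# Checks from the router console:
#   /ip firewall nat print stats      (dst-nat counter should grow on a
#                                      connection from outside)
#   /ip firewall filter print stats   (the "no DNS from WAN" counters show
#                                      how often outside hosts probe port 53)
#   /ip dns cache print               (only LAN-originated names should appear)
```

If an existing filter rule set already ends with a catch-all drop, the new rules must be placed above it, since RouterOS stops at the first matching rule.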