DNS traffic through IPSec VPN

Hello,
I have configured IPSec VPN tunnels between our main office and 5 branch offices on MikroTik CCR1009-7G-1C-1S+ devices. At the main site we have a Windows Server Active Directory domain controller which is also configured as the DNS server for the branch offices. All branches should use the DNS from the main office as their primary server. Communication between the main office and the branch offices is established: ICMP ping is working on both sides, we can open SMB shares located at the main site, and move files from a branch to the main office and back. The only problem is DNS requests. All requests from a branch office (any branch office) time out; clients in the branch offices are not seeing the DNS server at the main office at all. What can be the problem?

In the absence of any description of the network topology at the HQ, it's nothing but guessing: if it's not a firewall rule blocking DNS queries coming in via WAN without an exception for those that come in via WAN but are transported using bare IPsec, the next most likely thing to me is routing at the DNS server itself, which doesn't have the CCR as its default gateway.

Running /tool sniffer quick port=53 ip-address=some.BO.host.ip on the CCR at HQ is your best starting point. It should show you whether the DNS queries arrive from the BO, where they are sent if they do, and whether any responses ever come back from the server. If you use bare IPsec rather than IPsec-encrypted point-to-point tunnels between virtual interfaces, you won't see whether the responses were sent back to the BO this way, but you may use firewall mangle rules to count or log them.
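The checks described in the reply above, written out as RouterOS commands for the HQ CCR. This is an added example, not configuration posted in the original thread. The addressing (HQ LAN 192.168.1.0/24 with the Windows AD/DNS server at 192.168.1.10, one branch LAN 192.168.2.0/24 with a test client at 192.168.2.50) and the assumption of policy-based ("bare") IPsec between the CCRs are assumptions; substitute the real subnets.

```routeros
# Added example, not from the original thread. Assumed addressing:
#   HQ LAN 192.168.1.0/24, Windows AD/DNS server 192.168.1.10
#   one branch office (BO) LAN 192.168.2.0/24, BO test client 192.168.2.50
# Assumes bare (policy-based) IPsec, no GRE/IPIP/EoIP tunnel interfaces.

# 1) Watch DNS traffic to/from the BO test client. Decrypted queries should
#    show up as 192.168.2.50 -> 192.168.1.10:53. Replies from the server will
#    only be visible here if the server actually routes them back via this CCR.
/tool sniffer quick port=53 ip-address=192.168.2.50

# 2) Let DNS from the branches reach the server even though it arrives on the
#    WAN interface. The ipsec-policy matcher distinguishes packets that were
#    just decrypted from an IPsec SA from plain WAN traffic. These rules must
#    sit above any "drop everything from WAN" rule in the forward chain.
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec protocol=udp dst-address=192.168.1.10 \
    dst-port=53 action=accept comment="DNS from branches via IPsec (UDP)"
add chain=forward ipsec-policy=in,ipsec protocol=tcp dst-address=192.168.1.10 \
    dst-port=53 action=accept comment="DNS from branches via IPsec (TCP)"

# 3) Count (and log) queries and replies in the mangle table. action=passthrough
#    leaves the packet untouched, so these rules are pure counters; read them
#    with /ip firewall mangle print stats or watch /log for the prefixes.
#    Query counter growing while the reply counter stays at zero means the
#    server's answers never pass this CCR: wrong default gateway on the server,
#    or no answer at all.
/ip firewall mangle
add chain=forward ipsec-policy=in,ipsec protocol=udp src-address=192.168.2.0/24 \
    dst-address=192.168.1.10 dst-port=53 action=passthrough log=yes \
    log-prefix="dns-query" comment="count DNS queries BO -> HQ server"
add chain=forward protocol=udp src-address=192.168.1.10 src-port=53 \
    dst-address=192.168.2.0/24 action=passthrough log=yes \
    log-prefix="dns-reply" comment="count DNS replies HQ server -> BO (pre-encryption)"
```

The reply-counting rule deliberately has no ipsec-policy=out,ipsec matcher, so it counts the server's answers whether or not a matching IPsec policy exists for them; if it counts but the branch still sees no replies, the outbound policy or SA is the next thing to inspect.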