dst-nat outside dns requests

Hellbound · January 4, 2007, 7:29pm

hi guys
I’m trying to figure out how to setup routeros to dst-nat for dns request from internet side to my webserver which has its dns server. and allow my local user to acquire dns result from the mikrotik itself.

so I added this rule in dst-nat but it doesn’t work and it capture zero frame.

add chain=dstnat src-address=!10.1.1.0/24 dst-address=60.52.138.14 \
    protocol=tcp dst-port=53 action=dst-nat to-addresses=10.1.1.7 to-ports=53 \
    comment="outside dns access" disabled=no

how to make it work?

yancho · January 4, 2007, 8:22pm

Change protocol to UDP

Hellbound · January 4, 2007, 8:37pm

ooooops

my bad..

thanks a lot for prompt reply

janisk · January 5, 2007, 10:01am

i thought that both tcp and udp has to be forwarded.

yancho · January 5, 2007, 10:59am

janisk, yep you are right, but mainly it’s UDP traffic.

The DNS assumes that messages will be transmitted as datagrams or in a
byte stream carried by a virtual circuit. While virtual circuits can be
used for any DNS activity, datagrams are preferred for queries due to
their lower overhead and better performance. Zone refresh activities
must use virtual circuits because of the need for reliable transfer. [ http://www.ietf.org/rfc/rfc1035.txt ]