Force Google DNS Usage

Hello,

There are various posts which show how to intercept all DNS queries and redirect them, such as this one: http://forum.mikrotik.com/t/force-users-to-use-specific-dns-server/129788/1

But, none of these codes seem to work. I have my DHCP server set to serve 8.8.8.8 as the DNS server, but I want to also add a rule to Mikrotik to intercept any non-8.8.8.8 queries and redirect them to 8.8.8.8. Does anyone have code for this?

Thanks

It is not clear from the description; do you want to:

  1. Redirect all dns queries to the router and use 8.8.8.8 as an upstream dns for it.
  2. Redirect all dns queries to 8.8.8.8 and also use 8.8.8.8 for the router itself too?
> 2. Redirect all dns queries to 8.8.8.8 and also use 8.8.8.8 for the router itself too?

Then it will be something like this:

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=!8.8.8.8 to-addresses=8.8.8.8 protocol=tcp dst-port=53 in-interface=***YOUR_LAN_BRIDGE***
add chain=dstnat action=dst-nat dst-address=!8.8.8.8 to-addresses=8.8.8.8 protocol=udp dst-port=53 in-interface=***YOUR_LAN_BRIDGE***

The dst-address=!8.8.8.8 part is not really needed; it will work the same way without it, so I added it mainly to make the picture more clear.

Then specify 8.8.8.8 for the router itself in IP → DNS.

Sounds like some destination nat rules are in order…
add action=redirect chain=dstnat comment="Force Users to Router for DNS - TCP" dst-port=53 protocol=tcp src-address-list="whatever networks or interfaces or IPs you have identified in source address list"
add action=redirect chain=dstnat comment="Force Users to Router for DNS - UDP" dst-port=53 protocol=udp src-address-list="whatever networks or interfaces or IPs you have identified in source address list"

Hmm, a little slow and a little different, but I am using redirect rules; I believe both approaches should work.
In my case, for each of the networks under DHCP server I would put the LAN IP of the network for DNS.
For example:
/ip dhcp-server network
dns-server=192.168.1.1 for that network
192.168.2.1 for another
192.168.3.1 for another, etc.

In that regard you are clearly stating each subnet should use the router DNS setting.
In the router DNS setting state 8.8.8.8 (although I prefer Cloudflare 1.1.1.1 or 1.0.0.1), and

there are two pieces I am not sure of.
(1) Allow or not to allow remote requests? Answer is YES; this allows the Router to act as a DNS server.

(2) Requirement for input rules?
What I am not sure about is whether one needs to allow users to access port 53 on the input chain for the above setup???
I believe the answer is yes… For all services that the router provides, one has to allow access to that service.

add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp

Lastly, one needs one of two things on the input chain to close off this DNS.
a. a last rule in the input chain that says DROP ALL ELSE
b. if you don't use a, then you will need two INPUT chain rules blocking DNS from the WAN side
c. forget b and implement a, LOL.
d. For 20 million rupees, C is the right answer.
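Putting the redirect approach, the router-upstream DNS setting and the input-chain rules from the replies above into one consistent set, as an added example (not config posted by anyone in the thread); it assumes interface lists named LAN and WAN already exist and that the router is the DHCP-advertised DNS server:

```routeros
# Router resolves for LAN clients and forwards to 8.8.8.8 upstream
/ip dns
set servers=8.8.8.8 allow-remote-requests=yes

# Transparently send every port-53 query from the LAN to the router itself,
# regardless of which resolver the client configured
/ip firewall nat
add chain=dstnat action=redirect protocol=udp dst-port=53 in-interface-list=LAN \
    comment="Force LAN clients to router DNS - UDP"
add chain=dstnat action=redirect protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="Force LAN clients to router DNS - TCP"

# Input chain: let the LAN reach the router's resolver, then close port 53
# (and everything else) towards the WAN so the router is not an open resolver
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="Allow replies to router-originated traffic"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="Allow LAN DNS queries - UDP"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN \
    comment="Allow LAN DNS queries - TCP"
add chain=input action=drop in-interface-list=WAN \
    comment="Drop all else from WAN (option a above)"

# Check: the redirect counters should climb when a LAN host queries any
# resolver other than the router; the WAN drop rule should stay quiet
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where chain=input
```

Only plain port-53 DNS is caught this way; clients using DNS over TLS or HTTPS (ports 853/443) are not affected by these rules.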