Force Users to Use Specific DNS Server

DNS is not case-sensitive, so whether a client asks for MikroTik.com, mikrotik.com, MiKrOtIk.CoM, or any other combination, it's the same thing. But if I remember correctly, all other servers kept the same case in the answer, so there was an RFC draft that this could be used to make queries more unique, to prevent blind cache poisoning, where an attacker sends a huge number of spoofed answers and hopes to guess the right ID and port of the answer expected by the resolver. If you could add different letter case to this, it would make it even more unlikely for an attacker to succeed. I think it never made it to standard, but someone took it as a good idea anyway. So I'd say that the behaviour of ROSv6 is somewhere between right and wrong. Not really wrong, but different from what everyone else was doing.
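As an added illustration of the mechanism described in the post above (the "0x20" case-randomisation draft), here is a small Python model of the resolver side: it randomises the case of the letters in the query name, builds the question in wire format, and then accepts a response only if the echoed question name matches case-sensitively, so a spoofed answer has to guess the case bits on top of the 16-bit transaction ID and the source port. This is example code, not from the forum thread or RouterOS; the wire-format helpers are deliberately minimal and assume no name compression in the question section, which holds for a response that echoes our own question.

```python
import random
import struct

# Added example (not from the forum thread): the "0x20" idea described above.
# The resolver randomises the case of the letters in the query name, then
# accepts an answer only if the echoed question name matches case-sensitively.


def apply_case_mask(name: str, mask: int) -> str:
    """Set the case of the i-th ASCII letter in name from bit i of mask."""
    out, i = [], 0
    for ch in name:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (mask >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def extra_entropy_bits(name: str) -> int:
    """Each ASCII letter adds one bit on top of the 16-bit ID and the source port."""
    return sum(1 for ch in name if ch.isascii() and ch.isalpha())


def randomize_case(name: str, seed: int) -> str:
    """Seeded for reproducibility here; a real resolver would use a CSPRNG."""
    n = extra_entropy_bits(name)
    mask = random.Random(seed).getrandbits(n) if n else 0
    return apply_case_mask(name, mask)


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(data: bytes, offset: int = 0):
    """Inverse of encode_qname; returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def fake_response(query: bytes, echoed_name: str, txid=None) -> bytes:
    """Constructed test data: an answerless response echoing the question."""
    q_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", q_id if txid is None else txid, 0x8180, 1, 0, 0, 0)
    return header + encode_qname(echoed_name) + struct.pack("!HH", 1, 1)


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Resolver-side check: same ID, QR bit set, question echoed with the same case."""
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, r_flags = struct.unpack("!HH", response[:4])
    if r_id != q_id or not (r_flags & 0x8000):
        return False
    q_name, q_end = decode_qname(query, 12)
    r_name, r_end = decode_qname(response, 12)
    if q_name != r_name:  # case-sensitive on purpose: this is the 0x20 check
        return False
    return query[q_end:q_end + 4] == response[r_end:r_end + 4]  # qtype/qclass


if __name__ == "__main__":
    name = apply_case_mask("mikrotik.com", 0x5A5)
    q = build_query(0x1234, name)
    print(name, "adds", extra_entropy_bits(name), "bits of entropy")
    print("same case accepted:", response_matches_query(q, fake_response(q, name)))
    print("lowercased rejected:", not response_matches_query(q, fake_response(q, name.lower())))
```

A server that lowercases the name in its reply (the ROSv6 behaviour discussed above) would fail this check at a 0x20-aware resolver, which is why the draft relied on the common practice of echoing the question byte-for-byte.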

If extra-pedantic is a word… see RFC 4343 in Section 4. Apparently V6 DNS’s approach is called “Name Compression” and allowed.

That is awesome… Nice link!

Greetings Anav,

These two rules below, in the “A.” option above, do they also require the “to-ports=53” as well?
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp

Negative, to-ports is implied to be the same as dst-port if not entered. To-ports is really only used when doing port translation.
What is important with such sweeping in-interface-list=LAN rules is to ensure you exclude the Pi LAN address or any other subnets not being subjugated to the Pi.
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=!Excluded
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp src-address-list=!Excluded

/ip firewall address-list
add address=IP-Pi-device list=Excluded
add address=lanSUBNET list=Excluded

These devices require access to normal DNS services. Don't want the Pi device to be in a loop LOL.

Caution: I have RECENTLY seen folks using these rules and not putting a SOURCE part in the rule (in-interface LAN).
IF you don't, then anyone on the internet will start using your Pi server!!

I note the original link at the top of the thread showed this dangerous config, and it's from an old, no longer available site.
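To make the point of the post above concrete, here is an added Python model (not RouterOS code, and not from the thread) of how a dstnat chain matches packets. It implements only the matchers used in the rules above: first matching rule wins, `!name` negates a list match, and a missing matcher means "any". The interface lists, the `Excluded` address list contents and the sample packets are constructed for the example; the unrestricted rule pair is the pattern the post warns about, and the second pair is the corrected form with `in-interface-list=LAN src-address-list=!Excluded`.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Added example (not from the thread, not RouterOS code): a small model of how
# dstnat rules match, to show why the redirect needs in-interface-list=LAN and
# src-address-list=!Excluded.  Lists and sample packets are constructed.


@dataclass
class Packet:
    src: str        # source IP
    in_iface: str   # interface the packet arrived on
    proto: str      # "udp" or "tcp"
    dst_port: int


@dataclass
class Rule:
    action: str                                 # only "redirect" is used here
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    in_interface_list: Optional[str] = None     # e.g. "LAN" or "!WAN"
    src_address_list: Optional[str] = None      # e.g. "Excluded" or "!Excluded"


IFACE_LISTS: Dict[str, Set[str]] = {"LAN": {"bridge1"}, "WAN": {"ether1"}}
ADDR_LISTS: Dict[str, List[str]] = {
    # the Pi itself plus a management subnet that must keep normal DNS (constructed)
    "Excluded": ["192.168.88.5", "10.20.0.0/24"],
}


def _list_match(spec: Optional[str], member: bool) -> bool:
    """RouterOS '!name' negates the list match; no spec means 'any'."""
    if spec is None:
        return True
    return (not member) if spec.startswith("!") else member


def _in_addr_list(lists: Dict[str, List[str]], name: str, addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(entry, strict=False) for entry in lists.get(name, []))


def matches(rule: Rule, pkt: Packet, iface_lists, addr_lists) -> bool:
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.protocol is not None and pkt.proto != rule.protocol:
        return False
    spec = rule.in_interface_list
    in_list = pkt.in_iface in iface_lists.get((spec or "").lstrip("!"), set())
    if not _list_match(spec, in_list):
        return False
    spec = rule.src_address_list
    if not _list_match(spec, _in_addr_list(addr_lists, (spec or "").lstrip("!"), pkt.src)):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             iface_lists=IFACE_LISTS, addr_lists=ADDR_LISTS) -> Optional[str]:
    """First matching rule wins, as in a RouterOS chain; None = no NAT applied."""
    for rule in rules:
        if matches(rule, pkt, iface_lists, addr_lists):
            return rule.action
    return None


# The pattern warned about above: no interface or source restriction at all.
UNSAFE_RULES = [Rule("redirect", dst_port=53, protocol="udp"),
                Rule("redirect", dst_port=53, protocol="tcp")]

# The corrected form from the post.
SAFE_RULES = [Rule("redirect", 53, "udp", "LAN", "!Excluded"),
              Rule("redirect", 53, "tcp", "LAN", "!Excluded")]

if __name__ == "__main__":
    cases = {
        "internet host on ether1": Packet("203.0.113.7", "ether1", "udp", 53),
        "LAN client":              Packet("192.168.88.50", "bridge1", "udp", 53),
        "Pi itself":               Packet("192.168.88.5", "bridge1", "udp", 53),
        "LAN client HTTPS":        Packet("192.168.88.50", "bridge1", "tcp", 443),
    }
    for label, pkt in cases.items():
        print(f"{label:24s} unsafe={str(evaluate(UNSAFE_RULES, pkt)):9s} "
              f"safe={evaluate(SAFE_RULES, pkt)}")
```

With the unrestricted pair, a query arriving on the WAN interface is redirected to the router's own resolver just like a LAN query, which is the open-resolver exposure the post describes; with the corrected pair it falls through untouched (and is then left to the input chain), while the Pi's own upstream queries are exempted so they do not loop back. The model stops at the dstnat chain and does not represent the input or forward chains.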

Greetings Anav,

Thanks for the quick reply. I have a Pi-Hole server as well, not using it though. Found it caused more issues than what it’s worth (things not working due to ad-blocker detected) over the last few years, so decided to remove it. I’ve been following you quite a bit on this forum. Take what you, SOB & rextended post as gold lol. I enabled logging on the force DNS rules. Logging reveals 8.8.8.8:53 is being used but that’s not what’s allowed in my lists or in DNS servers. I’m not sure if it’s working properly. Can you take a quick look? Below is my config (apologies if you want me to create a new post).

From the log: dstnat: in:Lan Bridge out:(unknown 0), connection-state:new src-mac d8:0f:99:42:bd:73, proto UDP, 192.168.201.77:57703->8.8.8.8:53, len 62

ROS 7.13 using the Apprentice FW located here: https://forum.mikrotik.com/viewtopic.php?t=180838

/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2,185.228.168.9
/ip firewall address-list
add address=my.LAN.block comment="Admin - Devices" list=\
admin
add address=my.LAN.block comment="Admin - Wireguard" list=admin
add address=my.LAN.block comment=SyncServer list=SyncServer
add address=my.LAN.block comment="Current Network" list=\
expected-address-from-LAN
add address=224.0.0.0/4 comment=Multicast list=expected-address-from-LAN
add address=255.255.255.255 comment=Local list=expected-address-from-LAN
add address=my.LAN.block comment="Wireguard Network" list=\
expected-address-from-LAN
add address=1.1.1.1 comment="Allowed DNS Servers - Cloudflare" list=\
allowed_DNS
add address=1.0.0.1 list=allowed_DNS
add address=1.1.1.2 list=allowed_DNS
add address=1.0.0.2 list=allowed_DNS
add address=1.1.1.3 list=allowed_DNS
add address=1.0.0.3 list=allowed_DNS
add address=185.228.168.9 comment="Allowed DNS Servers - Cleanbrowsing" list=\
allowed_DNS
add address=10.0.0.0/8 comment="Denied Addresses" list=\
unexpected-src-address-hitting-ISP
add address=127.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=169.254.0.0/16 list=unexpected-src-address-hitting-ISP
add address=172.16.0.0/12 list=unexpected-src-address-hitting-ISP
add address=192.0.0.0/24 list=unexpected-src-address-hitting-ISP
add address=192.0.2.0/24 list=unexpected-src-address-hitting-ISP
add address=192.88.99.0/24 list=unexpected-src-address-hitting-ISP
add address=192.168.0.0/16 list=unexpected-src-address-hitting-ISP
add address=198.18.0.0/15 list=unexpected-src-address-hitting-ISP
add address=198.51.100.0/24 list=unexpected-src-address-hitting-ISP
add address=203.0.113.0/24 list=unexpected-src-address-hitting-ISP
add address=233.252.0.0/24 list=unexpected-src-address-hitting-ISP
add address=240.0.0.0/5 list=unexpected-src-address-hitting-ISP
add address=248.0.0.0/6 list=unexpected-src-address-hitting-ISP
add address=252.0.0.0/7 list=unexpected-src-address-hitting-ISP
add address=254.0.0.0/8 list=unexpected-src-address-hitting-ISP
add address=MY-WAN-IP list=unexpected-src-address-hitting-ISP
add address=MY-WAN-IP list=expected-dst-address-to-my-ISP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" \
dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN \
src-address-list=admin
add action=accept chain=input comment="allow LAN DNS queries-TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN DNS/NTP queries-UDP" \
dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=23231 log=\
yes protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=\
LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat log=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=dst-nat chain=dstnat comment=\
"SyncServer - LetsEncrypt Cert Renew (enable during renewal only)" \
disabled=yes dst-address-list=expected-dst-address-to-my-ISP \
dst-address-type=local dst-port=80 log=yes protocol=tcp to-addresses=\
server.IP to-ports=80
add action=src-nat chain=srcnat comment=\
"LAN masquerade & also hide LAN addresses" out-interface-list=WAN \
src-address-list=expected-address-from-LAN to-addresses=MY-WAN-IP
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address-list=\
expected-address-from-LAN out-interface-list=LAN protocol=tcp \
src-address-list=expected-address-from-LAN
add action=redirect chain=dstnat comment=\
"Redirect DNS to Mikrotik DNS Server - TCP" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat comment=\
"Redirect DNS to Mikrotik DNS Server - UDP" dst-port=53 \
in-interface-list=LAN log=yes protocol=udp
add action=dst-nat chain=dstnat comment="SyncServer - HTTPS" \
dst-address-list=expected-dst-address-to-my-ISP dst-port=port log=yes \
protocol=tcp to-addresses=Server.IP to-ports=port
add action=dst-nat chain=dstnat comment="SyncServer - OpenVPN" \
dst-address-list=expected-dst-address-to-my-ISP dst-address-type=local \
dst-port=port log=yes protocol=tcp to-addresses=Server.IP \
to-ports=port
/ip firewall raw
add action=drop chain=prerouting comment="ISP - AT&T Fiber - ether1 - drop all\
\_internet traffic (enable for testing only)" disabled=yes in-interface=\
ether1
add action=drop chain=prerouting comment=\
"drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
"drop non-legit dst-addresses hitting WAN side" dst-address-list=\
!expected-dst-address-to-my-ISP in-interface-list=WAN
add action=drop chain=prerouting comment=\
"drop non-legit traffic coming from LAN" in-interface-list=LAN \
src-address-list=!expected-address-from-LAN
add action=accept chain=prerouting comment="allowed DNS" src-address-list=\
allowed_DNS
add action=accept chain=output dst-address-list=allowed_DNS
add action=add-src-to-address-list address-list=\
expected-dst-address-to-my-ISP address-list-timeout=none-static chain=\
output comment="get ISP dhcp-client IP address & add to expected-dst-addre\
ss-to-my-ISP list" out-interface-list=WAN src-address-type=local
add action=add-src-to-address-list address-list=\
unexpected-src-address-hitting-ISP address-list-timeout=none-static \
chain=output comment="get ISP dhcp-client IP address & add to unexpected-s\
rc-address-hitting-ISP list" out-interface-list=WAN src-address-type=\
local

Well, will focus on DNS-related rules…
In general the device acting as DNS server has to have access to the internet to get DNS itself.
EVEN a DoH server needs some unencrypted DNS access to make the initial connection to an encrypted DoH server.

So in general, one has to look at
DNS servers in DHCP Network Server
IP DNS rules
and DSTNAT RULES
and even forward chain rules to ensure users are allowed to go to the DNS server etc.

So looking at it quickly
you use redirect so that any DST NAT attempts by users will go through the router. Okay
You allow access to DNS router services in input chain… Okay
You allow access to external servers, and 1.1.1.1 and 1.0.0.2 are okay and not the problem. Okay
You allow access to external server 185.228.168.9, which is also okay as it looks to be another DNS service…

So quickly I see nothing untoward… What happens when a user uses google in a browser search or google mail or something like that, perhaps eventually a google resolver down the line gets involved ???

Thanks for looking over it. Appreciate the assistance! When I change my DNS on my laptop to 8.8.8.8, go to https://1.1.1.1/help, it verifies that I am using Cloudflare resolvers. So it does work as intended. I didn’t think to try that before posting.

Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) No
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center ORD

Turning the firewall rule off, it is no longer using Cloudflare but Google instead. The rule definitely works:

Debug Information
Connected to 1.1.1.1 No
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) No
Using DNS over WARP No
AS Name Google
AS Number 15169
Cloudflare Data Center ORD

It is not clear what firewall rule you are talking about??

Greetings Anav,

This one, specifically the udp:
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp

Ah okay, I think of that as NAT RULE, as opposed to a MANGLE rule as opposed to filter rules (forward and input chain).
All other IP firewall. LOL.

I am building up to an ultimate question of how to get Adguard Home via raspberry pi to work with my Mikrotik network. I tried pointing the DNS entries in IP-DHCP-Server-Network to my raspberry pi which has Adguard Home running (and which says the upstream DNS I entered is correct and accessible). I tried adding the redirect rules in this post, etc, and it just isn’t working yet.

So, starting with baby steps I read this post and tried to see whether my current redirect rules in NAT do anything. Apparently not, since when they are activated I can still set Firefox on my laptop to use Cloudflare and it will go to Cloudflare despite my NAT redirect rules which I understood would force everything that goes through the MT router to use my /ip/dns settings…which are currently DOH Control-D…

/ip/firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Fix the NTP client by changing its source port 123 with something higher (mikrotik forum 794718)
      chain=srcnat action=masquerade to-ports=12400-12440 protocol=udp src-port=123 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address-list=not_in_internet out-interface-list=WAN ipsec-policy=out,none 

 2    chain=dstnat action=redirect to-ports=53 protocol=udp in-interface-list=!WAN dst-port=53 

 3    chain=dstnat action=redirect to-ports=53 protocol=tcp in-interface-list=!WAN dst-port=53 log=no log-prefix="

/ip/dhcp-server network print
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS        GATEWAY     DNS-SERVER
0 10.10.10.0/24  10.10.10.1  10.10.99.1
1 10.10.20.0/24  10.10.20.1  10.10.99.1
2 10.10.30.0/24  10.10.30.1  10.10.99.1
3 10.10.99.0/24  10.10.99.1  10.10.99.1

/ip/dns print
                      servers: 
              dynamic-servers: 2606:4700:4700::1111,2001:4860:4860::8888
               use-doh-server: https://dns.controld.com/xxxxxxxxxx
              verify-doh-cert: yes
   doh-max-server-connections: 8
   doh-max-concurrent-queries: 75
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 50
  max-concurrent-tcp-sessions: 10
                   cache-size: 20480KiB
                cache-max-ttl: 1d
      address-list-extra-time: 0s
                          vrf: main
           mdns-repeat-ifaces: VLAN-10-Main,VLAN-20-Guest,VLAN-30-IoT,VLAN-99-Mgmt
                   cache-used: 613KiB

I can’t get the dynamic servers to go away - but I’m positive they’re coming from my WAN2, not my WAN1 where all internet activity is going until a failover event. The static entries I have in ip/dns are nextdns ip addresses as I’ve been testing back and forth between Control-D and NextDNS. I am now trying to play with Adguard Home since I got the raspberry pi…

Please let me know if there’s anything obvious about my setup that is preventing the redirect rules from forcing my laptop to use Control-D, rather than the Cloudflare setting I tested in the browser settings.

Thanks!

I finally got the Adguard Home via raspberry pi connected to one of my VLANs to work. The only issue that I still have is that I can set my Firefox browser on my laptop to use a different DNS, and when I run DNSLeakTest.com it shows up as that Firefox DNS - not the upstream DNS from the Adguard Home.
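The two posts above both see a browser-level DNS setting survive the redirect, and the page's own logging shows why a port-53 rule is the only thing it can see: the log line quoted earlier has the form `proto UDP, 192.168.201.77:57703->8.8.8.8:53`, while a browser configured for DNS over HTTPS talks to the resolver on 443 (and DNS over TLS on 853), which a `dst-port=53` redirect never matches. As an added example (not from the thread), here is a Python classifier for firewall log lines in that format that separates the traffic the redirect covers from the traffic it is blind to. The log lines, the MAC address and the resolver set are constructed for the example; the resolver addresses are the public ones that appear in the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Added example (not from the thread): classify RouterOS-style firewall log
# lines by whether a dst-port=53 redirect rule can see them at all.  Port 53 is
# plain DNS and is caught by the redirect; 853 (DNS over TLS) and 443 towards a
# public resolver (DNS over HTTPS) never match a port-53 rule.  Log lines,
# the MAC address and the resolver set below are constructed.

LOG_RE = re.compile(
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "          # "TCP (SYN)" also appears
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Public resolvers that also answer DoH on 443 (addresses seen in the thread).
KNOWN_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

SAMPLE_LOG = """\
dstnat: in:Lan Bridge out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 192.168.201.77:57703->8.8.8.8:53, len 62
forward: in:Lan Bridge out:ether1, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.201.77:51000->1.1.1.1:443, len 60
forward: in:Lan Bridge out:ether1, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.201.77:51002->1.1.1.1:853, len 60
forward: in:Lan Bridge out:ether1, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.201.77:51004->203.0.113.10:443, len 60
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Pull proto, src/dst address and ports out of one log line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str], resolvers=KNOWN_RESOLVERS) -> str:
    port = int(rec["dport"])
    if port == 53:
        return "plain-dns"        # the dstnat redirect catches this
    if port == 853:
        return "dot"              # DNS over TLS: a port-53 redirect is blind to it
    if port == 443 and rec["dst"] in resolvers:
        return "doh-candidate"    # could be DoH, or just a visit to 1.1.1.1/help
    return "other"


def summarize(lines: List[str], resolvers=KNOWN_RESOLVERS) -> Dict[str, int]:
    """Count each class over a batch of log lines; unparsable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[classify(rec, resolvers)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(f"{rec['src']:>16} -> {rec['dst']:>14}:{rec['dport']:<4} {classify(rec)}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

A 443 connection to a resolver address is only a candidate: the thread itself visits https://1.1.1.1/help over 443 to check which resolver is in use, so the classifier flags it for a look rather than calling it DoH. The practical consequence for the setup described above is that the redirect rules guarantee nothing about a client that has its own encrypted resolver configured; the DNSLeakTest result is expected in that case.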