Hide upstream DNS name server from clients

Running

scutil --dns

on my Mac shows:

resolver #1
  nameserver[0] : 192.168.178.1
  nameserver[1] : 1.1.1.1
  if_index : 15 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

So my hEX is disclosing its upstream DNS name server. Is it possible to hide that from the clients and let only the hEX resolve all DNS?

Config:

[admin@MikroTik] /ip/dns> export 
# 2024-04-17 10:06:46 by RouterOS 7.14.2
# software id = WX80-GBN0
#
# model = RB750Gr3
# serial number = HFK09EZD06Y
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.178.1 comment=defconf name=router.lan

You can explicitly specify the list of DNS servers (in this case, just 192.168.178.1) that the DHCP clients will use in the corresponding /ip dhcp-server network entry.

That’s strange. What is the configuration of the DHCP server?

Can you check that this DNS is not configured as an option in your DHCP?

> /ip/dhcp-server/network/export
...
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
[admin@MikroTik] > /ip/dhcp-server/network/export 
...
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=192.168.178.1 gateway=0.0.0.0 netmask=24
add address=192.168.178.0/24 gateway=192.168.178.1 netmask=24
[admin@MikroTik] >

You should remove the 1st entry with 0.0.0.0/24 and add dns-server=192.168.178.1 to the 2nd entry (in WinBox just enter that address in the DNS textbox).
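The two answers above (specify the router's own address as DNS in the /ip dhcp-server network entry, and drop the 0.0.0.0/24 catch-all) as a worked RouterOS 7 CLI example. This is an added example, not code from the thread or from MikroTik; addresses are the ones in the poster's export, and the interface list name "LAN" is assumed from the RouterOS default configuration. The last part goes beyond the thread's fix: it forces plain port-53 traffic from the LAN through the router's resolver, which is what "let only the hEX resolve all DNS" needs when a client has a resolver configured by hand.

```routeros
# Added example (not from the thread). Weak DHCP network config beside the
# corrected one, as RouterOS 7 CLI commands. Assumption: the interface list
# "LAN" exists (created by the RouterOS default config).

# --- Before (what the export showed): the 0.0.0.0/24 catch-all entry carries
# the dns-server option, while the real 192.168.178.0/24 entry has none ---
# /ip dhcp-server network
# add address=0.0.0.0/24 comment=defconf dns-server=192.168.178.1 gateway=0.0.0.0 netmask=24
# add address=192.168.178.0/24 gateway=192.168.178.1 netmask=24

# --- Fix: remove the catch-all, hand out the router itself as the only DNS ---
/ip dhcp-server network remove [find address="0.0.0.0/24"]
/ip dhcp-server network set [find address="192.168.178.0/24"] dns-server=192.168.178.1

# Check what clients will receive on their next lease renewal
/ip dhcp-server network print detail

# The router must answer LAN queries; the thread's export already has this set
/ip dns set allow-remote-requests=yes servers=1.1.1.1

# --- Beyond the thread: DHCP cannot override a resolver typed in by hand on a
# client (the manual 1.1.1.1 case). Redirect any plain DNS query from the LAN
# to the router's own resolver instead. Caveat: this only catches port 53;
# DoH (443) and DoT (853) clients are not covered by these rules. ---
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS through router"
/ip firewall nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force LAN DNS through router"
```

After applying the DHCP change, clients only pick it up when they renew their lease; once renewed, `scutil --dns` on the Mac should list 192.168.178.1 as the sole nameserver for resolver #1. The NAT redirect rules are optional and only make sense if the router is meant to be the single resolver for the LAN; they do nothing for clients that use encrypted DNS.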

Interesting. Let me fire up my old Mac to see what scutil says.

Nope, I only see the local DNS resolver and not its upstream.

resolver #1
  nameserver[0] : 192.168.2.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Can you check on your Mac in the network settings, advanced settings, whether 1.1.1.1 was added manually?

This fixed it.

BTW, it was not only my Mac, but other devices got 1.1.1.1 as well, which resulted in LAN lookup failures.