Hotspot intercepting DNS traffic

Hi all,
I have automatically created a hotspot using the wizard in WinBox. As I can see in the firewall rules, the dynamic rules which are being generated by the hotspot system intercept DNS requests. I don't want this behavior - is there any way to change this? I really only want to intercept http/https traffic.
Thanks.

Add an accept action for DNS in the pre-hotspot chain that is jumped to before interception of DNS traffic. That’s probably best to only do for authenticated Hotspot traffic (hotspot=auth). You may lose some of the functionality that way.
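The rules described in the answer above, as an added example that is not part of the original thread. It assumes the chain names RouterOS creates for a wizard-built hotspot (the dynamic NAT chain "hotspot" first jumps to the user-editable "pre-hotspot" chain, then redirects DNS to the router's own resolver) and uses the `hotspot=auth` matcher so that only authenticated clients bypass the redirect; the comments are mine.

```routeros
# Added example, not from the original thread. Assumes the default hotspot
# chain layout: dstnat -> hotspot -> pre-hotspot (editable) -> DNS redirect.

# 1. Look at the dynamic rules the hotspot generated. They are hidden from a
#    plain "print", which is why they do not appear in the normal rule list.
/ip firewall nat print dynamic
/ip firewall filter print dynamic

# 2. Accept DNS from authenticated clients before the redirect rule is reached,
#    so their queries go to the resolver they asked for. Unauthenticated clients
#    are still intercepted, which the captive-portal login page depends on.
/ip firewall nat
add chain=pre-hotspot action=accept protocol=udp dst-port=53 hotspot=auth \
    comment="authenticated hotspot users: do not intercept DNS (UDP)"
add chain=pre-hotspot action=accept protocol=tcp dst-port=53 hotspot=auth \
    comment="authenticated hotspot users: do not intercept DNS (TCP)"

# 3. Verify the accept rules are in place and are actually matching packets
#    after a logged-in client resolves a name.
/ip firewall nat print stats where chain=pre-hotspot
```

If the packet counters on the two accept rules stay at zero while a logged-in client is resolving names, the traffic is being matched earlier in the chain; re-run `print dynamic` and check the order of the jump to `pre-hotspot` relative to the DNS redirect rules.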

is this behavior documented somewhere?

I was under the impression that all rules which amend the behavior of the traffic are visible as firewall rules - I really don't like the idea of the hotspot intercepting the DNS traffic without me being able to at least recognize it in the configuration.

So - to sum this up, the hotspot function will always intercept traffic by default - even if I allow the DNS server in the walled garden?!

marcel

The nature of the hotspot operation requires some DNS intercepts, but only local stuff. If you are having challenges with the DNS, ensure you have this set:
/ip dns
set allow-remote-requests=yes

If you want to see the hotspot rules in the “/ip firewall filter” and “/ip firewall nat” sections, try using
print dynamic

It would be interesting to know which part of the Hotspot system actually needs to intercept DNS communication, since if the DNS server is in the walled garden as a fully allowed host, hotspot users can't get the hostname resolved without /ip dns being properly set up. That led me to the conclusion that DNS traffic is being intercepted in the first place. ICMP and all other protocols reach the DNS server from users, but not the DNS requests, which is rather confusing :)

m.

I know part of it is for local dns resolution. You can override the external dns servers with an entry in
/ip dns static
The OS checks here first, then the external dns servers.