I have an RB5009 running 7.15.1. My ISP (AT&T US) uses router advertisements to advertise a DNS server that shows up in the “Dynamic Servers” field of the DNS settings. There doesn’t seem to be a way to prevent this.
I have set use-peer-dns=no on all the interfaces under /ipv6/dhcp-client. I have also set advertise-dns=no on all interfaces under /ipv6/nd. There doesn’t seem to be a way to make the router ignore this DNS server.
This is a problem for a couple reasons: first, my NextDNS resolvers aren’t always used which can allow ads and the like to be resolved. Second, AT&T has a very annoying practice of hijacking DNS queries that result in a NXDOMAIN and forwarding you to a page with ads and “suggested links”. I have turned off that “feature” on their website but it still does it.
For a while I had it working by setting an IPv6 NAT rule to NAT all traffic outbound on the WAN port to NextDNS instead, but it stopped working and I don’t know why.
Can anyone help me get rid of this dynamic DNS server? I submitted a ticket to Mikrotik months ago but they just said essentially “we might do something about it”.
How does your router obtain the IPv6 address and routes from your ISP?
Note that not everyone will be familiar with the procedures your ISP uses.
When you don’t know the technical details, at least show us the output of “/ipv6 export”.
Hmm. On the RB1100, using AT&T Fiber, I don’t show any dynamic addresses in /ip/dns if IPv6 DHCP has it disabled (and if IPv6 DNS is “use peer DNS” checked, AT&T DNS gets added as dynamic; uncheck it and it gets removed). At least in 7.16beta.
It’s all SLAAC. There is a bit of a hack because I have two VLANs but AT&T will only give you a /64. But they will give you as many /64s as you ask for, so I use two vrrf interfaces to ask for separate /64s.
That does not sound very convenient… can’t you enable DHCPv6 and request a prefix with that?
If so, you can disable SLAAC (DHCPv6 has the option to receive the DNS servers or not).
IIRC at the moment RouterOS doesn’t let you administratively override how it uses received Router Advertisements. Please contact Mikrotik support and make a feature request at https://help.mikrotik.com/servicedesk/servicedesk
I did. They closed the ticket and said “we’ll think about it”.
I am actually not sure how to do that. I confess IPv6 is a bit of an enigma to me. I’m actually not sure what differentiates SLAAC and DHCPv6 in RouterOS. It seems I am using the “dhcp client” already. What needs to change?
Thought experiment: what if you add a firewall rule that drops the Router Advertisements (ICMPv6, type 134, code 0) from the WAN entirely, instead relying on the DHCPv6 Client option to “Add Default Route”?
I know that ideally the default route should come from the Router Advertisement, and that the “Add Default Route” is but a fallback resource for working with ISPs with broken or no Router Advertisements at all, but this way I think there is a chance of having the IPv6 working without the DNS servers from the ISP.
You are a genius. I couldn’t get it to work by creating a firewall rule but in /ipv6/settings I just set accept-router-advertisements=no and the errant DNS server disappeared. IPv6 connectivity seems unaffected.
Separately, I did get my NAT rule working again. For some reason it had stopped. I re-created it and it once again started natting traffic to the NextDNS server. Must be a bug.
Same problem here. Router OS 7.20. Cannot get rid of advertised upstream DNS server.
IPv6 is disabled.
accept-router-advertisements=no
IPv6 filter on the bridge1
Still obtaining it. Insane.
The only solution is to disable IPv6 on PC.
UPDATE: it WAS a problem on a Mikrotik, but then it turned out to be a Windows 11 problem or a Wi-Fi adapter problem. The advertised DNS server had been cached and linked to the Wi-Fi network. None of the known cache flush commands or deleting the Wi-Fi profile helped. Re-installing the adapter helped. Perhaps it was cached at the adapter level.
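The DNS server discussed in this thread reaches the router or client as an RDNSS option (RFC 8106, option type 25) inside the Router Advertisement (ICMPv6 type 134, code 0). The following is an added example, not code from any poster or from MikroTik: a parser that lists the RDNSS servers in a captured RA, which helps tell whether a DNS server is still being advertised on the wire or is only cached on the client. The function names and the sample packet are constructed for illustration, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

RA_TYPE = 134       # ICMPv6 Router Advertisement
OPT_RDNSS = 25      # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16  # fixed RA fields before the options


def rdnss_from_ra(icmp6: bytes):
    """Return [(lifetime_seconds, [dns_addresses])] for each RDNSS option.

    `icmp6` is the ICMPv6 message starting at the type byte (no IPv6 header).
    Raises ValueError on anything that is not a well-formed RA.
    """
    if len(icmp6) < RA_HEADER_LEN or icmp6[0] != RA_TYPE or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    found, off = [], RA_HEADER_LEN
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")
        if opt_type == OPT_RDNSS:
            # type, len, 2 reserved bytes, 4-byte lifetime, then 16 bytes per server
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            (lifetime,) = struct.unpack_from("!I", icmp6, off + 4)
            addrs = [str(ipaddress.IPv6Address(icmp6[i:i + 16]))
                     for i in range(off + 8, off + opt_len, 16)]
            found.append((lifetime, addrs))
        off += opt_len
    return found


def build_sample_ra(dns_servers, lifetime=600):
    """Constructed test input: an RA with an MTU option followed by one RDNSS option."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    mtu_opt = struct.pack("!BBHI", 5, 1, 0, 1500)
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime) + packed
    return header + mtu_opt + rdnss


if __name__ == "__main__":
    # 2001:db8::/32 is the documentation prefix; these addresses are made up.
    sample = build_sample_ra(["2001:db8::53", "2001:db8::54"])
    for life, servers in rdnss_from_ra(sample):
        print(f"RDNSS lifetime={life}s servers={servers}")
```

An empty result for RAs captured on the LAN or WAN side means no DNS server is being advertised by RA on that segment, so any remaining entry comes from another source such as DHCPv6 or a client-side cache.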