how to choose the DNS server's gateway

In order to use ROS' DNS cache feature, all my devices are using ROS as their DNS server.
And I am living in China, where our DNS service has been poisoned.
In order to visit some websites such as Facebook, I need to force ROS to request DNS service through a VPN gateway.
I've tried several ways, but it doesn't work.
Anybody know how to do this?

Hi, use this script and see what happens:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=YOUR_VPN_DNS_IP to-ports=53

/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=tcp to-addresses=YOUR_VPN_DNS_IP to-ports=53

Don't forget to reboot your router after these configurations; also you can remove all connections from firewall connection tracking and let them be established again.

You could create static routes to the actual DNS servers’ IP addresses.

For example, suppose you're using DNS server 8.8.8.8 and the VPN server's address (inside-tunnel address) is 10.20.30.40.
Create a static route dst=8.8.8.8/32 gateway=10.20.30.40

This will force DNS traffic to cross the VPN.

If you’re doing policy routing, then you’ll need to make sure that this route applies to whatever policy matches the output chain of the mangle table.

Sorry, it doesn't work.

You may not understand what I am talking about.

If my computer obtains 8.8.8.8 as its DNS directly, everything goes well.
That proves that the routing table has been set correctly.

But when my computer obtains ROS' local address as its DNS address (in order to use the DNS cache feature to speed up DNS requests),

my computer sends the DNS request to ROS, then ROS sends the request to 8.8.8.8.

In this situation the routing table doesn't work.

How do you figure that?
If you set a route to 8.8.8.8 which goes through the VPN, then that's going to make the MikroTik's own queries to 8.8.8.8 be directed through the VPN.

I used to think like you, but it really doesn't work. My key configuration is as below.

/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether4-master-local name=default
/ip dhcp-server network add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list add address=all chinese ip addresses list=novpn
/ip firewall mangle add action=mark-routing chain=prerouting comment=vpn dst-address-list=!novpn new-routing-mark=vpn
/ip route add distance=1 gateway=pptp-out1 routing-mark=vpn

If
/ip dhcp-server network add address=192.168.0.0/24 comment="default configuration" dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24

DNS requests are sent to ROS, then ROS sends them to 8.8.8.8 without the VPN gateway.

If
/ip dhcp-server network add address=192.168.0.0/24 comment="default configuration" dns-server=8.8.8.8 gateway=192.168.0.1 netmask=24

DNS requests are sent to 8.8.8.8 directly through the VPN gateway.

The behavior you state (DHCP assigning 8.8.8.8 directly works, while proxying via the MikroTik doesn't work) is expected for your configuration.
You’re using policy routing to govern the choice of gateways.

Flow THROUGH the router is affected by your policy, but traffic FROM the router (i.e. the proxied DNS request) is not following the policy… this is because the second type of traffic doesn’t flow through the same chains in the mangle table. (it uses different chains in the filter table, too)

This won't match packets from the MikroTik itself, which are passed to the output chain, not the prerouting chain.

Refer to the packet flow diagram.

Note that local output enters the IP routing block at point K: [Routing Decision] → [|Output|] …

[| Output |] = Bridge Decision > Raw Out > Connection Tracking > Mangle Output > Filter Output > Routing Adjustment

Mangle prerouting matches packets as they ingress the router through some interface, i.e. from outside the router only.

So to fix your problem, duplicate the prerouting mangle rule (the one I quoted) into the “output” chain of the mangle table and you should get what you want.

Or do it the easy way (what I stated in my previous response):
/ip route add distance=1 dst=8.8.8.8/32 gateway=pptp-out1
/ip route add distance=1 dst=8.8.4.4/32 gateway=pptp-out1
(i.e. ALWAYS route that way, don’t worry about mangle)

You could have done this entire solution using only static routes because you don’t need to use policy routing when the only decision in the policy is based on the destination address - that’s how routing works already…
Simply set default GW to be pptp interface, set /32 route to pptp server via normal gateway interface, set static routes to all Chinese IPs via normal gateway. This method will perform faster than using the mangle table performs, by the way.

Perhaps you didn’t want hundreds of routes in your routing table.

Sorry, it is my fault. The configuration I wrote is the one I am using.

But a mangle output chain rule or just writing a static route: I have already tried both of them.

Unfortunately, they also didn't work.

er~~~~~upup

When you put the policy routing statements also into the output chain, did you clear the DNS cache before re-testing? (On both the MikroTik and the computer)

Try

/ip route rule add dst-address=8.8.8.8/32 table=vpn
/ip route rule add dst-address=8.8.4.4/32 table=vpn

or

/ip firewall mangle add action=mark-routing chain=output dst-address=8.8.8.8 new-routing-mark=vpn passthrough=no
/ip firewall mangle add action=mark-routing chain=output dst-address=8.8.4.4 new-routing-mark=vpn passthrough=no

You can use Tools/Traceroute to check the result.
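Putting the thread's two answers together, the following is a complete configuration, added here as an example; it was not posted by anyone in the thread and is not MikroTik's own documentation. It assumes RouterOS v6 syntax, the interface name pptp-out1, the routing mark vpn, the address list novpn and the resolvers 8.8.8.8 / 8.8.4.4 that appear above, and it ends with the cache-flush and connection-reset steps the replies mention, plus the traceroute check.

```routeros
# Added example (not posted in the thread). Assumes RouterOS v6 syntax,
# VPN interface pptp-out1, routing mark "vpn", address list "novpn"
# (Chinese prefixes, populated separately) and resolvers 8.8.8.8 / 8.8.4.4.

# The router resolves and caches for the LAN; its upstream queries are the
# router-originated traffic that a prerouting rule alone never sees.
/ip dns set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4

# Policy route consulted only for packets carrying the "vpn" mark.
/ip route add dst-address=0.0.0.0/0 gateway=pptp-out1 routing-mark=vpn distance=1

# Traffic THROUGH the router (LAN clients): marked in prerouting, as before.
/ip firewall mangle add chain=prerouting action=mark-routing new-routing-mark=vpn \
    dst-address-list=!novpn passthrough=no comment="clients: non-Chinese dst via VPN"

# Traffic FROM the router (the proxied DNS query, traceroute, updates) enters the
# packet flow at the output chain, so the same policy has to be stated there too.
/ip firewall mangle add chain=output action=mark-routing new-routing-mark=vpn \
    dst-address-list=!novpn passthrough=no comment="router itself: same policy"

# Simpler alternative for the resolvers only: host routes need no mark, because
# longest-prefix match applies to router-originated and forwarded packets alike.
# /ip route add dst-address=8.8.8.8/32 gateway=pptp-out1
# /ip route add dst-address=8.8.4.4/32 gateway=pptp-out1

# Retest without stale state: cached answers (possibly poisoned ones) and existing
# connection-tracking entries to port 53 would keep the old path in use.
/ip dns cache flush
/ip firewall connection remove [find dst-address~"^8.8.[48].[48]:53"]

# Verify: the marked route must be active, and a trace to the resolver should
# show the tunnel's first hop rather than the normal gateway.
/ip route print where routing-mark=vpn
/tool traceroute 8.8.8.8
```

The output-chain rule and the /32 routes are both shown because they cover different cases: the output-chain rule applies the whole !novpn policy to everything the router originates (its own DNS, NTP, traceroute), while the host routes cover only the two resolvers but keep working even if the mangle rules are later disabled or reordered. Note what this does and does not give you: the queries now exit through the tunnel instead of the poisoned path, but they are still cleartext UDP/53 to 8.8.8.8, and PPTP's encryption has well-known weaknesses, so this is a routing fix rather than a DNS integrity fix.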