I need script to add dynamic dns servers to address list

grusu · November 15, 2025, 11:44am

Hi,

I need script to add dynamic dns servers received via pppoe connection from isp to address list to configure a rule in the firewall. The addresses are not normally used on the internet. They are now 100.100.1.1;100.100.0.1 but they can change over time. I normally block such addresses from the internet.

I tried with:

{
:local dynamicservers [/ip/dns/get dynamic-servers]
:put $dynamicservers
:ip firewall/address-list/add list=dns_dynamic_servers address=$dynamicservers
}

but answer are

100.100.1.1;100.100.0.1
failure: 100.100.1.1;100.100.0.1 is not a valid dns name

Thanks',

Geo

jaclaz · November 15, 2025, 2:08pm

It seems like the command /ip firewall/address-list/add list needs any of:

a DNS name
a single IP address, including netmask
a range of addresses (and in this case the netmask is automatically calculated)

So likely you will need to split the resulting string, and run the /ip firewall/address-list/add list twice, possibly adding /32 at the end of each submitted address if not added automatically by Ros.

grusu · November 15, 2025, 2:20pm

I have progressed a little.

{
:local DynamicServers [/ip/dns/get dynamic-servers]
:local FirstIP [:pick $DynamicServers 0 [:find $DynamicServers ";"]]
:local SeparatorPos [:find $DynamicServers ";"]
:local StartPosition ($SeparatorPos + 1)
:local SecondIP [:pick $DynamicServers $StartPosition]
:put $FirstIP
:put $SecondIP
:ip firewall/address-list/add list=dns-dynamic-servers address=$FirstIP
:ip firewall/address-list/add list=dns-dynamic-servers address=$SecondIP
}

Or:

{
:local DynamicServers [/ip/dns/get dynamic-servers]
:local StringArray [:toarray $DynamicServers]
:local FirstIP [:pick $StringArray 0]
:local SecondIP [:pick $StringArray 1]
:ip firewall/address-list/add list=dns-dynamic-servers address=$FirstIP
:ip firewall/address-list/add list=dns-dynamic-servers address=$SecondIP
}

grusu · November 15, 2025, 3:30pm

Some improvements:

#DynamicDNS Add To Address List

    :local ListName "dns-dynamic-servers"
    :local EntryComment "Adresa adaugata automat"
    :local DynamicServers [/ip/dns/get dynamic-servers]
    :local StringArray [:toarray $DynamicServers]
    :local FirstIP [:pick $StringArray 0]
    :local SecondIP [:pick $StringArray 1]
    :local ExistingEntry [/ip firewall address-list find address=$FirstIP list=$ListName]
    if ([:len $ExistingEntry] = 0) do={
    /ip firewall address-list add address=$FirstIP list=$ListName comment=$EntryComment
} else={}
    :local ExistingEntry [/ip firewall address-list find address=$SecondIP list=$ListName]
    if ([:len $ExistingEntry] = 0) do={
    /ip firewall address-list add address=$SecondIP list=$ListName comment=$EntryComment
} else={}

Thanks @jaclaz , tanks AI!

optio · November 15, 2025, 3:53pm

Don’t trust AI much regarding ROS scripting, this is possible to achieve in much simpler way:

:local listName "dns-dynamic-servers"
:local listComment "Adresa adaugata automat"
:local dynamicServers [/ip/dns/get dynamic-servers]

/ip/firewall/address-list
remove [find list=$listName] 
:foreach ip in=$dynamicServers do={
  add list=$listName address=$ip comment=$listComment
}

also cleanup of existing entries in list is added in script with remove [find list=$listName] so that list only contains current DNS IP’s, because in case when changed, list will contain old unused too.

grusu · November 15, 2025, 5:13pm

{
#DynamicDNS Add To Address List v1.2

    :local ListName "dns-dynamic-servers"
    :local EntryComment "Adresa adaugata automat"
    :local DynamicServers [/ip/dns/get dynamic-servers]
    /ip/firewall/address-list remove [find list=$ListName] 
    :foreach ip in=$DynamicServers do={
    /ip/firewall/address-list add list=$ListName address=$ip comment=$EntryComment
}
}

optio · November 15, 2025, 7:53pm

If you plan to perform this script in some regular manner (scheduler/event) here is more optimal (and more complicated) script which will apply only differences between DNS IP’s array and address list to avoid execive flash write and config change update log spam:

:local listName "dns-dynamic-servers"
:local listComment "Adresa adaugata automat"
:local dynamicServers [/ip/dns/get dynamic-servers]

/ip/firewall/address-list
remove [find list=$listName address=[
  :local hasAddress do={
    :foreach ip in=$1 do={
      :if ($ip = $2) do={ :return true }
    }
    :return false
  }
  :if (![$hasAddress $dynamicServers $address]) do={ :return $address }
]]
:foreach ip in=$dynamicServers do={
  :if ([:len [find list=$listName address=$ip]] = 0) do={
    add list=$listName address=$ip comment=$listComment
  }
}

Amm0 · November 15, 2025, 9:06pm

It's unfortunate that the on-up script for PPP (and DHCP client) do not seem to have DNS servers, otherwise you could hook the DNS servers from the source, rather than indirectly via /ip/dns.

Execute script on user login-event. These are available variables that are accessible for the event script:

user

local-address

remote-address

caller-id

called-id

interface
from PPP AAA - RouterOS - MikroTik Documentation in docs

rextended · November 16, 2025, 10:36am

The IP addresses 100.64.0.0/10 are used by your (and other) ISPs to operate internally (=no available on internet) the network.
Blocking them is a really bad idea if are used from your ISP for provide services.
(But is bad idea at the start to use 100.64.0.0/10 for customers services, does the ISP know what they are doing?)

Simply, instead of wasting time with scripts, issue this command and the problem is solved:

/ip firewall address-list add list=dns-dynamic-servers address=100.64.0.0/10

Or even more simply, on pppoe client disable "Use Peer DNS", and on DNS menu put your preferred DNS...

jaclaz · November 16, 2025, 11:00am

Only to clarify, the network 100.64.0.0/10 includes addresses in the range 100.64.0.1 - 100.127.255.254 and are part of the bogons list, described usually as "Carrier-grade NAT" or "IPv4 shared address space":
https://en.wikipedia.org/wiki/IPv4_shared_address_space

RaresC95 · November 16, 2025, 12:21pm

Hi/Salut!

I don’t understand why you filter 100.64/10 in the first place. The ISP(DIGI?) is allocating those addreses for residential costumers, it’s an address range used only in the AS and filtering it will break connectivity from those clients to you. Also, depending on how you filter those source addresses, it may not impact DNS services to 100.100.1.1/100.100.0.1 since the connection is established from your LAN and it should be allowed.

You should only filter ingress connections from “bogons”, except 100.64/10 that is actually legitimate traffic in this ISP.

grusu · November 16, 2025, 12:52pm

Yes, Digi allocates such addresses to customers, although when you sign the contract they promise a public external address, it's true, dynamically allocated. Many times customers can no longer access their equipment on the local network because the router's external address is no longer public. It is resolved with a written complaint that if you talk to someone from front end support, they either pretend not to understand the problem, or they don't have the necessary competence. Written complaints probably go directly to the technical department.

RaresC95 · November 16, 2025, 1:08pm

I am from the tehnical department of DIGI.

If you are a residential costumer, DIGI has no contractual obligation to give you a public /32 IPv4 address.

Now the only services that have public and static IPv4 addreses are the ones for business costumers.

You should read the updated forms.

P.M me for more details regarding this issues because this is an off-topic discussion.

optio · November 16, 2025, 1:39pm

@grusu if with this blocking of ISP provided DNS servers is purpose to prevent DNS leaks, you can simply block standard DNS port (UDP and TCP 53) using firewall rules (forward to WAN out. interface) and use DoH or allow forward DNS port only for manually set DNS IP if standard DNS is used. Depends on configuration and which DNS clients are using.

DuctView · November 16, 2025, 4:36pm

Really? Really? I am not a business customer. I have a static IPv4 AND it is a contractual obligation. I am sure there are business users out there on CGNAT too, with no public /32 address. This is not a question for the technical department, it is a straightforward question of contract. If OP has a contract for a public IPv4 /32, that is what he is entitled to.

RaresC95 · November 16, 2025, 4:43pm

I think I was misunderstood. I am actually working for the OP’s ISP When I was talking about contractual obligations I was reffering only to those of the ISP I am working which is the ISP the OP is using

I work for DIGI, the ISP in cause that actually has no contractual obligation to offer public IP addreses. I am not talking about other ISPs. OP has a residential non-business contract that does guarantee a public /32 IPv4.

I corrected the initial message to be more clear that I was reffering to OP’s ISP.

DuctView · November 16, 2025, 5:48pm

Oh, that makes more sense