Internal DNS server

Hi,

I have configured a local DNS server (192.168.88.7) with bind and I see the requests coming in when they are made locally, but not from the outside, even though I have created the two udp/tcp firewall rules. The aim is to serve external DNS requests. I have a domain xxx.yyy with NS servers configured on my public IP address.

What else should I configure for this to work?

# mar/18/2022 08:29:45 by RouterOS 6.48.6
# software id = VSTX-MV85
#
# model = RBD52G-5HacD2HnD
# serial number = C6140C2E3ACE
/interface bridge
add admin-mac=48:8F:5A:6C:FD:60 auto-mac=no name=bridge
add name=bridge_jcc
/interface ethernet
set [ find default-name=ether4 ] comment="SMC switch old network"
/interface list
add name=WAN
add name=LAN
# Wireless security profiles. Most profiles accept wpa-psk (WPA1) next to
# wpa2-psk, and akguest, kids and CANLBOX-URM additionally list tkip in
# group-ciphers/unicast-ciphers; WPA1/TKIP are deprecated and only worth
# keeping for legacy clients that cannot do WPA2 with AES-CCM.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    mode=dynamic-keys supplicant-identity=my::NET
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=1h mode=dynamic-keys name=<myname> supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=akguest \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys name=kids \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name=akdom supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
    dynamic-keys name=CANLBOX-URM supplicant-identity="" unicast-ciphers=\
    tkip,aes-ccm
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name="Cabinet Bowen" supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes eap-methods="" \
    mode=dynamic-keys name=jccjuju supplicant-identity=""
# Physical radios (wlan1 2.4 GHz, wlan2 5 GHz) plus one virtual AP per SSID
# on each band; WPS is disabled on every AP.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps channel-width=20/40mhz-Ce country=france \
    disabled=no distance=indoors frequency=auto mode=ap-bridge rate-set=\
    configured security-profile=<myname> ssid=<myname> station-roaming=enabled \
    tx-power=30 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=<myname> ssid=<myname> station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:69 master-interface=\
    wlan1 multicast-buffering=disabled name=CANLBOX-URM1 security-profile=\
    CANLBOX-URM ssid=CANLBOX-URM wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6A master-interface=\
    wlan2 multicast-buffering=disabled name=CANLBOX-URM2 security-profile=\
    CANLBOX-URM ssid=CANLBOX-URM wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6D master-interface=\
    wlan2 multicast-buffering=disabled name="Cabinet Bowen 2" \
    security-profile="Cabinet Bowen" ssid="Cabinet Bowen" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6C \
    master-interface=wlan1 multicast-buffering=disabled name="Cabinet Bowen1" \
    security-profile="Cabinet Bowen" ssid="Cabinet Bowen" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:68 \
    master-interface=wlan1 multicast-buffering=disabled name=akdom1 \
    security-profile=akdom ssid=akdom wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6B master-interface=\
    wlan2 multicast-buffering=disabled name=akdom2 security-profile=akdom \
    ssid=akdom wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:64 master-interface=\
    wlan1 multicast-buffering=disabled name=akguest1 security-profile=akguest \
    ssid=akguest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:65 master-interface=\
    wlan2 multicast-buffering=disabled name=akguest2 security-profile=akguest \
    ssid=akguest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:66 master-interface=\
    wlan1 multicast-buffering=disabled name=akkids1 security-profile=kids \
    ssid=akkids station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:67 master-interface=\
    wlan2 multicast-buffering=disabled name=akkids2 security-profile=kids \
    ssid=akkids station-roaming=enabled wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6E \
    master-interface=wlan1 multicast-buffering=disabled name=jccjuju1 \
    security-profile=jccjuju ssid=jccjuju wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add keepalive-frames=disabled mac-address=4A:8F:5A:6C:FD:6F master-interface=\
    wlan2 multicast-buffering=disabled name=jccjuju2 security-profile=jccjuju \
    ssid=jccjuju wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=dhcp_jcc ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=6h name=dhcp
add address-pool=dhcp_jcc disabled=no interface=bridge_jcc lease-time=6h10m \
    name=dhcp_jcc
# PPP profile for the uplink; the "onup" script (see /system script) runs
# every time the PPPoE session comes up.
/ppp profile
add change-tcp-mss=yes name=mls on-up=onup
# PPPoE uplink "FTTH" on ether1. allow=pap restricts PPP authentication to
# PAP (credential sent in clear over the PPPoE link); use-peer-dns=yes takes
# the ISP-supplied resolvers in addition to the static one set in /ip dns.
/interface pppoe-client
add add-default-route=yes allow=pap disabled=no interface=ether1 \
    keepalive-timeout=60 name=FTTH profile=mls service-name=MLS use-peer-dns=\
    yes user=clavien417150@mls.nc
# Per-client fair queuing (PCQ) on the bridge/FTTH parents, fed by the
# lan-pqt / lan6-pqt packet marks set in the mangle chains.
/queue tree
add max-limit=1G name=Download parent=bridge
add max-limit=300M name=Upload parent=FTTH
/queue type
add kind=pcq name=DSL-DL pcq-classifier=dst-address
add kind=pcq name=DSL-UL pcq-classifier=src-address
/queue tree
add name=queue1 packet-mark=lan-pqt,lan6-pqt parent=Download queue=DSL-DL
add name=queue2 packet-mark=lan-pqt,lan6-pqt parent=Upload queue=DSL-UL
# Custom "user" group: read/write/web/sensitive, with every login transport
# (local, telnet, ssh, ftp, winbox, api, ...) and password/policy changes
# explicitly denied.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=user policy="read,write,web,sensitive,!local,!telnet,!ssh,!ftp,!reboo\
    t,!policy,!test,!winbox,!password,!sniff,!api,!romon,!dude,!tikapp" skin=\
    user
# All wired ports except ether1 plus every AP share "bridge"; only the
# jccjuju APs sit on the separate bridge_jcc.
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether4
add bridge=bridge interface=akguest1
add bridge=bridge interface=akguest2
add bridge=bridge interface=akkids1
add bridge=bridge interface=akkids2
add bridge=bridge interface=akdom1
add bridge=bridge interface=CANLBOX-URM1
add bridge=bridge interface=ether5
add bridge=bridge interface="Cabinet Bowen1"
add bridge=bridge interface="Cabinet Bowen 2"
add bridge=bridge_jcc interface=jccjuju1
add bridge=bridge_jcc interface=jccjuju2
# Neighbor discovery is limited to LAN interfaces (nothing on WAN).
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
# Interface lists used by the firewall: ether1 and the PPPoE interface are
# WAN, both bridges are LAN.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=FTTH list=WAN
add interface=bridge_jcc list=LAN
# Two subnets on "bridge" (192.168.88.0/24 and 10.8.0.0/24), one on bridge_jcc.
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.254/24 interface=bridge_jcc network=192.168.1.0
add address=10.8.0.0/24 interface=bridge network=10.8.0.0
/ip arp
add address=192.168.88.235 interface=bridge mac-address=B8:27:EB:04:86:FB
# DHCP client on ether1 alongside the PPPoE client on the same port.
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.3 client-id=1:dc:a6:32:64:63:5a comment=akrp4knife \
    mac-address=DC:A6:32:64:63:5A server=dhcp
add address=192.168.88.250 client-id=1:0:1:6c:d6:3d:4 comment=PC-<myname>-FIX \
    mac-address=00:01:6C:D6:3D:04 server=dhcp
add address=192.168.88.128 client-id=1:2c:59:e5:bc:6:21 comment=\
    PC-<myname>-PORTABLE mac-address=2C:59:E5:BC:06:21 server=dhcp
add address=192.168.88.130 client-id=\
    ff:eb:1d:85:e1:0:1:0:1:28:ab:c3:3a:b8:27:eb:1d:85:e1 comment=akvpn \
    mac-address=B8:27:EB:1D:85:E1 server=dhcp
# DHCP option sets. The 10.6.0.0/24 and 10.10.10.0/24 entries have no
# matching /ip address or pool in this export (probably stale). Clients on
# 192.168.88.0/24 are handed both the router and the bind host
# (192.168.88.7) as DNS servers.
/ip dhcp-server network
add address=10.6.0.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    next-server=192.168.88.1 ntp-server=192.168.88.1 wins-server=192.168.88.1
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.88.0/24 dns-server=192.168.88.1,192.168.88.7 gateway=\
    192.168.88.1
# Router resolver: forwards to bind on 192.168.88.7 ("akdns" below).
# allow-remote-requests=yes makes the router answer DNS on every interface;
# the only thing keeping WAN clients away from it is the input-chain
# "drop all not coming from LAN" rule in /ip firewall filter. If that rule is
# relaxed, or a port-53 accept is added to the input chain, the router itself
# becomes an open resolver. Keep the router's DNS LAN-only; only bind should
# face the Internet, and it must not recurse for outside clients.
/ip dns
set allow-remote-requests=yes servers=192.168.88.7
# Split-horizon records: the public <myname>.nc / tag.nc names resolve to LAN
# hosts (most of them 192.168.88.5, "akngx") for internal clients.
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.88.8 name=aksalt
add address=192.168.88.4 name=akncnc
add address=192.168.88.18 name=aksub
add address=192.168.88.5 name=akngx
add address=192.168.88.121 name=akconverter
add address=192.168.88.148 name=osmcliving
add address=192.168.88.5 name=cloud.<myname>.nc
add address=192.168.88.5 name=muz.<myname>.nc
add address=192.168.88.5 name=webmail.<myname>.nc
add address=192.168.88.2 name=mail.<myname>.nc
add address=192.168.88.5 name=cam.<myname>.nc
add address=192.168.88.5 name=camlive.<myname>.nc
add address=192.168.88.114 name=aknas
add address=192.168.88.117 name=akrp4knife
add address=192.168.1.1 name=akvpnjcc
add address=192.168.88.5 name=git.<myname>.nc
add address=192.168.88.5 name=git.tag.nc
add address=192.168.88.6 name=akweb
add address=192.168.88.5 name=site.tag.nc
add address=192.168.88.5 name=url.tag.nc
add address=192.168.88.7 name=akdns
# Address lists used by the filter/mangle rules below:
#  LAN     - internal subnets (192.168.88.0/24, 10.8.0.0/24), used to mark
#            traffic for the queue tree
#  support - ISP (MLS) management hosts that get unconditional input access
#  bogons  - destinations dropped on the way out to WAN. 10.0.0.0/8 is not in
#            the list while 192.168.0.0/16 and 172.16.0.0/12 are, so traffic
#            to a remote RFC1918 site that is routed out via WAN may be
#            dropped by the "drop bogons" rule.
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
add address=202.22.224.14 comment="MLS Firewall" list=support
add address=202.22.224.7 comment="Dude server" list=support
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/3 list=bogons
add address=100.64.0.0/10 list=bogons
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=10.8.0.0/24 list=LAN
add address=202.22.229.166 list=support
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
# ISP management hosts bypass every other input restriction; only the
# per-service address= limits in /ip service still apply to them.
add action=accept chain=input comment="accept from support" src-address-list=\
    support
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# Input default-deny: anything not arriving on a LAN interface is dropped and
# logged here, regardless of connection-state. Input rules listed after this
# one only ever see LAN-originated packets, so the "Winbox on WAN" drop
# (ether1 is in WAN, already covered) and the ftp/ssh brute-force rules below
# are effectively LAN-only. Port-53 traffic for the bind host is dst-nat'ed
# and therefore handled in the forward chain, not here; no input accept is
# needed for it.
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN log=yes
add action=accept chain=input comment="Accept local connection CAPsMAN" \
    dst-address=127.0.0.1
# Outbound destinations in the bogons list are dropped and logged.
add action=drop chain=forward comment="drop bogons" dst-address-list=bogons \
    log=yes out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): fasttracked packets bypass mangle and the queue tree, so the
# PCQ queues only shape the traffic that is not fasttracked - confirm that is
# intended.
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes
# Forward default-deny from WAN: only new connections that were dst-nat'ed
# (the akngx 80/443 and DNS 53 forwards in /ip firewall nat) get through, so
# no additional forward accept is required for the DNS server. There is no
# equivalent restriction between bridge and bridge_jcc.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Shadowed by "drop all not coming from LAN" above (ether1 is not in LAN).
add action=drop chain=input comment="Winbox on WAN" dst-port=8291 \
    in-interface=ether1 protocol=tcp
# FTP brute-force blacklist keyed on the "530 Login incorrect" banner in the
# router's own replies. /ip service ftp is disabled, so these are dormant.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
# SSH brute-force staging: stage1 -> stage2 -> stage3 -> ssh_blacklist
# (1w3d) on repeated new connections within the 1m stage windows. Because of
# the LAN-only drop above it only ever sees LAN sources.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# Marks LAN-sourced forward connections and their packets (lan-pqt) for the
# PCQ queue tree. NOTE(review): packets handled by the fasttrack rule in
# /ip firewall filter skip mangle, so only non-fasttracked traffic is marked
# and shaped - confirm.
/ip firewall mangle
add action=mark-connection chain=forward new-connection-mark=lan-cnx \
    passthrough=yes src-address-list=LAN
add action=mark-packet chain=forward connection-mark=lan-cnx new-packet-mark=\
    lan-pqt passthrough=yes
/ip firewall nat
# Source NAT for everything leaving via WAN, except traffic covered by an
# IPsec policy.
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
# Port forwards keyed on the hard-coded public address 118.179.232.213; if
# the PPPoE address is not fixed these stop matching when it changes
# (in-interface=FTTH would not). 80/443 -> akngx, 22 -> akweb (disabled),
# 53 udp+tcp -> bind on 192.168.88.7. Once port 53 is reachable from the
# Internet, bind must answer only for the zones it is authoritative for and
# refuse recursion for non-LAN clients, otherwise it is an open resolver
# usable for reflection/amplification; response rate limiting on bind is
# advisable as well.
add action=dst-nat chain=dstnat comment="akngx 443" dst-address=\
    118.179.232.213 dst-port=443 protocol=tcp to-addresses=192.168.88.5 \
    to-ports=443
add action=dst-nat chain=dstnat comment="akngx 80" dst-address=\
    118.179.232.213 dst-port=80 port="" protocol=tcp to-addresses=\
    192.168.88.5 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=118.179.232.213 \
    dst-port=22 protocol=tcp to-addresses=192.168.88.6 to-ports=22
add action=dst-nat chain=dstnat dst-address=118.179.232.213 dst-port=53 log=\
    yes protocol=udp to-addresses=192.168.88.7 to-ports=53
add action=dst-nat chain=dstnat dst-address=118.179.232.213 dst-port=53 \
    protocol=tcp to-addresses=192.168.88.7 to-ports=53
# Transparent DNS proxy: captures port-53 UDP arriving on ANY interface
# (in-interface-list=all), WAN included, and redirects it to the router's
# own resolver. Listed after the dst-nat rules, so inbound queries to the
# public address reach bind first; placed above them it would take those
# queries instead, and the input chain then drops them as non-LAN. Matching
# in-interface-list=LAN would make it independent of rule order.
add action=redirect chain=dstnat comment="Proxy DNS" dst-port=53 \
    in-interface-list=all log-prefix="DNS -->" protocol=udp
/ip firewall service-port
# FTP connection-tracking helper off (no FTP service is exposed).
set ftp disabled=yes
# Management plane: telnet/ftp/api/api-ssl off; www moved to port 4444 and,
# like winbox, limited to the LAN subnet; ssh additionally open to one ISP
# support address. The address= limits cover 192.168.88.0/24 only, not the
# 10.8.0.0/24 or 192.168.1.0/24 LAN subnets.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24 port=4444
set ssh address=192.168.88.0/24,202.22.229.166/32
set api address=202.22.224.14/32,2407:4a00:0:f00d::cafe/128 disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ipv6 address
# Poolv6 is created dynamically by the DHCPv6 prefix-delegation client
# below; the pool was absent when this export was made, hence the markers.
# address pool error: pool not found: Poolv6 (4)
add advertise=no from-pool=Poolv6 interface=ether1
# address pool error: pool not found: Poolv6 (4)
add from-pool=Poolv6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=FTTH pool-name=Poolv6 request=prefix
# ISP support ranges (unconditional input access, as for IPv4) and the
# bad_ipv6 list of addresses that must never appear as src/dst of forwarded
# traffic.
/ipv6 firewall address-list
add address=2407:4a00:0:f00d::cafe/128 comment="serveur MLS" list=support
add address=2407:4a00:0:173::/64 comment="SAV MLS" list=support
add address=2407:4a00:0:171::/64 comment="RD MLS" list=support
add address=2407:4a00::224:232:7/128 comment="Serveur Dude" list=support
add address=::/128 comment="unspecified address" list=bad_ipv6
add address=::1/128 comment=lo list=bad_ipv6
add address=fec0::/10 comment=site-local list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=ipv4-mapped list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only" list=bad_ipv6
add address=2001:db8::/32 comment=documentation list=bad_ipv6
add address=2001:10::/28 comment=ORCHID list=bad_ipv6
add address=3ffe::/16 comment=6bone list=bad_ipv6
add address=::224.0.0.0/100 comment=other list=bad_ipv6
add address=::127.0.0.0/104 comment=other list=bad_ipv6
add address=::/104 comment=other list=bad_ipv6
add address=::255.0.0.0/104 comment=other list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="accept from support" src-address-list=\
    support
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Duplicate of "accept from support" two rules above.
add action=accept chain=input comment="From support" src-address-list=support
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
# port= (not dst-port=) matches the range as either source or destination.
add action=accept chain=input comment="accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=accept chain=input comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
# Input default-deny for non-LAN sources.
add action=drop chain=input comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment=\
    "accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 forward chain, non-LAN IPv6 is dropped here unless it was
# explicitly accepted above (ICMPv6, HIP, IKE, IPsec), so no inbound IPv6
# reaches LAN hosts; the bind host is reachable over IPv4 only with the
# rules in this export.
add action=drop chain=forward comment=\
    "drop everything else not coming from LAN" in-interface-list=!LAN
# IPv6 counterpart of the lan-pqt marking for the queue tree.
/ipv6 firewall mangle
add action=mark-connection chain=forward in-interface-list=LAN \
    new-connection-mark=lan6_cnx passthrough=yes
add action=mark-packet chain=forward connection-mark=lan6_cnx \
    new-packet-mark=lan6-pqt passthrough=yes
# Router advertisements do not carry DNS (RDNSS); MTU lowered for PPPoE.
/ipv6 nd
set [ find default=yes ] advertise-dns=no mtu=1480
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+11:00
# Identity is the PPPoE user name, and the "onup" script re-applies it on
# every link-up; it shows up in neighbor discovery (LAN-only here), winbox
# and the ISP check-in. Worth scrubbing when posting exports.
/system identity
set name=clavien417150@mls.nc
/system logging
add topics=wireless
add prefix=FW--> topics=firewall
add prefix=DNS--> topics=dns
/system ntp client
set enabled=yes primary-ntp=202.22.224.18
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
# Nightly unattended package (03:00) and RouterBOOT (03:20) upgrades. The
# attached policy (password, sniff, sensitive, romon, ...) is wider than the
# two upgrade scripts appear to need.
/system scheduler
add interval=1d name=upgrade_os on-event=upgrade_os policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/29/2018 start-time=03:00:00
add interval=1d name=upgrade_rb on-event=upgrade_rb policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/01/2020 start-time=03:20:00
/system script
# "onup" - run by the mls PPP profile when the PPPoE session comes up.
# Waits 20 s, collects uptime, ether1 MAC, RouterOS version, PPPoE user and
# interface name, model, the dst-address of the route via the PPPoE
# interface and the delegated IPv6 prefix (or "nov6"), sets the system
# identity to the PPPoE user name, and POSTs it all to the ISP endpoint over
# HTTPS. NOTE(review): /tool fetch is called without check-certificate=yes;
# RouterOS defaults that to no, so the TLS peer is not verified - confirm.
# owner=*sys and the broad policy suggest the ISP provisioned this script.
add dont-require-permissions=no name=onup owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 20s\r\
    \n:local uptime [/system resource get uptime];\r\
    \n:local macadd [/interface get [find default-name=ether1] mac-address];\r\
    \n:local ver [/system resource get version];\r\
    \n:local name [/interface pppoe-client get number=0 user];\r\
    \n:local wan [/interface pppoe-client get number=0 name];\r\
    \n:local model [/system routerboard get model];\r\
    \n:local gw [/ip route get [find gateway=\$wan distance=0] dst-address];\r\
    \n:local dhcp [/ipv6 dhcp-client get number=0 status];\r\
    \n:if (\$dhcp =\"bound\") do={\r\
    \n:set \$ip6 [/ipv6 pool get [find name=Poolv6] prefix];\r\
    \n} else={\r\
    \n:set \$ip6 \"nov6\";}\r\
    \n/system identity set name=\$name;\r\
    \n:set \$str \"rtrName=\$name&rtrMac=\$macadd&rtrUptime=\$uptime&rtrVersio\
    n=\$ver&rtrModel=\$model&rtrGW=\$gw&rtr6=\$ip6\";\r\
    \n:put \$str;\r\
    \n:do {\r\
    \n:put \"Checking-in\";\r\
    \n/tool fetch mode=https url=https://mtk.mls.nc/clientsmtkX.php keep-resul\
    t=yes dst-path=resultat.txt http-method=post http-data=\$str ;\r\
    \n} on-error={ log warning \"Greeter: Send to server Failed!\" }"
# "upgrade_os" - check-for-updates on the configured channel and install
# (which reboots the router) whenever a new version is reported.
add dont-require-permissions=no name=upgrade_os owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
    \_package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install }"
# "upgrade_rb" - flash newer RouterBOOT firmware when available, then reboot.
add dont-require-permissions=no name=upgrade_rb owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system\
    \_routerboard \r\
    \n:if ([get current-firmware] < [get upgrade-firmware]) do={ \r\
    \n:log info \"Updating firmware\"; \r\
    \nupgrade; \r\
    \n/system reboot;\r\
    \n} else={ \r\
    \n:log info \"No update.\" }"
# "enable_rule_mi_box" / "disable_rule_mi_box" - add/remove forward drops
# for two LAN hosts (192.168.88.124, .126). The enable script has
# dont-require-permissions=yes, i.e. whoever can start it runs it with the
# script's own policy, and that policy includes password, sniff, sensitive
# and romon - far more than adding two filter rules needs. The disable
# script's read,write,policy is the better template for both.
add dont-require-permissions=yes name=enable_rule_mi_box owner=<myname> policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall filter add chain=forward src-address=192.168.88.124 action=dro\
    p comment=\"mibox\"\r\
    \n/ip firewall filter add chain=forward src-address=192.168.88.126 action=\
    drop comment=\"mibox\"\r\
    \n"
add dont-require-permissions=no name=disable_rule_mi_box owner=<myname> policy=\
    read,write,policy source=\
    "/ip firewall filter remove [find comment=\"mibox\"]"
# Interface graphs for the uplink, viewable from the 192.168.88.0/24 subnet only.
/tool graphing interface
add allow-address=192.168.88.0/24 interface=FTTH
add allow-address=192.168.88.0/24 interface=ether1
# MAC-telnet and MAC-winbox only answer on LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

That dstnat rule with action=redirect catches all DNS UDP packets before they can reach the later dstnat rules. You can fix it by changing the order of the rules.

OK, I have moved this rule to the bottom, but still no requests are coming in.

It's hard to read your config as you did not post it as “code”.
Also, next time hide sensitive info like user names.

I guess the problem is the firewall, you have no rule allowing NEW connections on the input chain from outside (which is in theory good!).
But DNS request from outside to the internal DNS server do go into INPUT.
If you want to allow DNS requests from outside (which is what I understood you want to do), you must allow DNS requests from WAN.
But make sure it is only allowing port 53, and nothing else…

Maybe this solves the problem.

Nope, they don’t go in input. If dstnat sends them to another internal machine, they go in forward. And I don’t see anything blocking that. Maybe it’s possible that ISP blocks incoming port 53 to fight with open resolvers. Most people don’t run DNS servers, so they wouldn’t mind. Use either Tools->Torch or logging rules in prerouting, then try some online port tester and see if there are any incoming packets to port 53. Or just check counters on existing dstnat rules.

I thought it was a security risk to allow external access to one's DNS???

Indeed it is if you don’t know what you’re doing :wink:

Hence why I don't do it…

@anav: There’s difference between DNS resolvers and authoritative DNS servers. Resolver is what you as client use (e.g. the one in RouterOS), it tells you e.g. that forum.mikrotik.com has address 159.148.147.239. It’s not good idea to give access to those to whole world, because it can be abused. But resolvers need to get this info from somewhere, and that’s authoritative servers. If you’d have your own domain anavisgreat.tld, you’d need authoritative DNS server where you’d publish that www.anavisgreat.tld can be found at 1.2.3.4. You’d probably use someone else’s server, but you could also run your own. And access to this kind of DNS servers has to be public.

If I was to run an authoritative public DNS server on my network you can be sure I would have
a. an ISP business account with high security or
b. an edge router device as the first stop with all kinds of expensive services LOL.

Hence, I will never run a public DNS server unless Sindy says I have to, to support important work he is doing. :slight_smile:

OK, thanks for the advice. I changed it to code and removed the usernames.

I have added these FW rules without success:

chain=input action=accept protocol=tcp in-interface=FTTH dst-port=53 log=yes log-prefix="DNS-->" 
chain=input action=accept protocol=udp in-interface=FTTH dst-port=53 log=yes log-prefix="DNS-->"

“FTTH” is my public IP

The LOCAL DNS server is reached through the forward chain; the INPUT chain is used only for traffic addressed to the RouterBOARD itself.

All rules must be placed first in each section:

# Suggested forward accepts for the dst-nat'ed DNS traffic. In the posted
# config the only forward-chain drop for WAN is "drop all from WAN not
# DSTNATed", which already passes dst-nat'ed connections, so these mainly add
# logging. <PUBLIC-ADDRESS> / <IN-INTERFACE> are placeholders to fill in.
/ip firewall filter
add action=accept chain=forward dst-address=<PUBLIC-ADDRESS> dst-port=53 \
    in-interface=<IN-INTERFACE> log=yes log-prefix="DNS TCP FWD" protocol=tcp
add action=accept chain=forward dst-address=<PUBLIC-ADDRESS> dst-port=53 \
    in-interface=<IN-INTERFACE> log=yes log-prefix="DNS UDP FWD" protocol=udp

# Same as the existing port-53 dst-nat rules in the posted config, but
# additionally matched on the ingress interface and logged; without
# to-ports the destination port is kept as-is (53).
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=<PUBLIC-ADDRESS> dst-port=53 \
    in-interface=<IN-INTERFACE> log=yes log-prefix="DNS TCP DST-NAT" protocol=tcp to-addresses=192.168.88.7
add action=dst-nat chain=dstnat dst-address=<PUBLIC-ADDRESS> dst-port=53 \
    in-interface=<IN-INTERFACE> log=yes log-prefix="DNS UDP DST-NAT" protocol=udp to-addresses=192.168.88.7