IP DNS QUESTION

What is the practical difference between

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=10.44.44.1,1.1.1.1
/ip dns
set allow-remote-requests=yes

AND
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.44.44.1,1.1.1.1

AND
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=no-server
/ip dns
set servers=10.44.44.1,1.1.1.1

AND
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 dns-server=no-server
/ip dns static
add address=10.44.44.1 type=A
add address=1.1.1.1 type=A

  1. The DHCP server will advertise 10.44.44.1 and 1.1.1.1 as DNS servers to the clients. Clients will use the advertised IPs to try and resolve domain names directly. No cache will be saved in the router.

  2. The DHCP server will advertise 192.168.88.1 (itself) as a DNS server to the clients. Clients will use the router’s IP to try and resolve domain names. The router itself will receive the DNS request, and if it does not have the answer in its cache, it will forward the request to its DNS servers, which are 10.44.44.1 and 1.1.1.1. Then, it will save the response in its cache and send the reply to the client that made the request.

  3. Since dns-server="", the DHCP server will advertise the DNS servers from ip dns servers=10.44.44.1,1.1.1.1. Clients will use the advertised IPs to try and resolve domain names directly. No cache will be saved in the router.

  4. I’m not sure, but I think it will not work. In this case, no DNS server will be advertised to clients, so they will not be able to resolve domain names.


    I personally use the second approach. My router has the following DNS servers configured: 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, and 9.9.9.9.
    All devices connected to my network receive the router’s IP from the DHCP server as DNS server, which in my case is 10.0.0.1. If the request is already in my router’s cache, the response to the client is instant. If it is not in the cache, my router requests the response from one of the configured DNS servers, saves it in its cache, and then sends it to the client.

Thanks for the reply, very clear!

Two questions:
What dependency do any of the working options 1-3 have on the users being able to reach the router services on port 53?

How does the router know if a DNS address is not available?

  1. I'm not sure what you are asking / what you mean (English is not my main language).

  2. I think that, for example, if the router tries to send a DNS query to 10.44.44.1 and it times out, it tries the next DNS server, 1.1.1.1, and so on. That is just an assumption. I don't know if this is really how it works.

So the users in the scenarios 1,2,3 do not have to have access to the input chain at all for DNS ???

In scenarios 1 and 3, clients don't need any input permission in the firewall, because they will not make any request to the router on port 53 (DNS).
In scenario 2, if you have a firewall in place, you will have to allow the clients' IP range / interface to send input to the router on port 53 UDP, so the router can receive and answer the DNS requests.

This is an example of an "accept" rule in one of the routers I manage:

Any ip that is not present in the “rede-geral-doutoragora” list cannot make dns requests to the router.
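The same idea as the rule described above, written out as an added example (not the poster's actual rule set): in scenario 2 the router answers DNS for its LAN, so the input chain accepts port 53 only from an address list and drops it from everyone else. The list name lan-dns-clients and the defconf LAN 192.168.88.0/24 are assumptions.

```routeros
# Added example, not the poster's configuration. Assumed list name and LAN subnet.
/ip firewall address-list
add list=lan-dns-clients address=192.168.88.0/24 comment="clients allowed to use the router resolver"

/ip firewall filter
# Accept DNS only from listed clients. Rules are evaluated top-down, so move these
# above the default input drop rule (place-before=<rule number>) when adding them.
add chain=input action=accept protocol=udp dst-port=53 src-address-list=lan-dns-clients comment="DNS (UDP) from LAN clients"
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=lan-dns-clients comment="DNS (TCP) from LAN clients"
# Drop port 53 from anyone else. With allow-remote-requests=yes the resolver answers
# on every interface, so without this drop the router is an open resolver on the WAN.
add chain=input action=drop protocol=udp dst-port=53 comment="drop DNS from everyone else"
add chain=input action=drop protocol=tcp dst-port=53 comment="drop DNS from everyone else"
```

Clients in scenarios 1 and 3 never hit these rules, because they query the upstream resolvers directly.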

Super, much thanks.

Are you making the same mistake as beginners?
Ask directly what you need.

In case 1) set allow-remote-requests=yes is completely useless,
and the input port from the LAN must not be opened (which by DEFAULT is only allowed from the LAN)

In case 2) just leave the DEFAULT rules and the LAN devices MUST query port 53 on input.

In case 3) as in case 1) (except that allow-remote-requests=yes was not needlessly set)

In case 4)… but what did you ask of some artificial deficiency?

In all cases, there is a high probability that DNS is completely ignored and the devices use their factory DNS,
such as 8.8.8.8, 8.8.4.4 and other Chinese ones whose IPs I don't remember now, or that they use DoT and DoH,
completely ignoring what is provided by the DHCP server.

In my networks everything is blocked except the Router DNS. So the devices are forced to use what I tell them, and not what the f–k they want.

Understood, I didn't realize that if I had static entries they would be ignored if I set the gateway's DHCP dns-server to none.
It is not clear to me HOW static entries are then advertised to devices???

In other words what is the difference between
dns-server=no-server
/ip dns
set servers=10.44.44.1,1.1.1.1

AND
dns-server=no-server
/ip dns
set allow-remote-requests=yes servers=10.44.44.1,1.1.1.1

AND
dns-server=no-server
/ip dns static
add address=10.44.44.1 type=A
add address=1.1.1.1 type=A

Why does the first one work (no advertisement by the gateway DNS to the users, and with dynamic servers in IP DNS) but in the third case static servers don't? And does the second case mirror the first case except that it allows the router to cache results??

+++++++++++++++++++++++++++++++++++++++

Secondly, my concern was to apply knowledge of a simple case of one subnet with two choices local internet or wireguard internet and ensuring that while on wireguard internet NO DNS leakage occurred through local WAN. Also the scenario requested a manual switch of one choice to the other.
So I settled on:

/routing table
add fib name=useWG

/routing rule
# order of rules is important
add action=lookup-only-in-table src-address=192.168.88.0/24 dst-address=192.168.88.0/24 table=main comment="ensures local traffic not affected"
add action=lookup-only-in-table src-address=192.168.88.0/24 table=useWG

/ip route
add dst-address=0.0.0.0/0 gateway=isp-gateway-ip routing-table=main
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG
# informs router as to the availability of WG server IP
add check-gateway=ping dst-address=10.10.30.1 gateway=wg0 routing-table=main


+++++++++++++++++++++++++++++++

To manually switch users from WireGuard to the local WAN for internet (assumes wg is working fine), simply DISABLE the WIREGUARD INTERFACE.
To manually switch users from the local WAN to WireGuard for internet, simply ENABLE the WIREGUARD INTERFACE.

Besides that, to ensure DNS does not leak, ADD two rules:
/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-addresses=wireguard-provided-DNS-IP
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-addresses=wireguard-provided-DNS-IP

Note: If the wireguard-provided-dns-ip is not within the wireguard subnet, then an additional route would be required.
/ip route
add dst-address=wireguard-provided-dns-ip gateway=wg0 routing-table=main

So in addition to enabling and disabling the interface, when selecting WG for the LAN one also has to enable the two dstnat rules, and vice versa.

Happy you asked?? :slight_smile:
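The two-step manual switch described above (toggle wg0, then toggle the two dstnat rules) can be reduced to one step by letting a script copy the interface state onto the rules. This is an added example, not from the original post; it assumes the interface is named wg0 and that the two DNS dst-nat rules are tagged comment=wg-dns (the first command tags them).

```routeros
# Added example, not from the original post. Assumptions: WireGuard interface wg0,
# and the two port-53 dst-nat rules from the post are the only dstnat rules on port 53.

# Tag the two DNS redirect rules once so the script can find them by comment.
/ip firewall nat
set [find chain=dstnat dst-port=53] comment=wg-dns

# Script: read the disabled flag of wg0 and copy it onto every rule tagged wg-dns.
#   wg0 enabled  -> rules enabled  -> LAN port-53 traffic is redirected into the tunnel
#   wg0 disabled -> rules disabled -> LAN DNS follows the local WAN path again
# (\$ is how a literal $ is written inside a quoted RouterOS string)
/system script
add name=wg-dns-sync source=":local wgOff [/interface get [find name=wg0] disabled]; :foreach rule in=[/ip firewall nat find comment=wg-dns] do={ /ip firewall nat set \$rule disabled=\$wgOff }"

# Poll every 30 s (and once at boot) so the firewall follows a manual toggle of wg0
# within half a minute. "/system script run wg-dns-sync" forces an immediate sync.
/system scheduler
add name=wg-dns-sync interval=30s start-time=startup on-event=wg-dns-sync
```

Between the toggle and the next scheduler run, DNS from the LAN still goes wherever the rules currently point, so run the script by hand right after a manual switch if that window matters.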