iPhone not resolving static DNS entries

My RB acts as DNS server for my LAN.
It has a few static entries like

/ip dns static
add address=192.168.1.100 name=myhost.mydomain

The name is resolvable by local machines but NOT by wifi-connected iPhones (which say the DNS server is the RB address).

Why is this? Another Apple complication? Any workaround?

Weird. I’ve used a bunch of Apple devices and they work fine with the stub DNS resolver on MikroTik.

dump /export hide-sensitive

It is becoming more and more common to have “DNS rebind protection” that is filtering DNS replies to queries outside your LAN domain but returning a LAN or loopback address.
I don’t know if Apple implements that in their devices. There are routers that implement it in their DNS resolvers. Of course in that case not for static entries, but e.g. when your LAN range is 192.168.88.0/24 and you would query a name like “server.example.com” via the resolver in the router, and the external DNS replies with “IN A 192.168.88.10” that reply would be dropped. For good reasons, as such setups can be used to attack your internal network.
However, RouterOS does not have this feature.

But, it could be that Apple has it in their software as well. Maybe it works when your DNS server sets the proper local domain (in this case mydomain) and so the devices, when doing their DHCP request, know that the local domain is mydomain and then expect names like myhost.mydomain to be in the local network.

Another issue, which affects Google devices, is that sometimes even when you have configured a local DNS server they still access other DNS servers (in that case 8.8.8.8 and 8.8.4.4) for some queries. You can subvert that by setting a dst-nat for DNS queries to other addresses than your router, and redirecting them to your router.

But that still isn’t sufficient because now devices are switching to DoT and, even worse, DoH. Once that is more common, it will no longer be possible to use local static DNS entries.
It is advised to register “mydomain” (I presume this is just a placeholder) in Internet DNS and put the values on an Internet-hosted DNS server instead of in your router. However, that still does not solve the “DNS rebind protection” issue.

Make a NAT rule to capture queries to port 53 and send them to your router.

Make a NAT rule to capture packets sent to any of the well-known DNS servers and send them back to your router via an address list.
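As an added example (not posted by anyone in this thread), here is a RouterOS configuration that combines the suggestions above: hand out "mydomain" as the DHCP search domain so clients treat myhost.mydomain as a local name, and redirect plain DNS queries that LAN clients send to well-known public resolvers back to the router's own resolver via an address list. It assumes the LAN bridge is named "bridge", the LAN is 192.168.1.0/24 and the router's LAN address is 192.168.1.1; the list of public resolvers is an assumption as well and should be extended to whatever your clients actually talk to.

```routeros
# Added example, not from the original thread.
# Assumptions: LAN bridge interface "bridge", LAN 192.168.1.0/24,
# router LAN address 192.168.1.1.

# The router must answer queries from the LAN
/ip dns
set allow-remote-requests=yes

# The static entry from the original post
/ip dns static
add address=192.168.1.100 name=myhost.mydomain

# Hand out the router as DNS server together with the local domain,
# so clients learn that names under "mydomain" are local
/ip dhcp-server network
set [ find address=192.168.1.0/24 ] dns-server=192.168.1.1 domain=mydomain

# Well-known public resolvers that devices may contact directly
# (assumed list; extend as needed)
/ip firewall address-list
add list=public-dns address=8.8.8.8 comment="Google"
add list=public-dns address=8.8.4.4 comment="Google"
add list=public-dns address=1.1.1.1 comment="Cloudflare"
add list=public-dns address=1.0.0.1 comment="Cloudflare"
add list=public-dns address=9.9.9.9 comment="Quad9"

# Redirect plain DNS (UDP and TCP port 53) aimed at those resolvers to
# the router. action=redirect rewrites the destination to the address
# of the interface the packet arrived on, i.e. 192.168.1.1 here.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 dst-address-list=public-dns action=redirect to-ports=53 comment="Force LAN DNS (UDP) through the router"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 dst-address-list=public-dns action=redirect to-ports=53 comment="Force LAN DNS (TCP) through the router"
```

To catch every port-53 query not already addressed to the router, rather than only those to the listed resolvers, replace `dst-address-list=public-dns` with `dst-address-type=!local`. Check that the rules are being hit with `/ip firewall nat print stats`; from a client, a query sent explicitly to 8.8.8.8 (for example `dig @8.8.8.8 myhost.mydomain`) should now return 192.168.1.100. As noted above, this only covers plain DNS: DoT (TCP 853) and DoH (HTTPS) cannot be redirected this way.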

Do you happen to use the .local domain for your static entries? I saw someone mentioned in another thread that Apple only uses mDNS (but not “regular” DNS) to resolve names ending in .local.

Is there a special DNS configured for ad-protection or something?
I could imagine Apple does their own thing here…

If you are using the current version of iOS for your iPhone there is a Privacy setting that you must turn off so that your static address gets accepted.
The Apple setting is called Private Address … turn that off … then on your iPhone turn off wireless and then turn it back on and your static assigned address will work.
Use a private network address on iPhone

If I understand that correctly (it has the well-known void of any technical information, so that technicians cannot check what the manufacturer recommends to the end users, who must not be scared by technical details), this is about IPv6 privacy extensions. It has nothing to do with the question the original poster asked. But maybe with enough persistence information can be found about the “rebind protection” and “enforced DoH/DoT” I discussed before.

I just love a good mystery!

trust mozerd to solve this!
he has to read labels first..

Good catch!
My fault in not being specific (I thought .local was a private domain like any “fantasy” one; instead it is used for different purposes/environments).