IPv4 only network DNS issues with mobile devices

Gomo · July 24, 2021, 4:01pm

Hello all!

I’m new to this community and MikroTik products in general. I’ve decided to go with a “RB4011iGS+5HacQ2HnD-IN” since my IPS router started annoying me.
To keep this short as possible, I have a public static IPv4 address and a IPv4 /24 home network where all my devices are connected. MikroTik router has one DHCP server defined (pretty basic setup) which is handing out IPs to all the devices. As for the DNS, I have 2x Raspberry Pi’s (for redundancy purposes) with Pihole running on them. Pihole is set-up to use Cloudflare as a DNS.

This is all working very well, except for the smartphones .. they seem to be bypassing the Pihole and I get no ad blocking on them. I believe that this is due to the mobile devices assigning themselves an IPv6 address (via SLAAC) and using AAAA DNS → they get no IPv6 DNS server info from the router since it’s a IPv4 network. And then the default DNS (from what I saw via torch, 8.8.8.8) is used for queries.

Pihole DNS settings

Primary Pihole and secondary Pihole

Does anyone know a good & clean way to solve this problem? I wouldn’t want to enable IPv6 on the router & Piholes just to filter AAAA DNS queries. And as previously stated, from what I noticed only mobile devices are causing these “problems”.

Thanks in advance!

biomesh · July 24, 2021, 5:46pm

To prove your theory, disable mobile data on the phone to see what happens.

You should really post your export so everyone can see the whole config.

Gomo · July 24, 2021, 6:10pm

Aren’t the torch results enough? It clearly shows queries towards google DNS inside of the local network. Why would mobile data traffic show on the router??

biomesh · July 24, 2021, 6:24pm

Devices don’t have to use DHCP assigned DNS - Chromecast devices for instance only use 8.8.8.8.

You mentioned slaac assigned by the mobile connection.

I was following your assumption and trying to verify the the source.

If you want better answers with out a lot of guessing, post your export (with hide-sensitive=yes).

Gomo · July 24, 2021, 9:58pm

Noone said it was “assigned by the mobile connection”, the smartphone uses slaac to assign itself an IPv6 in the local network. This is not the case just with my phone (huawei p40 pro), the same behaviour was observed with 3 others as well (2x Huawei & 1x Xiaomi). Iphone 11 for example does not do that.

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
/ip dns
set servers=192.168.100.2,192.168.100.3

biomesh · July 24, 2021, 10:09pm

I don’t know why the phones would do this(have not seen this on phones at least). You are best off using a dst nat rule that redirects port 53 traffic to your pi hole servers. I use a rule like this to point to my local resolvers that then use doh.

Gomo · July 24, 2021, 11:33pm

Following did the trick:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.100.2 protocol=udp src-address=!192.168.100.2 dst-address=!192.168.100.2 dst-port=53 in-interface=bridge
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=192.168.100.0/24 dst-address=192.168.100.2 dst-port=53

Just not sure how to make this solution redundant .. since I use 2x Piholes and now everything is being sent to the x.x.x.2 Pihole, and the x.x.x.3 is just sitting pretty.
If the Pihole Nr.1 (192.168.100.2) goes offline, I will have no working DNS in my network. Any tips?

rextended · July 24, 2021, 11:40pm

Try to instead of redirect,
drop on firewall filter forward the direct connections from “pool of smartphone ip” to the IP 8.8.8.8 and 8.8.4.4
On this way probably the device must be forced to use internal provided IP from DHCP Server

Gomo · July 25, 2021, 12:01am

Would like to give it a try, just not sure about the rule (since I'm new to MikroTik)
Would it look something like this?

/ip firewall nat add protocol=udp dst-port=53 dst-address=8.8.8.8 action=drop

Not sure how to add both destination addresses, and also I would do it for the whole subnet because otherwise I'll have to either set-up 2 DHCP servers or manually sort smartphones / assign them static IPs in a specific range. I think ..

biomesh · July 25, 2021, 12:55am

Your rules only cover udp, so don’t forget the tcp rules for DNS (not as common as udp).

I don’t know if any failover scenario other than using bgp and creating an anycast address to be used by DNS.

You would use bird on the pihole devices for bgp.

In the dst-nat rule you would use the anycast address.

rextended · July 25, 2021, 6:43am

I mean this, not on NAT but on fiilters:

6.6.6.6 is the smartphone IP just for do the test

/ip fire filter
add action=drop chain=forward dst-address=8.8.8.8 dst-port=53 protocol=tcp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.8.8 dst-port=53 protocol=udp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.4.4 dst-port=53 protocol=tcp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.4.4 dst-port=53 protocol=udp src-address=6.6.6.6

Gomo · July 25, 2021, 8:26am

Yap, it works well!

I’ll change it now so that it’ll be valid for whole /24 network. Thanks for the help!