The router has been updated regularly. It’s one of at least a dozen MikroTik routers on the local network, including a L009UiGS-2HaxD. The local network has redundant uplinks. Routers downstream update properly via this router. The rest of the routers have updated normally.

This router has become stuck at 7.21.3. It has been powered down completely a couple of times, but the the fault remains. DNS has been reconfigured to a single external DNS server, with no effect. As far as I remember there have been no config changes since it was upgraded to 7.21.3. I’ve cleared its cache.

It behaves as if the DNS subsystem is corrupted.

[netadmin@coreb-MikroTik] /system/package/update> print
channel: stable
installed-version: 7.21.3
status: ERROR: could not resolve dns name (timeout)
[netadmin@coreb-MikroTik] /system/package/update>

[netadmin@coreb-MikroTik] /tool> /resolve
domain-name: google.com
failure: dns server failure

DNS config:

[netadmin@coreb-MikroTik] /ip/dns> print
servers: 1.1.1.1

             use-doh-server:        
            verify-doh-cert: no     
 doh-max-server-connections: 5      
  oh-max-concurrent-queries: 50     
                doh-timeout: 5s     
      allow-remote-requests: yes    
        max-udp-packet-size: 4096   
       query-server-timeout: 2s     
        query-total-timeout: 10s    
     max-concurrent-queries: 100    

max-concurrent-tcp-sessions: 20
                 cache-size: 2048KiB
              cache-max-ttl: 1w
    address-list-extra-time: 0s
                        vrf: main
         mdns-repeat-ifaces:
                 cache-used: 49KiB

There is no issue with reaching the internet from this router

netadmin@coreb-MikroTik] /ip/dns> /tool ping 1.1.1.1
SEQ HOST SIZE TTL TIME STATUS
0 1.1.1.1 56 59 1ms750us
1 1.1.1.1 56 59 1ms176us
2 1.1.1.1 56 59 1ms935us
3 1.1.1.1 56 59 1ms960us
sent=4 received=4 packet-loss=0% min-rtt=1ms176us avg-rtt=1ms705us max-rtt=1ms960us

[netadmin@coreb-MikroTik] /ip/dns> /tool traceroute 1.1.1.1
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV

ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV

0 185.154.144.81 0% 10 1.7ms 1.9 1.6 2.3 0.2
1 172.16.3.124 0% 10 5.1ms 3.8 2.4 5.1 1
2 172.16.9.50 0% 10 2.1ms 3.8 2.1 5.3 1
3 162.158.32.40 0% 10 1.5ms 10.2 1.5 46.3 13.6
4 162.158.32.11 0% 10 1.5ms 2.1 1.4 3 0.5
5 1.1.1.1 0% 10 1.4ms 1.4 1 1.8 0.3

Is this a known problem.???

Harry

Hi,

what are the results for

/tool/ping one.one.one.one
/tool/trace one.one.one.one

Does firewall alow router itself to access DNS?
What address is used as source for ping and traceroute?
Have you tried

/tool/ping 1.1.1.1 src-address=x.y.z.t

where x.y.z.t is the WAN address or LAN address?

Yes. Sometimes it helps when you first reboot it and then try again.

(reading again… apparently you already tried that)

Nevermind, you did try:
put [:resolve google.com]

If DNS Is not working, NTP won't also I believe.

What are your DNS settings?

I do not use the NTP server function.

I have a pair of raspberry pi based timeservers that have GPS interfaces as local timeservers, synced to STP services on the internet, and to toe PPS signals from the GPS boards.

the client seems to be ok:

[netadmin@coreb-MikroTik] /system/ntp/client> print
enabled: yes
mode: unicast
servers: 172.25.25.147
172.16.16.187
vrf: main
freq-drift: 1.05 PPM
status: waiting

the waiting is suspicious…

Its peer, which is updated to current OK is not waiting…

netadmin@corea-MikroTik] /system/ntp> client print
enabled: yes
mode: unicast
servers: 172.16.16.187
172.25.25.147
vrf: main
freq-drift: 1.847 PPM
status: synchronized
synced-server: 172.25.25.147
synced-stratum: 1
system-offset: 0.466 ms

Well, I meant the NTP client.

Post your full configuration, maybe there is something seemingly unrelated that creates the issue, you don't have a VRF, right?

Sorry I updated before I saw your message, after a little thought

Can you add /ip/dns export?

Hmmm that looks wrong…

[netadmin@coreb-MikroTik] /system/ntp/client> /ip/dns export

2026-04-12 14:04:46 by RouterOS 7.21.3

software id = IPT1-2WXJ

model = L009UiGS

serial number = HG909HKA4KY

/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
[netadmin@coreb-MikroTik] /system/ntp/client>

add address=192.168.88.1 comment=defconf name=router.lan type=A

That address goes nowhere on the local network.

Not the issue.

Removed the static entry and rebooted.

No change in behaviour

Please remove serial from export, will check your config shortcuts.

Point #21 here:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

Here are the extracted not-disabled filter rules from your output chain:

/ip firewall filter
add action=accept chain=output comment="pass remote syslog traffic to loghost" \
    dst-address=172.25.25.150 dst-port=514 protocol=udp src-address-list=private_address
    
add action=drop chain=output comment=" -ditto-" out-interface=ether1-YouFiber \
    protocol=udp src-port=443
    
add action=drop chain=output comment=" -ditto-" out-interface=ether1-YouFiber \
    protocol=udp src-port=80
    
add action=accept chain=output comment="accept established,related" \
    connection-state=established,related
    
add action=accept chain=output comment="Pass OSPF traffic" \
    dst-address-list=ospf_traffic protocol=ospf
    
add action=accept chain=output comment="allow new connections from internal addresses" \
    connection-state=related,new src-address-list=shoka.net-addresses
    
add action=accept chain=output comment="outbound to YouFiber" \
    connection-state=established,related,new,untracked out-interface=ether1-YouFiber \
    src-address-list=private_address
    
add action=accept chain=output protocol=icmp

add action=drop chain=output

You have a default drop policy on the output chain. Now let's look at the accept rules on this chain, there is no rules that make it possible for the router to make outgoing connection to remote port 53, UDP or TCP of 1.1.1.1.

• You have one accept rule for dst-address=172.25.25.150 dst-port=514 protocol=udp -> NOT APPLICABLE.

• You have one accept rule for connection-state=established,related -> NOT APPLICABLE for new connections.

• You have one accept rule for dst-address-list=ospf_traffic protocol=ospf -> NOT APPLICABLE.

• You have one accept rule for connection-state=related,new src-address-list=shoka.net-addresses, but the address list shoka.net-addresses is defined nowhere -> NOT APPLICABLE.

• You have one accept rule for connection-state=established,related,new,untracked out-interface=ether1-YouFiber src-address-list=private_address -> NOT APPLICABLE because outgoing connections to 1.1.1.1 will not have source IP in private subnets.

• You have one accept rule for protocol=icmp -> NOT APPLICABLE.

Conclusion: DNS queries to 1.1.1.1 will be dropped by the rule:

add action=drop chain=output

My guess: You once had address list entries for the list shoka.net-addresses that contained your public IP addresses, so it worked back then. Now the address list is gone and your router can no longer make outgoing connections to the internet (save for a couple of exceptions).

Thanks for the analysis.

I have internal name servers that all devices in the net use. In the original (designed) set up those are the only DNS devices that the rest of the network uses. Those names servers are dnsmasq(pihole) → unbound for external addresses, and dnsmasq(pihole) → NSD for internal addresses.

Trying to trace the DNS issue, I replaced the normal internal DNS servers with an external server 1.1.1.1

The issue I’m trying to resolve existed while the system was using the normal path.

I’m old and stupid, and that external DNS block has been in place for ages to stop anything leaking past pihole. I’ve gone back to the intended internal servers. Issue still persists.

Even if you change the DNS server to the internal private address, with your output rules the router still won't be able to make queries (packets with connection-state=new on chain output).

Ignoring the rules with non matching connection-state and port or protocol, you have one accept rule left with non existing address list, and one rule with src-address-list=private_address which is ok if talking to internal addresses, but that rule has non suitable out-interface (being the WAN interface).

In the end only the drop rule at the bottom of the output chain would match.

I’ve reset the DNS servers on this box to my internal DNS servers

I’ve corrected the mis spelled address list names shoka-net vs shoka_net in the firewall rules.

That has changed the problem somewhat.

I can now resolve addresses correctly from the tools menu, The upgrade menu still fails but with a new error. “ERROR:NO INTERNET CONNECTION”

Ping from the tools menu now works, and traceroute takes the You-Fiber path to google.

Clearly I still have an issue, probably a firewall issue.

Unfortunately it’s now late here, and I’m stupid tired, so I’ll have to leave this until tomorrow.

Thanks for the excellent help so far.

Cheers Harry

You're still not allowing the device to connect to Mikrotik's servers to download the update packages

If you're so concerned about the router phoning home (which during an auto-download upgrade you're kind of instructing it to do,) why not just upgrade manually?

As @lurker888 said, your router is still not able to make connections to the outside internet (apart from a few exceptions) with the way your output chain is configured. Now you have access to local DNS server, and ping to the outside work because you explicitly have this rule:

If you are paranoid and don't want the router to make arbitrary connections to the internet, you can do this to limit it to the upgrade function of RouterOS:

Add an address list entry for upgrade.mikrotik.com:

/ip firewall address-list
add address=upgrade.mikrotik.com list=MIKUPDATE

Add an accept rule to the output chain:

/ip firewall filter
add action=accept chain=output \
    dst-address-list=MIKUPDATE dst-port=80,443 protocol=tcp

Make sure to move this new rule above other drop rules on the output chain.