Local access by public domain:

RouterOS Beginner Basics
1

Hi everyone!
I have domain e-example.ru and NAT, hitch catches service requests. I can access to e-xample.ru:80 from outside, but when I use the same URL from the local network, I’ve got Domain not found error.
Windows nslookup says that Mikrotik returns public IP instead of local adress.

nslookup e-dnk.ru
DNS request timed out.
    timeout was 2 seconds.
╤хЁтхЁ:  UnKnown
Address:  192.168.1.1

Не заслуживающий доверия ответ:
DNS request timed out.
    timeout was 2 seconds.
╚ь :     e-dnk.ru
Address:  109.68.*.*

Help me, please figure out what happens?

I have following configuration:

  1. Local private network with PC 192.168.1.2 and NAT 192.168.1.3
  2. Domain e-example.ru.
  3. All services (like ssh, http, except RDP) are routed to NAT.
  4. Router is set as DNS server in DHCP config.
  5. DNS has static route e-exmaple.ru → 192.168.1.3
  6. NAT to NAT =) chain=dstnat action=netmap to-addresses=192.168.1.3 protocol=tcp in-interface-list=WAN dst-port=80,5000,5001 log=no log-prefix=“”
  7. chain=dstnat action=netmap to-addresses=192.168.1.3 protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=“”
  8. Here is my DNS config on router:
 ip dns print
                      servers: 8.8.8.8,80.70.224.2,4.4.4.4,80.70.224.4
              dynamic-servers: 
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 30KiB
2

The timeout suggests that not everything is correct.

Can client really communicate with DNS resolver on router? Can’t it be blocked by firewall?

Does client have only one resolver (192.168.1.1) or more?

Does “DNS has static route e-exmaple.ru → 192.168.1.3” mean the following?

/ip dns static
add address=192.168.1.3 name=e-exmaple.ru

(I play along and pretend that I don’t see your real domain :wink:)

3

There are my firewall rules:

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=4w2d chain=input comment="Port scanners to list " protocol=tcp \
    psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=4w2d chain=input comment="NMAP FIN Stealth scan" protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanner" src-address-list=port_scanners
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment=\
    "detect DoS attack(10 connections/ip from internet)" connection-limit=10,32 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="DOS attack protection(50 connections/ip)" \
    connection-limit=50,32 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked in-interface=\
    ether1
add action=accept chain=input connection-state="" dst-port=80,5000,5001 protocol=tcp
add action=accept chain=input comment=SSH dst-port=26 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=netmap chain=dstnat dst-port=80,5000,5001 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.3
add action=dst-nat chain=dstnat disabled=yes dst-port=38008,38443,8008,8443,6690 protocol=tcp to-addresses=192.168.1.3

I assume, that DNS should be available:

add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN protocol=udp

DHCP:

add address-pool=dhcp disabled=no interface=bridge name=dhcp
add add-arp=yes address-pool=poolforWIfi disabled=no interface=bGuest name=dhcpWforWifi
/ip dhcp-server lease
add address=192.168.1.2 always-broadcast=yes client-id=1:* comment=PC mac-address=D8* server=dhcp
add address=192.168.1.3 always-broadcast=yes client-id=1:* comment=DS mac-address=00* server=dhcp
add address=192.168.1.4 client-id=1:* comment="phone" mac-address=00* server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.8.8,4.4.4.4 gateway=192.168.1.1 netmask=24 ntp-server=192.168.1.1 wins-server=192.168.1.3
add address=192.168.80.0/24 dns-server=192.168.80.1,8.8.8.8,4.4.4.4 gateway=192.168.80.1 netmask=24 ntp-server=192.168.80.1

What else could I look to?
Yes, I hide my real ip and domain because I don’t want to get addresses grubbed by some bots.

4

I don’t see clear reason for timeout. As you wrote, DNS on router should be available. If it was me, I’d use packet sniffer and see what exactly happens.

But there’s one thing that won’t work reliably, if you give mix of private and public servers to client (dns-server=192.168.x.1,8.8.8.8,4.4.4.4), there’s no guarantee that the first one will be always used first. So if it happens that client ask public one, it will get the public address.

5

Thank you. I’ll try package sniffer today.
What is the best practice about dns? Probably I should not share public dns in DHCP, and send only 192.168.1.1, when public DNS is only kept in mikrtotik DNS?
I suppose, mikrotik redirects to public dns if it doesn’t have an appropriate record.

6

It’s best to not mix public and private servers (where private have extra/different records not available on public ones). As far as I can tell, resolver in RouterOS works reliably, so it the router is alive, it will be ok. And if router is not alive, client won’t be able to reach 8.8.8.8 and others anyway.

7

I figured one the problem. It’s not mikrotik issue, but driver troubles, when I had switched off VirtualBox adapter - DNS reached and all wors good.

Thank you very much for your attention.