Mikrotik AC3 DNS Resolution Problem

HI All,

I have a really annoying and frustrating problem.
My router:

       routerboard: yes              
        board-name: hAP ac^3         
             model: RBD53iG-5HacD2HnD
     serial-number: F3**********54     
     firmware-type: ipq4000          
  factory-firmware: 6.47.10          
  current-firmware: 7.19.1           
  upgrade-firmware: 7.19.1

DNS Settings:

[admin@MikroTikAc3] /ip/dns> print 
                      servers: 1.1.1.1
                               8.8.8.8
                               8.8.4.4
              dynamic-servers:        
               use-doh-server:        
              verify-doh-cert: no     
   doh-max-server-connections: 5      
   doh-max-concurrent-queries: 50     
                  doh-timeout: 5s     
        allow-remote-requests: yes    
          max-udp-packet-size: 4096   
         query-server-timeout: 2s     
          query-total-timeout: 10s    
       max-concurrent-queries: 100    
  max-concurrent-tcp-sessions: 20     
                   cache-size: 2048KiB
                cache-max-ttl: 5m     
      address-list-extra-time: 0s     
                          vrf: main   
           mdns-repeat-ifaces:        
                   cache-used: 72KiB

I have a BIND9 DNS server on the internet.
And I have a dynamic zone, meaning that the zone is updated by nsupdate. This is a kind of dynamic DNS service.

But my host cannot be resolved via my Mikrotik router:

It works with the public (Google) DNS service:

dig @8.8.8.8  test.dyn.vincze.work

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @8.8.8.8 test.dyn.vincze.work
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test.dyn.vincze.work.          IN      A

;; ANSWER SECTION:
test.dyn.vincze.work.   60      IN      A       192.168.0.10

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Jun 18 13:47:16 CEST 2025
;; MSG SIZE  rcvd: 65

Hint: I know that the “192.168.0.10” IP address is private, but the situation is the same with public IP addresses.

But using my Mikrotik router’s IP address:

dig @172.16.0.1  test.dyn.vincze.work

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @172.16.0.1 test.dyn.vincze.work
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.dyn.vincze.work.          IN      A

;; Query time: 75 msec
;; SERVER: 172.16.0.1#53(172.16.0.1) (UDP)
;; WHEN: Wed Jun 18 13:48:24 CEST 2025
;; MSG SIZE  rcvd: 38

This is my SOA record:

dig @8.8.8.8  test.dyn.vincze.work -t SOA

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @8.8.8.8 test.dyn.vincze.work -t SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50990
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;test.dyn.vincze.work.          IN      SOA

;; AUTHORITY SECTION:
dyn.vincze.work.        600     IN      SOA     dyn.vincze.work. jvincze84.gmail.com. 2025061749 28800 7200 604800 600

;; Query time: 35 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Jun 18 13:50:00 CEST 2025
;; MSG SIZE  rcvd: 104

I’ve tried flushing DNS and restarting the router, but it did not help.

Here comes my struggle.
Sometimes it works fine (usually after flushing DNS and waiting one or two minutes):

First query (see the timestamp) works (NOERROR):

date && dig @172.16.0.1 mikrotik-gomba.dyn.vincze.work 
Wed Jun 18 01:55:15 PM CEST 2025

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @172.16.0.1 mikrotik-gomba.dyn.vincze.work
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8024
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mikrotik-gomba.dyn.vincze.work.        IN      A

;; ANSWER SECTION:
mikrotik-gomba.dyn.vincze.work. 8 IN    A       91.120.111.242

;; Query time: 0 msec
;; SERVER: 172.16.0.1#53(172.16.0.1) (UDP)
;; WHEN: Wed Jun 18 13:55:15 CEST 2025
;; MSG SIZE  rcvd: 64

But after less than a minute (NXDOMAIN):

date && dig @172.16.0.1 mikrotik-gomba.dyn.vincze.work 
Wed Jun 18 01:55:32 PM CEST 2025

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @172.16.0.1 mikrotik-gomba.dyn.vincze.work
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10041
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mikrotik-gomba.dyn.vincze.work.        IN      A

;; Query time: 47 msec
;; SERVER: 172.16.0.1#53(172.16.0.1) (UDP)
;; WHEN: Wed Jun 18 13:55:32 CEST 2025
;; MSG SIZE  rcvd: 48

I don’t have to say that I did not modify anything between the two requests.

I don’t understand what’s happening.

Every help would be appreciated.

Br,
Janos Vincze

Hi All,

It seems I’ve successfully resolved the issue.
The problem was that my secondary DNS server did not receive the zone update, thus it was unable to resolve the host.

Best regards,
Janos Vincze
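The root cause above explains the on/off behaviour in the first post: a resolver (the router’s upstreams 1.1.1.1 / 8.8.8.8, and the router cache in front of them) picks any one of the zone’s NS servers per query, so the primary answers NOERROR while the secondary that missed the update answers NXDOMAIN, and whichever answer arrives first is cached until its TTL runs out. The check a practitioner wants in this situation is to ask every authoritative server directly, bypassing every forwarder, and compare SOA serials and the record itself. The script below is an added example, not code from the thread, from MikroTik or from BIND; the server names `primary.example.net` / `secondary.example.net`, the secondary’s stale serial and the sample answers are constructed, while the serial 2025061749 and the SOA line come from the posted output. The live-query path shells out to `dig`, the tool used in the thread.

```python
"""Added example: cross-check every authoritative name server of a dynamic
zone so a secondary that missed a zone update shows up directly, instead of
as intermittent NXDOMAIN from a forwarding resolver.  Not MikroTik or BIND
code; server names and the sample responses below are constructed."""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class NsView:
    """What one authoritative server said about the zone and one hostname."""
    ns: str
    serial: Optional[int]   # None: no usable SOA answer (SERVFAIL, timeout, refused)
    answers: tuple          # A records returned for the hostname, () if none


def parse_soa_serial(short_output: str) -> Optional[int]:
    """Extract the serial from `dig +short SOA <zone>` output, which prints
    'mname rname serial refresh retry expire minimum' on a single line."""
    fields = short_output.split()
    if len(fields) < 7 or not fields[2].isdigit():
        return None
    return int(fields[2])


def compare_views(views: Sequence[NsView]) -> dict:
    """Return the newest serial seen, the servers behind it (or unreachable),
    and the servers that gave no answer for the hostname.  A non-empty
    'lagging' or 'no_answer' list means a resolver that happens to pick that
    server returns NXDOMAIN for a name the primary already knows."""
    serials = [v.serial for v in views if v.serial is not None]
    newest = max(serials) if serials else None
    lagging = sorted(v.ns for v in views if v.serial is None or v.serial < newest)
    no_answer = sorted(v.ns for v in views if not v.answers)
    consistent = (not lagging and not no_answer
                  and len({v.answers for v in views}) <= 1)
    return {"newest_serial": newest, "lagging": lagging,
            "no_answer": no_answer, "consistent": consistent}


def dig_short(name: str, rtype: str, server: str, timeout: int = 3) -> str:
    """Run `dig +short +time=N +tries=1 @server name rtype` and return its
    stdout; empty string if dig is missing, fails or times out."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1",
           f"@{server}", name, rtype]
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def collect_views(zone: str, hostname: str,
                  nameservers: Sequence[str]) -> List[NsView]:
    """Query each authoritative server directly, with no forwarder in between,
    so the comparison is not blurred by anyone's cache."""
    views = []
    for ns in nameservers:
        serial = parse_soa_serial(dig_short(zone, "SOA", ns))
        answers = tuple(sorted(dig_short(hostname, "A", ns).split()))
        views.append(NsView(ns, serial, answers))
    return views


# Constructed sample: the thread's situation as seen per server.  The serial
# 2025061749 is the one in the posted SOA; the server names and the
# secondary's stale serial are assumptions for illustration.
SAMPLE_VIEWS = (
    NsView("primary.example.net", 2025061749, ("192.168.0.10",)),
    NsView("secondary.example.net", 2025061740, ()),
)

if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) == 4:  # usage: script.py ZONE HOSTNAME ns1,ns2,...
        views = collect_views(sys.argv[1], sys.argv[2], sys.argv[3].split(","))
    else:
        views = list(SAMPLE_VIEWS)
    print(json.dumps(compare_views(views), indent=2))
```

Run it with the zone, the failing hostname and the comma-separated NS hostnames from `dig NS <zone>`; with no arguments it evaluates the constructed sample, where the secondary is flagged both as lagging on the serial and as giving no answer. When a secondary is flagged, the BIND-side things to verify are that the primary sends NOTIFY to it and that the secondary accepts zone transfers from the primary; until it catches up, the router’s cache-max-ttl of 5m is the longest a negative answer should stick on the router itself.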