Is it possible to set a MikroTik to be the DNS provider for VPN users, acting as the primary DNS server for VPN users and forwarding queries to another DNS server in the network, when that DNS server isn't reachable by VPN users (different network address / no routing between them)?
VPN User 172.16.xx.xx → mikrotik 10.5.x.x (DNS resolver) → Primary DNS in that network 10.4.x.x
Yes, because I can push DNS to VPN users or LAN users. And also, to prevent them from using another DNS, I can redirect port 53 in the firewall / NAT. OK, it seems fine, but..
allow request on and dns server set.
This CHR is also a DNS server for another MikroTik which is outside that network, connected through a GRE tunnel with IPsec.
So the CHR also has the address 172.16.16.1/30 and the second MikroTik has 172.16.16.2/30.
To make sure that the CHR will forward queries I've set on the CHR a DST-NAT with redirect on dst-port=53 to-port=53. So the CHR will resolve queries on its own. I don't want to use action=dst-nat and basically forward all requests to 10.4.0.120, because if that host goes down VPN users from the CHR will lose DNS service. The same goes for the second MikroTik (172.16.16.2): it also has a redirect rule and in /ip dns
Sometimes it loses the ability to resolve names from 10.5.0.120
:put [:resolve iodine]
failure: dns name does not exist
I can't figure it out.
And I also found that when I add a new entry in the DNS server (PowerDNS on Linux) the MikroTik doesn't know the new host's IP. After flushing the cache it works.. It's pointless.
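A RouterOS configuration sketch for the setup described in the post, added here as an example rather than the poster's own config: the CHR answers VPN clients itself and forwards to the PowerDNS host, the fragile dst-nat variant is shown beside the redirect variant, and the cache TTL is capped so new PowerDNS records show up without a manual flush. 10.4.0.120 and the 172.16.x.x VPN range come from the post; the second upstream 10.4.0.121, the 172.16.0.0/16 pool and the "WAN" interface list are assumptions.

```routeros
# Added example, not the original post's configuration.
# Assumed: 10.4.0.121 as a second upstream, 172.16.0.0/16 as the VPN pool,
# an interface list named WAN on the Internet-facing side.

# 1. The router resolves for clients and forwards upstream. Two upstreams so
#    losing one PowerDNS host does not take VPN DNS down with it.
#    cache-max-ttl bounds how long a cached answer survives, so a record
#    changed on PowerDNS is re-fetched without "/ip dns cache flush".
/ip dns set allow-remote-requests=yes servers=10.4.0.120,10.4.0.121 cache-max-ttl=1h

# 2. Fragile variant the post wants to avoid: every query is handed straight
#    to one upstream, so if 10.4.0.120 is down VPN clients lose resolution.
#/ip firewall nat add chain=dstnat src-address=172.16.0.0/16 protocol=udp \
#    dst-port=53 action=dst-nat to-addresses=10.4.0.120 to-ports=53

# 3. Preferred variant: port 53 from VPN clients is redirected to the CHR's own
#    resolver, TCP as well as UDP. src-address keeps the rule off other traffic.
/ip firewall nat add chain=dstnat src-address=172.16.0.0/16 protocol=udp \
    dst-port=53 action=redirect to-ports=53 comment="VPN clients use CHR resolver"
/ip firewall nat add chain=dstnat src-address=172.16.0.0/16 protocol=tcp \
    dst-port=53 action=redirect to-ports=53 comment="VPN clients use CHR resolver (TCP)"

# 4. allow-remote-requests=yes answers anyone who can reach the router, so drop
#    DNS arriving from the WAN side; place these before any broad input accept.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp \
    dst-port=53 action=drop comment="no DNS from the Internet"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=53 action=drop comment="no DNS from the Internet (TCP)"

# 5. Checks from the CHR terminal: resolve the name from the post through the
#    local resolver, look at what the cache holds for it, and clear the cache
#    when testing a freshly added PowerDNS record.
:put [:resolve iodine]
/ip dns cache print where name~"iodine"
/ip dns cache flush
```

The second MikroTik behind the GRE/IPsec tunnel gets the same shape of config with servers=172.16.16.1, so it keeps a working resolver path as long as the tunnel is up.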