Mikrotik DNS and IPSec

Hi,

We have a central location with multiple branch locations connecting via IPSec. IPSec tunnel works fine, but we would like to use the Mikrotik as a local DNS server at each location.

Logical Network Layout:
Laptop (LT1) - Mikrotik (MT2) - IPSECTUNNEL - Mikrotik (MT1) - DnsServer (DNS1)

Ideal Configuration:
If we set MT2 to use DNS1 as its DNS server and LT1 to use MT2 as its DNS server, DNS queries fail. In this configuration we also tried doing DNS lookups on MT2 in the terminal, and they failed as well.

Not-ideal Configuration:
If we set LT1 to use DNS1 for the DNS server, everything is fine. However, this is not ideal as it adds a significant delay to the DNS lookup and will fail if the IPSec tunnel goes down for some reason.

Debug-Only Configuration:
If we set MT1 to use DNS1 as its DNS server, and MT2 to use the public IP of MT1 as its DNS server, the DNS lookups work. This is not a viable method because it sends the DNS lookups unencrypted over the WAN rather than the IPSec tunnel.

We suspect this is failing in our ideal configuration because IPSec only forwards traffic to the remote LAN if the traffic comes in on the LAN interface on MT2.

Is there any way around this? Can we force the MT2 DNS requests through the IPSec tunnel? Let me know if any part of my description is unclear.

First thing to try would be a source NAT rule to change the source address of the DNS request leaving the Mikrotik to something that will match the policy. According to the packet flow diagram, that should hit the IPSec policy and send it down the tunnel. I’m just not 100% sure that it will catch it.

The other option would be to create another IPSec policy that matches the public IP address of the local MikroTik and the DNS server. That should establish another connection and allow communication that way.

Hello,
You only have to set the "preferred source" in the route from MT2 to MT1 on the MT2 router (and ideally the same thing on the MT1 router); this way it will use the correct IP to use the IPsec tunnel.
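The two approaches suggested in the replies (a route with a preferred source address, and alternatively a source NAT rule for the router's own DNS queries), written out as RouterOS configuration for MT2. This is an added example, not configuration posted in the thread. All addresses are constructed placeholders (MT2 LAN 192.168.2.0/24 with MT2 at 192.168.2.1, MT2 WAN 203.0.113.2 with ISP gateway 203.0.113.254, MT1 LAN 192.168.1.0/24 with DNS1 at 192.168.1.10, MT1 WAN 203.0.113.1), the WAN interface name ether1 is assumed, and the LAN-to-LAN IPsec policy is assumed to already exist on MT2 as shown.

```routeros
# Added example, not from the thread. Constructed addresses:
#   MT2 LAN 192.168.2.0/24 (MT2 = 192.168.2.1), MT2 WAN 203.0.113.2, ISP gw 203.0.113.254
#   MT1 LAN 192.168.1.0/24, DNS1 = 192.168.1.10, MT1 WAN 203.0.113.1
#   WAN interface name ether1 is assumed.

# Existing LAN-to-LAN policy on MT2 (assumed already present, shown for reference).
# Only packets sourced from 192.168.2.0/24 match it, so a query that MT2 sends
# from its WAN address 203.0.113.2 is never encrypted and never reaches DNS1.
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=203.0.113.2 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=require proposal=default

# Option 1 (second reply): a route to the remote LAN with pref-src set to MT2's
# LAN address. Locally generated packets to 192.168.1.0/24 are then sourced from
# 192.168.2.1, match the policy above and are sent through the tunnel.
# The reply recommends the mirror-image route (pref-src=MT1 LAN address) on MT1.
/ip route
add dst-address=192.168.1.0/24 gateway=203.0.113.254 pref-src=192.168.2.1

# Option 2 (first reply): rewrite the source address of MT2's own traffic to the
# remote LAN instead. It must be placed above any masquerade rule, because srcnat
# runs before the IPsec policy check in the RouterOS packet flow; place-before=0
# assumes at least one srcnat rule (e.g. masquerade) already exists.
/ip firewall nat
add chain=srcnat src-address=203.0.113.2 dst-address=192.168.1.0/24 \
    action=src-nat to-addresses=192.168.2.1 place-before=0 \
    comment="MT2-originated traffic to MT1 LAN: source from LAN address for IPsec"

# MT2 as the local resolver for LT1: forward to DNS1 and answer LAN clients.
/ip dns set servers=192.168.1.10 allow-remote-requests=yes

# allow-remote-requests=yes also answers queries arriving on the WAN, so drop
# port 53 on the WAN interface to avoid running an open resolver.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from the Internet"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from the Internet"

# Checks: the policy should show ph2-state=established, and a lookup from MT2's
# own terminal (which failed in the "ideal" configuration) should now succeed.
/ip ipsec policy print
:put [:resolve "example.com"]
```

Only one of the two options is needed; the route with pref-src is the simpler one because it changes how MT2 selects its own source address without adding NAT state, while the src-nat rule is the fallback if a route to the remote LAN is not wanted.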