MikroTik local DNS server is unstable?

Hello there,

I have an RB750GR2. I am very satisfied with the device. The router has a fixed IP address on the WAN side (no DHCP client) and on the LAN side also only fixed IP addresses (no DHCP server). But there is one problem I could not solve:

The client PCs use the MikroTik router as a DNS server. That all works. But about 24 hours after the router reboots, DNS resolution for the client PCs stops working. After a restart everything runs again. I’ve searched the forum and tried all the tips, but without success.

What can be the problem? I really do not know anymore. :wink:

I would be glad of any tip that solves the problem.

Many greetings
mikrotik75

Umm… increase the DNS cache size and flush the DNS cache more often. Is your RB getting overheated?

From the computers, what happens if you do an nslookup for anything?

What do you get?

If you switch just the DNS in the MikroTik off and on, does it solve the problem?

I would say that the router has forgotten the DNS server obtained in the DHCP message from the server. It is a bug I reported to MikroTik several times over time, and they fixed it and then broke it again repeatedly. Just set the DNS server in the router manually until they finally solve it. It looks like 6.33 and 6.34rc are somehow fixed regarding this problem.

@capprentice:
The device is cold. As a workaround I can test a scheduled job that deletes the DNS cache.

Yes, I also think that the router has forgotten the DNS server. But I have set the DNS server statically (static WAN IP) and use no DHCP. RouterOS is version 6.33 and the firmware is 3.27. I hope the problem is addressed in the next firmware version.

@hgonzale:
How can I switch the DNS server on/off?

Here is the nslookup:

D:>nslookup www.google.de
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.

What filters are in place in your firewall? Do you have any mangle rule for udp/53 traffic?

I’ve no “mangle rule”, only this:

Here are my filter rules. 200.1.x.x are local or my own VPN peers. The “DA” comments are my own entries:

 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 2    ;;; DA: for coming IPSec VPN-connections
      chain=input action=accept protocol=udp dst-port=500,4500 log=no 
      log-prefix="" 

 3    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 4    ;;; DA: Winbox from remote 200.1.1.0/24
      chain=input action=accept connection-nat-state=!srcnat protocol=tcp 
      src-address=200.1.1.0/24 dst-port=8291 log=no log-prefix="" 

 5    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 6    ;;; DA: block direkt internet for special clients
      chain=forward action=drop src-address-list=block_internet 
      dst-address-list=!own_vpns log=no log-prefix="" 

 7    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

 8    ;;; DA: Connect from 200.1.1.0/24 to 200.1.8.0/24 as forward
      chain=forward action=accept connection-state=new 
      connection-nat-state=!srcnat,dstnat src-address=200.1.1.0/24 
      dst-address=200.1.8.0/24 in-interface=ether1-gateway log=no log-prefix="" 

 9    ;;; DA: Print over VPN-connection
      chain=forward action=accept dst-address=200.1.8.0/24 
      src-address-list=print_over_vpn in-interface=ether1-gateway 
      out-interface=ether2-master-local log=no log-prefix="" 

10    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

11    ;;; default configuration
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1-gateway log=no 
      log-prefix=""

Rule 6 is deactivated!

I’ve updated to 6.33.1 and set the Cache Max TTL to 01:00:00. Now it looks good…
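The RouterOS settings discussed in this thread (upstream resolvers set manually, cache size and Cache Max TTL, switching the DNS service for LAN clients off and on, and a scheduled cache flush), as an added example that is not part of the thread or of any poster's configuration. The upstream addresses 8.8.8.8/1.1.1.1 and the test name www.google.de are placeholders, and the dns-watchdog script is an assumed addition that flushes the cache only when the router's own resolver stops answering.

```routeros
# Added example (RouterOS v6 CLI), not from the thread.
# Upstream resolvers set by hand, as suggested in the thread; the
# addresses are placeholders, use your provider's resolvers.
# cache-size is in KiB; cache-max-ttl uses the same 01:00:00 form as the thread.
/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes \
    cache-size=4096KiB cache-max-ttl=01:00:00

# "Switch the DNS server off/on": stop answering LAN clients, then re-enable.
/ip dns set allow-remote-requests=no
/ip dns set allow-remote-requests=yes

# Watchdog (assumed addition): resolve a test name through the router's
# own DNS client; on failure, flush the cache and leave a trace in /log
# so the 24-hour failure window can be correlated with uptime.
/system script add name=dns-watchdog source={
    :do {
        :local ip [:resolve "www.google.de"]
        :log debug ("dns-watchdog: ok, www.google.de -> " . $ip)
    } on-error={
        :log warning "dns-watchdog: resolution failed, flushing DNS cache"
        /ip dns cache flush
    }
}

# Run the watchdog every 5 minutes; the daily unconditional flush is the
# workaround the thread itself proposes.
/system scheduler add name=dns-watchdog interval=5m on-event=dns-watchdog
/system scheduler add name=dns-daily-flush interval=1d on-event="/ip dns cache flush"

# Verify the result and inspect the cache afterwards.
/ip dns print
/ip dns cache print
```

Check `/log print where message~"dns-watchdog"` after a day of uptime: warnings clustered around the 24-hour mark confirm the resolver, not the clients, is the failing component.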