MT as DNS server (PIA-vpn) + DoH

Hi, after setting up my MT I also configured MT as a DNS server for all my networks:
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8 verify-doh-cert=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1

In BASE I have some clients running the PIA vpn-client for Linux/Windows. It offers the following options:
(screenshot: dns pia 1.png, the DNS options of the PIA client)
I have selected for now PIA DNS, but I think this will override my setup of MT as a DNS server, am I right?

Which of the available options would you recommend I choose? Or is there even a better way to set up the vpn to have better control of the dns when using the vpn (actually to force my clients to use the MT DNS)?

I guess the option “Use existing DNS” is the one I need to let the vpn run and still use the dns from the MT DNS server.

How can I check the MT is serving the DNS for this client running the pia vpn?

I confirmed that allowing “LAN traffic” in pia vpn has an interface configuration without default gateway. This means that traffic for other destinations will go to the interface with the default gateway (MT).
For the MT local DNS server, as long as it is not configured to use PIA dns servers and allow LAN traffic is enabled, you will go to your local servers (MT router). Wanted to describe this in case anyone is in the same situation.

Now, moving forward, I did also set up DoH following the instructions of my dns provider (nextdns):

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem
/ip dns set servers=""
/ip dns static add name=dns.nextdns.io address=XX.XX.XX.XX type=A
/ip dns static add name=dns.nextdns.io address=XX.XX.XX.XX type=A
/ip dns static add name=dns.nextdns.io address=XX.XX.XX.XX:: type=AAAA
/ip dns static add name=dns.nextdns.io address=XX.XX.XX.XX:: type=AAAA
/ip dns set use-doh-server="https://dns.nextdns.io/myaccount" verify-doh-cert=yes

DoH uses the same port and protocol as used for all HTTPS web traffic (tcp/443). I only have FW rules for tcp+udp/53 traffic. My actual FW rules for DNS traffic in BASE are:

add action=accept chain=input comment="***** LAN users to Services: DNS (tcp)  *****" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="***** LAN users to Services: DNS (udp)  *****" dst-port=53 in-interface-list=LAN log-prefix="DNS (BASE)" protocol=udp

How can I check that DoH is actually working? Since I do not have any specific rule for tcp/443, I am not sure how MT is handling DNS.

Can anyone let me know if I need to add any NAT rules to the ones already in place:

add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp

Maybe these rules?:

chain=dstnat action=redirect protocol=tcp dst-port=53
chain=dstnat action=redirect protocol=udp dst-port=53
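Added example, not from the post above or from MikroTik/NextDNS: a minimal RFC 8484 DoH client in Python that shows what the router puts on tcp/443 once use-doh-server is set (a DNS wire-format query inside an HTTPS POST or a base64url GET parameter), so the upstream DoH endpoint can be checked independently from a LAN host. The endpoint path and the sample response are assumptions and constructed data; replace the account path with your own.

```python
import base64
import ipaddress
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035); qtype 1 = A, 28 = AAAA.
    DoH clients send transaction ID 0 so answers are HTTP-cache friendly (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)      # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(base: str, name: str, qtype: int = 1) -> str:
    """GET form: ?dns=<base64url of the query, padding stripped>."""
    q = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode()
    return f"{base}?dns={q}"

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_answers(msg: bytes) -> list[str]:
    """Return the A/AAAA addresses in a wire-format response; raise on RCODE != 0."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1:
            addrs.append(".".join(str(b) for b in rdata))
        elif rtype == 28:
            addrs.append(ipaddress.IPv6Address(rdata).compressed)
    return addrs

def doh_query(url: str, name: str, qtype: int = 1) -> list[str]:
    """POST the query to a DoH endpoint (needs network; url is an assumed placeholder)."""
    req = urllib.request.Request(url, data=build_query(name, qtype), headers={
        "content-type": "application/dns-message", "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_answers(resp.read())

# Constructed sample response (not captured from any server): example.com A 192.0.2.1,
# with the answer name compressed back to the question at offset 12 (0xC00C).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Calling doh_query("https://dns.nextdns.io/ACCOUNT_PLACEHOLDER", "example.com") from a LAN host tests the upstream path only; whether the router itself uses it is visible in /ip dns print and in its tcp/443 connections to the static dns.nextdns.io addresses.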