Multiple DNS server issues

I have a Windows DNS server running for my office VLANs; however, even with allow-remote-requests=no, my RB seems to be intercepting all the traffic. There are no firewall rules that are redirecting DNS traffic.

I have nslookup set to use my windows server DNS, and it works for external sites, but there are no hits on the DNS server (have all the logging options enabled, and verified working from machines not routed through the RB yet).

Ultimately, what I would like to accomplish is

  1. All office VLANs to use Windows DNS server for local domain, without touching RB’s DNS cache if possible.
  2. Guest VLAN to use RB as DNS server (with external DNS server, such as Google’s), with no access to Windows DNS server.

Is this doable?

Thanks in advance

Check DNS settings in your DHCP server (in MikroTik: /ip dhcp network)

That looks like it will help with keeping different DNS servers assigned through DHCP, but ‘/ip dns’, or something, seems to be caching results, and requests don’t even make it to my Windows DNS server. I.e., anyone trying to access our servers can’t resolve their hostnames, only external sites.

/ip dns print
                      servers: 8.8.8.8
              dynamic-servers: 
        allow-remote-requests: no
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 33KiB

I am hesitant to put my local DNS server in there, or making a static DNS entry on the routerboard, since I believe that anyone on the guest VLAN will be able to resolve our server’s hostnames, etc…

You need to do some troubleshooting steps to gain some more information / zero in on the source of the issue.

Are the LAN clients being configured to use the correct server, but the requests just aren’t reaching it?
If so, then SOMETHING must be redirecting the traffic. Period. End of story.
If not, then fix that and try again.

In Mikrotik, make sure that hotspot isn’t turned on anywhere, and check through the dstnat chain of your nat table, which is where dns redirection would happen.
Enabling remote requests is simply the light switch for the DNS cache service - i.e. turning it on and off only enables/disables the service itself, and does not have any effect on packet redirection.

To answer another of your questions: if you use the dns proxy on the Mikrotik, then you cannot selectively block/allow views of your internal server names because
a) the ROS cache is not that sophisticated. It simply proxies and caches requests
b) all requests will appear to come from the Mikrotik so there’s no way on the Windows server to determine which queries come from LAN clients and which come from guest network clients.

If you want to benefit from the Mikrotik’s caching on both networks, the way to do it is to set the Windows DNS service to use the Mikrotik as a forwarding host (i.e. ask the Mikrotik whenever the query is not about one of your local host names) and then set the Mikrotik to use 8.8.8.8 or your ISP’s DNS server or whatever.

Thanks for the detailed response. This helps me a lot, and it is very much appreciated. I’m going to spend as much time as I can today troubleshooting this, but I’ll update this thread as I go through things. Just a couple questions before I get crackin’:

Enabling remote requests is simply the light switch for the DNS cache service - i.e. turning it on and off only enables/disables the service itself, and does not have any effect on packet redirection.

allow-remote-requests is set to no. When I set it to yes, port scans show port 53 open, so I turned it off and am leaving it closed for now. ATM, no DNS is being resolved/cached at all, but I can’t see my DNS server, so that’s first on my ‘fix’ list. Mikrotik pings it fine.

Are the LAN clients being configured to use the correct server, but the requests just aren’t reaching it?

Yup, client PC and cell phone both getting everything from DHCP server running on the VLAN.

In Mikrotik, make sure that hotspot isn’t turned on anywhere, and check through the dstnat chain of your nat table, which is where dns redirection would happen.

I turned it off for now, could be what is causing the inability to reach the DNS server, but not too worried about that yet. I’m considering doing a full export, wiping the routerboard, and putting everything in by hand, now that I have a bit better understanding of what’s going on. Would also be a good ‘study’ opportunity.

To answer another of your questions: if you use the dns proxy on the Mikrotik, then you cannot selectively block/allow views of your internal server names because
a) the ROS cache is not that sophisticated. It simply proxies and caches requests
b) all requests will appear to come from the Mikrotik so there’s no way on the Windows server to determine which queries come from LAN clients and which come from guest network clients.

If you want to benefit from the Mikrotik’s caching on both networks, the way to do it is to set the Windows DNS service to use the Mikrotik as a forwarding host (i.e. ask the Mikrotik whenever the query is not about one of your local host names) and then set the Mikrotik to use 8.8.8.8 or your ISP’s DNS server or whatever.

I’m gonna have to read this over several times, but it sounds like what I was hoping to do isn’t possible based on a). I am thinking I’ll pick up a Raspberry Pi and install PiHole for the guest network (or similar solution). If I leave allow-remote-requests off, and set up the two DHCP servers (office and guest networks) to assign the appropriate DNS server, there shouldn’t be any “crosstalk” between DNS servers, correct?

One more “silly question:” you have verified that the server itself is able to resolve DNS queries, right? As in logged into the server itself, is it able to resolve all DNS queries locally?

Yes, the server has been running in production for years now.

I didn’t have much time to work on this on Friday, but I did find the problem with not being able to access the server. We had a power outage on Wednesday and I lost a static route (not going to make it persistent; it will be removed once I’ve got the routerboard set up correctly).

I did as you recommended and turned off the hotspot. All DNS queries hit the Windows server just fine. As soon as I turn on the hotspot, DNS starts getting cached on the routerboard and requests (presumably) going to 8.8.8.8, which is what I have set in /ip dns.

I found these two rules in /ip firewall nat when the hotspot is active:
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

To test things out, I’ve disabled both, but didn’t get the hotspot login page unless I put in the URL by hand. Once I log in (after manually accessing the login page), DNS requests are going to the Windows server and nothing is caching on the Mikrotik. Unfortunately, I need the login page to come up automatically, so I need to figure out why those NAT rules are needed and find a workaround. If you have any suggestions, I would be very appreciative.

Active hotspot tests
What my tests did confirm: traffic coming in on the hotspot interface is forced to use the built-in DNS, even with allow-remote-requests set to no, while the hotspot is active (assuming the 2 NAT rules above aren’t disabled). Windows server logs show no hits.
Then I did lookups from a PC on another subnet that doesn’t touch the hotspot interface, and none of the lookups are being cached on the routerboard, and the requests are showing up on the windows server.

Just as some additional information, I did a port scan on the hotspot/VLAN’s IP with the hotspot active, and the following ports are open:
53,80,443,3128,64872-64875
Nothing open on the other ports except SSH/winbox on the management VLAN.

With hotspot disabled, port scan on hotspot shows nothing open, as I would prefer things… I understand the need for a web server for logins, but the rest seem like they would be better as optional. I don’t see a way to disable the dns and proxy… I don’t want those.
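The check recommended earlier in the thread (walk the NAT table for anything redirecting port 53), as an added Python example that is not from the thread or from MikroTik: it parses the compact `/ip firewall nat print` form the poster quoted and flags every rule that rewrites the destination of DNS traffic, separating dynamic (service-created, e.g. hotspot) rules from hand-made ones. The sample output and its addresses are constructed; rules 2 and 3 mirror the two hotspot rules quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample of `/ip firewall nat print` output (addresses are made up);
# rules 2 and 3 mirror the two dynamic hotspot rules quoted in the thread.
SAMPLE_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1
 1 X  chain=dstnat action=dst-nat to-addresses=192.168.20.1 to-ports=53 protocol=udp dst-port=53 src-address=192.168.30.0/24
 2 D  chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
 3 D  chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
 4    chain=dstnat action=dst-nat to-addresses=192.168.10.2 protocol=tcp dst-port=80,443
"""

# index, optional flag letters (X/I/D), then key=value tokens
RULE_RE = re.compile(r"^\s*(\d+)\s+((?:[XID]\s*)*)((?:[\w-]+=\S*\s*)+)$")
KV_RE = re.compile(r"([\w-]+)=(\S*)")

@dataclass
class NatRule:
    index: int
    flags: set
    attrs: dict

def parse_nat_print(text):
    """Parse the compact key=value form of RouterOS `print` output into NatRule objects."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:            # header lines such as "Flags: ..." carry no rule
            continue
        flags = set(m.group(2).replace(" ", ""))
        rules.append(NatRule(int(m.group(1)), flags, dict(KV_RE.findall(m.group(3)))))
    return rules

def port_in_spec(port, spec):
    """RouterOS dst-port accepts lists and ranges ("53", "53,5353", "50-60"); empty = any port."""
    if not spec:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def find_dns_redirects(rules):
    """Return every rule that rewrites the destination of port-53 traffic, static or dynamic."""
    findings = []
    for r in rules:
        if r.attrs.get("action") not in ("redirect", "dst-nat"):
            continue
        if not port_in_spec(53, r.attrs.get("dst-port", "")):
            continue
        findings.append({
            "index": r.index,
            "chain": r.attrs.get("chain"),
            "protocol": r.attrs.get("protocol", "any"),
            "dynamic": "D" in r.flags,   # created by a service such as hotspot, not by hand
            "disabled": "X" in r.flags,
            "target": r.attrs.get("to-addresses", "router itself") + ":" + r.attrs.get("to-ports", "53"),
        })
    return findings

if __name__ == "__main__":
    for f in find_dns_redirects(parse_nat_print(SAMPLE_NAT_PRINT)):
        print(f)
```

Paste the real `print` output in place of the sample; a dynamic rule in the hotspot chain confirms the redirection comes from the hotspot service rather than from anything configured by hand.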

DNS proxy is needed because the hotspot name is important. You’ll also find that name pops up in the DNS static entries as a dynamic item. DNS proxy is a subset of the hotspot functionality which is why the service works even when “allow remote requests” is set to no. I’m pretty sure that the non-hotspot networks won’t be answering queries.

Your hotspot network and your internal LAN should be completely separated at layer 2 and up, so that shouldn’t affect the internal workstations and devices. If it does, then perhaps there’s some bleed-over that shouldn’t be there.

Thanks, that helps me understand better.

I’m trying to keep things as seamless as possible for the end user. The requirements are

  1. Guest network to be completely isolated from office network and use guest hotspot (guest SSID)
  2. Office PCs do not need to use hotspot and have access to all servers
  3. Staff laptops can access all servers without any accounting being applied or needing to login (office SSID), but any external traffic gets accounted on radius server.

I was planning on putting the guest hotspots on the access points (once I get the funding to purchase them) to take stress off the main routerboard. I was hoping to get things working for the staff laptops at least on the main routerboard, seeing as I won’t have the new access points for a long time still.

I’m going to see if I can maybe get a cheap hAP to throw in somewhere as a hotspot server or something. Probably best to get back to the drawing board on this problem. Seems this isn’t ‘beginners basics’ :)

Thanks again for the advice