I am setting up an internal domain, testlab.local.
I tried using an NS record instead of FWD; however, it does not work. There is no resolution and I get an NXDOMAIN.
My setup -
Mikrotik Interface → WAN + LAN 10.10.1.0/24 [for all LAN and Wifi devices, dhcp and dns] + Private 10.11.1.0/24 [Virtual Machines running Windows Servers].
Private Network resolves to the DNS of Mikrotik 10.10.1.1. Mikrotik has DNS static entry [“testlab.local”] → FWD → pdc.testlab.local [10.11.1.1] / bdc.testlab.local [10.11.1.2]. This works, just that DNS resolution from any device on LAN or Private network is slow. If the static FWDs are disabled, DNS resolution on LAN is very quick; however, it loses resolution to testlab.local.
I tried to change the FWD record to an NS record and it does not resolve testlab.local.
Is there a way to resolve/configure this correctly?
NS records don’t seem to be working, tested in v7.6
As a workaround, I ended up using this FWD entry with regexp.
Simply type the zone name in the regexp field, put ^* at the very start, put $ at the end, escape every dot with ** and it works like an NS record would (don’t add the trailing root dot or it won’t work).
If you don’t want to risk accidentally including a domain that ends the same as yours (for example, you want to FWD “example.com” but there’s an actual internet domain called “livingbyexample.com”), you will instead have to make 2 of these entries, one starting with ^ and another starting with ^*.
Still not as good as an NS record though, since this can only forward to IP addresses instead of domain names.
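The two-entry regexp workaround above, as an added example that is not from the original thread: it builds the anchored patterns for a zone (assuming the intended escape is a backslash and that RouterOS matches the queried name against the whole pattern, as Python's re does for these anchored expressions) and checks which names a single catch-all entry would wrongly forward versus the stricter pair.

```python
import re


def escape_zone(zone: str) -> str:
    """Escape every dot so it matches literally; the trailing root dot is dropped."""
    return zone.rstrip(".").replace(".", r"\.")


def build_fwd_regexps(zone: str, strict: bool = True) -> list[str]:
    """Regexps for RouterOS '/ip dns static' FWD entries covering a zone.

    strict=False: one catch-all entry  ^.*zone$   (also matches livingbyexample.com)
    strict=True:  two entries          ^zone$ and ^.*\\.zone$   (apex + real subdomains only)
    """
    z = escape_zone(zone)
    if not strict:
        return [f"^.*{z}$"]
    return [f"^{z}$", f"^.*\\.{z}$"]


def is_forwarded(regexps: list[str], name: str) -> bool:
    """Emulate the router choosing a static entry whose regexp matches the query name."""
    n = name.rstrip(".").lower()
    return any(re.search(r, n) for r in regexps)


def audit(zone: str, names: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each name return (forwarded by catch-all entry, forwarded by strict pair)."""
    loose = build_fwd_regexps(zone, strict=False)
    strict = build_fwd_regexps(zone, strict=True)
    return {n: (is_forwarded(loose, n), is_forwarded(strict, n)) for n in names}


if __name__ == "__main__":
    # Constructed sample queries: the zone apex, a host in it, and look-alike names.
    sample = ["example.com", "pdc.example.com", "livingbyexample.com", "example.com.other.test"]
    for name, (loose_hit, strict_hit) in audit("example.com", sample).items():
        print(f"{name:28} catch-all={loose_hit!s:5} strict-pair={strict_hit}")
```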
I think that you may have wrong expectations regarding static NS records in RouterOS. If you do e.g.:
/ip dns static
add type=NS name=xxx.test ns=a.ns.yyy.test
Then this works:
# host -t NS xxx.test 192.168.80.183
Using domain server:
Name: 192.168.80.183
Address: 192.168.80.183#53
Aliases:
xxx.test name server a.ns.yyy.test.
And that’s all it’s supposed to do. If you expect that the router itself would forward queries for anything.xxx.test to a.ns.yyy.test, then nope, that’s not the plan; it’s what FWD records are for:
/ip dns static
add type=FWD name=xxx.test forward-to=a.ns.yyy.test match-subdomain=yes
I’d avoid regexp, it was needed in older versions before they added match-subdomain option, but there’s no need to use it now, unless you need something special.
In my case the DNS server is within the same domain I’m trying to point the NS record to, so your example is missing the A record to actually achieve the redirect. This technique is called a “glue record”.
Not sure why this wouldn’t work in RouterOS, since it seems to be doing all the basic stuff normal authoritative DNS servers do.
Thanks for the match-subdomain tip; I see it is CLI only, which is why I didn’t notice it before.
Also, FWD entries seem to not work with DoH enabled… real bummer.
It’s definitely not an authoritative DNS server (I know that you didn’t exactly write that); it’s a simple caching forwarding resolver that can override some records, nothing more. Some things are inconsistent, e.g. FWD not working with DoH, as you discovered, but it’s not the only one. It also seems to lack any plan where it’s going. It’s getting better, but very slowly; it’s clearly low priority for Mikrotik.
As for glue, I’d expect it to work, meaning that it would make sense, because something like ns.domain.tld is a more specific record than domain.tld, so it should have priority; that’s how DNS normally works. But not in current RouterOS. Although, if you’d be using glue, which is static, you might as well use the IP address directly, so it shouldn’t be a problem.