new DNS FWD not working

Hi,

I am using DNS forwarding for a specific domain using the well-known srcnat and dstnat rules with a layer 7 regex.

This is working fine, but I want to replace it with the new DNS FWD feature.

I did a simple test that is not working:

[admin@MikroTik] > ip
[admin@MikroTik] /ip> dns
[admin@MikroTik] /ip dns> static 
[admin@MikroTik] /ip dns static> add regexp=".*\\.example\\.com\$" forward-to=10.0.0.1

10.0.0.1 does not exist, so I expected example.com not to be resolved. But it is still resolved.


C:\Users\mode>nslookup example.com 192.168.6.1
Server:  mikrotik.local
Address:  192.168.6.1

Non-authoritative answer:
Name:    example.com
Addresses:  2606:2800:220:1:248:1893:25c8:1946
          93.184.216.34

Any idea why?
DoH is not enabled on the mikrotik.

BR

mode

I suspect the regex itself is wrong.

Putting it into a few online regex testers, the double backslash (\\) causes the backslash to be interpreted literally; using single backslashes allows the . to be evaluated literally, but then the .* at the beginning means example.com itself doesn't match.

.*.example.com$ matches www.example.com but not example.com, at least on regex101.com. I’ve not had an opportunity to test it myself on ROS yet.

Edit: The following appears to match both example.com and www.example.com. It was actually the first \. that meant only subdomains would match, not the naked domain itself:

.*example\.com$

OK, perfect. First you have to flush the DNS cache on the MikroTik when testing.

Then i changed the regex from

.*\.example\.com$

to

.*example\.com$

After this, the domain without a subdomain is affected too. Thanks a lot!

No problem, glad to be able to help.

And, as already known, as soon as you enter a DoH server in the DNS settings, the FWD does not work anymore. Hope that will be fixed soon…

Please note that “.*example.com$” also matches “anotherexample.com”, which is a completely different domain.
You could use something like this:

^(.*\.)?example\.com$

Me too… But after all that time I am not very optimistic on this topic…

Clever idea. So (.*\.) must be found 0 or 1 times?

  • 0 times without a subdomain
  • 1 time with a subdomain

This should be used as the example in the wiki https://wiki.mikrotik.com/wiki/Manual:IP/DNS instead of the “.*\.example\.com$” used there, because the ^ is missing there too.

Exactly.

The example is fine if you expect a subdomain. As any number of any character (.) is matched, there is no point in adding a match on the beginning (^*). You could even drop the former; this does the same:

\.example\.com$
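The posts above disagree about what each of these regexps actually forwards, so here is an added example (not part of the thread and not RouterOS code) that runs the four patterns discussed, the wiki's `.*\.example\.com$`, the looser `.*example\.com$`, the anchored `^(.*\.)?example\.com$` and the short `\.example\.com$`, against a constructed list of query names. It assumes RouterOS applies the regexp with search semantics (an unanchored match anywhere in the name), which is what the thread's need for ^ and $ implies; Python's `re.search` reproduces that for these simple patterns.

```python
import re

# The four forward-to regexps discussed in this thread, as raw Python strings
# so the backslashes reach the regex engine unchanged (in the RouterOS CLI the
# same characters must additionally survive RouterOS's own string quoting).
PATTERNS = {
    "wiki":      r".*\.example\.com$",      # wiki example: subdomains only
    "loose":     r".*example\.com$",        # OP's fix: also hits anotherexample.com
    "anchored":  r"^(.*\.)?example\.com$",  # bare domain and subdomains, nothing else
    "subdomain": r"\.example\.com$",        # same result as "wiki" under search semantics
}

# Constructed query names for the demonstration (not from the original post).
NAMES = [
    "example.com",
    "www.example.com",
    "a.b.example.com",
    "anotherexample.com",    # a different domain that merely ends in example.com
    "example.com.evil.net",  # shows why the trailing $ matters
    "example.org",
]


def matches(pattern: str, name: str) -> bool:
    """Assumption: RouterOS matches the regexp anywhere in the queried name
    (search semantics), which is why ^ and $ are needed at all; re.search
    reproduces that. The name is lowercased because DNS is case-insensitive."""
    return re.search(pattern, name.lower()) is not None


def forwarded_by(key: str) -> list[str]:
    """Names from NAMES that the pattern called `key` would forward."""
    return [n for n in NAMES if matches(PATTERNS[key], n)]


def overmatches(key: str) -> list[str]:
    """Names forwarded by `key` that are NOT example.com or a name under it,
    i.e. queries that would leak to the forward-to server by mistake."""
    legit = PATTERNS["anchored"]
    return [n for n in forwarded_by(key) if not matches(legit, n)]


if __name__ == "__main__":
    for key in PATTERNS:
        print(f"{key:10s} {PATTERNS[key]:22s} -> {forwarded_by(key)}")
        if overmatches(key):
            print(f"{'':33s} overmatches: {overmatches(key)}")
```

Running it shows that only the anchored form forwards exactly example.com and its subdomains, that the loose form also forwards anotherexample.com, and that the wiki form and the bare `\.example\.com$` behave identically (both skip the naked domain). Whichever form you pick, remember the earlier note in the thread: flush the RouterOS DNS cache before retesting, or a cached answer will hide the change.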

It would have been so nice if MikroTik did it the same way as everyone else does. Simply let users say that example.com and everything under it should be forwarded to a selected server or servers, for redundancy, without completely unnecessary regexps, let it play along with DoH, etc. I’m a huge fan of RouterOS, but some of their decisions are really weird. Still, even the current state is at least a step in the right direction. Hopefully it’s not the last one.

I was investigating that specific issue and I’m running 7.6, so I think it is still current, is it?

Static FWD entries do not work together with DoH. Yes, I learned that the hard way too. This MT DoH is indeed acting weird. It forwards all DNS requests to the upstream DoH server, even if static DNS entries exist locally in ROS. Most of my static entries do work, because my upstream DNS (nextdns) can’t resolve “home.arpa” domains. Really weird, and I can’t see a reason why they are handling it this way.

http://forum.mikrotik.com/t/static-dns-fwd-entries-using-doh-not-working/165913/1