Offload dns with hotspot.

Essentially I want to offload the dns to another server so that the router isn’t handling dns requests. How can this be done? I’ve seen it mentioned a couple of times, but have seen no examples of how to do it.

Last time I checked, the hotspot walled garden depends on the dns cache to allow access to domains in the walled garden. If you managed to bypass the dns service of the router, the hotspot walled garden would not function. Just a FYI.

According to this MUM it can be done.

http://mum.mikrotik.com/presentations/US10/FelixWindt.pdf

I’m sure it can be done with authorized users, but I’ve no idea how.

It also says it’s possible in the official documentation. We are utilizing mac authentication for our clients as it is.

http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction

I did a bit of experimenting and maybe found a way. Print the dynamic rules and set the redirect for tcp and udp dst-port=53 to “hotspot=!auth”. Mine were rules 2 and 3.

```
/ip firewall nat
print dynamic
set 2 hotspot=!auth
set 3 hotspot=!auth
```

Note it added “hotspot=!auth” to rules 2 and 3.

```
[admin@test] /ip firewall nat> print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

 1 D chain=hotspot action=jump jump-target=pre-hotspot

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp hotspot=!auth dst-port=53

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp hotspot=!auth dst-port=53

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443

 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth

 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth

 8 D chain=hs-unauth action=return dst-address=192.168.0.1

 9 D chain=hs-unauth action=return dst-address=68.99.58.119

10 D ;;; currentIP
     chain=hs-unauth action=return dst-address=68.99.58.116

11 D ;;; oldIP
     chain=hs-unauth action=return dst-address=68.99.58.115

12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80

13 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128

14 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080

15 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443

16 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

17 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

18 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
```

No guarantees.
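A check for the change described in the post above, as an added example that is not part of the original thread: it parses saved `print dynamic` output and lists any port-53 redirect rules that are not limited to unauthenticated clients. The function names are hypothetical, and the `BEFORE` sample is constructed on the assumption that the rules carried no hotspot matcher before the change.

```python
import re

# Rule header: index, optional flags (X/I/D), then a ";;; comment" or properties.
RULE_START = re.compile(r"^(\d+)\s+((?:[XID]\s+)*)(.*)$")

def parse_nat_print(text):
    """Parse '/ip firewall nat print' output into {rule_number: {property: value}}."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Flags:", "[")):
            continue  # skip blank lines, the flag legend and the prompt line
        m = RULE_START.match(line)
        if m:
            current = rules.setdefault(int(m.group(1)), {})
            line = m.group(3)
        if current is None:
            continue
        if line.startswith(";;;"):
            current["comment"] = line[3:].strip()
            continue
        # Remaining text is key=value pairs; comment rules continue on the next line.
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                current[key] = value
    return rules

def dns_redirects_not_scoped(text):
    """Return numbers of port-53 redirect rules that lack hotspot=!auth."""
    return sorted(
        n for n, r in parse_nat_print(text).items()
        if r.get("action") == "redirect" and r.get("dst-port") == "53"
        and r.get("hotspot") != "!auth"
    )

# Constructed sample: rules 2 and 3 before the change (assumed: no hotspot matcher).
BEFORE = """\
Flags: X - disabled, I - invalid, D - dynamic
 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
"""
# Constructed sample: the same rules after the change, plus a commented rule from the post.
AFTER = """\
 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp hotspot=!auth dst-port=53
 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp hotspot=!auth dst-port=53
10 D ;;; currentIP
     chain=hs-unauth action=return dst-address=68.99.58.116
"""
print(dns_redirects_not_scoped(BEFORE), dns_redirects_not_scoped(AFTER))
```

An empty list means every DNS redirect rule in the pasted output is restricted to unauthenticated clients.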

Thank you, I’ll give it a shot Monday.

This method seems to have worked with both simple queues and PCQ queuing. I appreciate it.