Hi,
I have a question — have you encountered this kind of behavior on a MikroTik?
RouterOS version: 7.20.1
I have a PPPoE connection to my ISP with a public IP address.
Because of PPPoE, I have a mangle firewall rule in the forward chain to adjust the MSS to 1438 (as provided by my ISP).
An IPSec tunnel is established to the main site (headquarters). Behind this IPSec tunnel, there is a DNS server.
On the MikroTik router, I have local DNS enabled, and in the static entries I’ve set up a forward record as follows:
/ip/dns/static add forward-to=to-xxxx-dc match-subdomain=yes name=xxxx.yyyy type=FWD
/ip dns set allow-remote-requests=yes servers=192.168.88.1
/ip dns forwarders
add dns-servers=8.8.8.8 name=Google verify-doh-cert=no
add dns-servers=172.17.10.10 name=to-xxxx-dc verify-doh-cert=no
When I add a static A record in DNS that points to an address behind the IPSec tunnel — it works fine.
However, when I add the following entry:
/ip/dns/static add forward-to=to-xxxx-dc match-subdomain=yes name=xxxx.yyyy type=FWD
it does not work.
I have an identical configuration in another location, and there it works fine.
Also, I can successfully query the remote DNS server behind the IPSec tunnel from the MikroTik network — so the firewall rules definitely allow DNS traffic through the tunnel.
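One way to narrow this down from a client on the LAN is to send the same A query to the router's resolver and directly to the DC behind the tunnel and compare the answers. The script below is an added diagnostic, not part of the original post; it uses the two addresses from the post and assumes a constructed placeholder hostname host.xxxx.yyyy under the FWD entry.

```python
import socket
import struct

ROUTER_DNS = "192.168.88.1"   # MikroTik local DNS (allow-remote-requests=yes)
REMOTE_DNS = "172.17.10.10"   # DC behind the IPsec tunnel (forwarder "to-xxxx-dc")
TEST_NAME = "host.xxxx.yyyy"  # constructed name that should match the FWD entry

def build_query(name, qid=0x1234):
    """Minimal DNS A query with RD=1 in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # offset just past an (optionally compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, [A-record addresses]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def resolve(server, name, timeout=3.0):
    """Send the query over UDP/53; returns (rcode, addrs) or raises on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def constructed_response(name=TEST_NAME, addr="172.17.10.20", rcode=0):
    """Constructed sample answer (not captured traffic) for offline parser checks."""
    q = build_query(name)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + q[12:] + (answer if rcode == 0 else b"")
```

Running `resolve(ROUTER_DNS, TEST_NAME)` and `resolve(REMOTE_DNS, TEST_NAME)` from a LAN host should give the same answer when the FWD entry works; a timeout or NXDOMAIN from the router while the DC answers directly points at the static FWD entry rather than the tunnel or firewall.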