Problems with hijacking the intranet DNS

The original network was built on a Ruijie Layer 3 switch. The switch had a default route 0.0.0.0/0 to 192.168.252.102, so I bought a CRS309 to bridge the egress network and set up filtering. I changed the route on the Ruijie switch to 0.0.0.0/0 via 192.168.88.1, and then set 0.0.0.0/0 via 192.168.252.102 on the CRS. The other intranet segments have been set up and can access the Internet normally.

The current requirement is that the school needs to run a large-scale exam. Since the exam server is on the external network and behind a CDN, I used the match-subdomain function of DNS to match the domain name suffix and then filtered via dst-address-list. In the NAT chain: chain=dstnat action=dst-nat to-addresses=192.168.252.101 to-ports=53 protocol=udp src-address=0.0.0.0/0 dst-port=53 log=no log-prefix=""

We have about 1,000 people taking the exam, and the maximum number of concurrent connections can reach 10,000+, so the next day I switched to CHR (48 cores, 16 GB memory, queue set to multi-queue-ethernet-default, RPS turned off). However, domain names could not be resolved: pinging any domain name hangs and never resolves successfully.
Later, I changed the NAT rules to 20 per-subnet rules, each like this:
chain=dstnat action=dst-nat to-addresses=192.168.252.101 to-ports=53 protocol=udp src-address=172.22.113.0/24 dst-port=53 log=no log-prefix=""
It worked normally at first, but when students logged in in batches or were answering questions, a large number of requests went unanswered. On checking, I found that 192.168.252.101 (the CHR address) was not responding to the clients' DNS requests.

How should I set this up to ensure that an exam with 1,000 or even 2,000 people runs normally?

/queue type
set 8 mq-pfifo-limit=10
/queue interface
set ether1 queue=multi-queue-ethernet-default
set ether2 queue=multi-queue-ethernet-default
/ip address
add address=192.168.252.101/30 interface=ether1 network=192.168.252.100
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=1m cache-size=204800KiB max-concurrent-queries=20000 max-concurrent-tcp-sessions=20000 max-udp-packet-size=40960 query-server-timeout=20s query-total-timeout=1m40s servers=114.114.114.114,8.8.8.8
/ip dns static
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=chaoxing.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=chaoxing.com type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=reconova.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=reconova.com type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=easemob.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=easemob.com type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=www.time.ac.cn type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=www.time.ac.cn type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=time.windows.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=time.windows.com type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=cn.pool.ntp.org type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=cn.pool.ntp.org type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=aichaoxing.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=aichaoxing.com type=FWD
add address-list=chaoxing forward-to=114.114.114.114 match-subdomain=yes name=ntp.aliyun.com type=FWD
add address-list=chaoxing forward-to=8.8.8.8 match-subdomain=yes name=ntp.aliyun.com type=FWD
add address-list=qyyyfz forward-to=114.114.114.114 match-subdomain=yes name=qyyyfz.com type=FWD
add address-list=qyyyfz forward-to=8.8.8.8 match-subdomain=yes name=qyyyfz.com type=FWD
add address-list=qyyyfz forward-to=114.114.114.114 match-subdomain=yes name=chuangjianweilai.com type=FWD
add address-list=qyyyfz forward-to=8.8.8.8 match-subdomain=yes name=chuangjianweilai.com type=FWD
/ip firewall address-list
add address=172.22.113.0/24 list=jszx
add address=172.22.115.0/24 disabled=yes list=jszx
add address=172.22.116.0/24 disabled=yes list=jszx
add address=172.22.118.0/24 list=jszx
add address=172.22.119.0/24 disabled=yes list=jszx
add address=172.22.120.0/24 disabled=yes list=jszx
add address=172.22.121.0/24 disabled=yes list=jszx
add address=172.22.122.0/24 list=jszx
add address=172.22.127.0/24 disabled=yes list=jszx
add address=172.22.128.0/24 disabled=yes list=jszx
add address=172.22.129.0/24 disabled=yes list=jszx
add address=172.22.130.0/24 disabled=yes list=jszx
add address=172.22.131.0/24 disabled=yes list=jszx
add address=172.22.132.0/24 disabled=yes list=jszx
add address=172.22.136.0/23 list=jszx
add address=172.22.139.0/24 list=jszx
add address=172.22.140.0/24 disabled=yes list=jszx
add address=172.22.141.0/24 disabled=yes list=jszx
add address=172.22.142.0/24 disabled=yes list=jszx
add address=172.22.149.0/24 disabled=yes list=jszx
add address=172.22.151.0/24 disabled=yes list=jszx
add address=172.22.152.0/24 disabled=yes list=jszx
add address=172.22.153.0/24 disabled=yes list=jszx
add address=172.22.154.0/24 disabled=yes list=jszx
add address=39.107.80.219 list=qyyyfz
/ip firewall filter
add action=accept chain=forward comment="allow wireguard" src-address=172.22.114.25
add action=accept chain=forward comment="accept jiketang conn" src-address=172.22.114.196
add action=accept chain=forward comment="allow 114 dns" dst-address=114.114.114.114
add action=accept chain=forward comment="allow google dns" dst-address=8.8.8.8
add action=accept chain=forward comment="allow google dns" dst-address=192.168.252.101
add action=accept chain=forward comment="allow chaoxing conn" dst-address-list=chaoxing src-address-list=jszx
add action=accept chain=forward comment="allow chaoxing conn" dst-address-list=qyyyfz src-address-list=jszx
add action=accept chain=forward comment="allow established related untracked conn" connection-state=established,related,untracked
add action=drop chain=forward comment="drop other conn" connection-state=new protocol=tcp src-address-list=jszx
add action=drop chain=forward comment="drop other conn" protocol=udp src-address-list=jszx
/ip firewall nat
add action=dst-nat chain=dstnat comment="6 floor conn" disabled=yes dst-port=53 protocol=udp src-address=172.22.130.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.131.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.141.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.140.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.132.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat comment="5 floor conn" disabled=yes dst-port=53 protocol=udp src-address=172.22.128.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.129.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.151.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.142.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.120.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.119.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat comment="4 floor conn" dst-port=53 protocol=udp src-address=172.22.113.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=172.22.118.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=172.22.122.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=172.22.115.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=172.22.139.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat comment="3 floor conn" disabled=yes dst-port=53 protocol=udp src-address=172.22.149.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.127.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.116.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.153.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp src-address=172.22.121.0/24 to-addresses=192.168.252.101 to-ports=53
add action=dst-nat chain=dstnat comment="2 floor conn" dst-port=53 protocol=udp src-address=172.22.136.0/23 to-addresses=192.168.252.101 to-ports=53

In this screenshot you can see that the CHR's request reaches the DNS server:
[Screenshot 2024-10-13 105615.png]
But when a client queries the CHR, there is only a request and no response.
Is this due to a DNS setting problem or a RouterOS bug? Is there a way to solve it?
[Screenshot 2024-10-13 110029.png]

I think I found a solution: remove the servers and dynamic servers from the DNS settings. During the exam only the corresponding domain names need to be resolved; the rest do not need to resolve to an IP address.

With this setting, an exam for 2,000 people is no problem, but there was still a little perceptible slowness, so I changed the interface queue to only-hardware-queue. I use an Intel X722 network card, which provides 1536 TX/RX queues. My guess is that only-hardware-queue lets the card's performance be used fully; in manual testing there is no perceptible slowness.

With 12,000+ connection entries, everything works well.

At present my speculation is that it is related to the FWD-type static DNS entries: when the CHR has /ip dns servers=114.114.114.114,8.8.8.8 set, the large number of requests gets mixed in with the other requests, resulting in resolution failure (the FWD entries are also forwarded to 114). Or does the upstream DNS server think I am DDoSing it? Is the number of requests rate-limited?