I’m trying to use a Website content filtering DNS server in my org but I have a single problem is that when I tried using mikrotik DNS and redirect to the DNS server, it reads only the mikrotik’s IP, I tried playing with the NAT like this :
but still nothing the same mikrotik’s IP is only available in the Log of the DNS Server instead for example the IP 192.168.88.150, so what is the solution for this. I tried using L7 but it didn’t work as I need. also i want to try solving this problem using the router since if it succeeds I will have to use the DNS server in like +300 Pcs all connected to the router, and it’s tiresome and time consuming to change each pc manually.
yes it’s my own DNS it does content web filtering, but i didn’t understand what you mean, it redirects the dns query to my own DNS but the source IP in the DNS’s log are appearing from the mikrotik rather than the pc.
Is it something like Pi-hole filtering the domains and block domains not allowed to return 0.0.0.0 IP-address?
The problem of the addresses in the log of the DNS server is normal. In the eyes of the DNS server the router is talking to him and can’t see the IP address of the client. If you would use an external DNS server it could not sent back a response in that case because it does not know behind which internet connection 192.168.88.150 sits.
To solve this a Proxy is to be used but that is a different story (EDNS).
Your first srcnat rule tells router to masquerade (= change source to router’s address) any connection passing through router, no matter what’s the source or destination. What you request is what you get.
Usually you want that only for connections from LAN to internet, so it would mean adding something like out-interface-list=WAN or out-interface=, it depends on your config.
The first rule (index 0) changes SRC address of any IP packet passing router to (one of) its own address (which one depends on out-interface taken eventually). So if you want to see LAN IP addresses in logs of your DNS server, you would have to change the SRC NAT rule to be a bit less greedy, e.g. by adding out-interface-list=WAN or something alike (the example assumes otherwise default configuration and I guess yours is not really like that). But doing it will probably break DNS for LAN clients. Reason: packet flow.
When LAN client needs something from DNS server (10.10.10.1), it sends packet towards that server. Your router receives it, does dst-nat (changing DNS request destination to LAN server) and currently also does src-nat to its own address. Then it sends packet to LAN DNS server. LAN DNS server sends response to source which is router. Router receives response, undoes both NATs and delivers reply to LAN client. LAN client gladly accepts the response because it seemingly comes from server it tried to contact in the first place.
Now with src-nat made less greedy: LAN client sends request towards DNS server (10.10.10.1), router does dst-nat but doesn’t do src-nat. Now LAN DNS server receives request which has src address set to LAN client’s address, and sends response to that address. Because LAN client is in the same LAN as server, the answer goes directly, bypassing router. Router can not undo NAT and LAN client receives response from server 192.168.88.150 which it doesn’t expect and rejects that answer as being unsolicited.
There are two ways for LAN DNS server to see LAN client’s addresses:
LAN clients are configured to use LAN DNS server (either via static config or DHCP server config)
LAN DNS server is in different LAN IP subnet. In this case src-nat is not needed (dst-nat is enough) because DNS server will have to use router to send back responses.
The idea is to heat it, not to boil it. So while some alcohol might evaporate before consuming it, the rest evaporates soon after consumation … directly into consumer’s head
yes, something like Pi-hole Filtering and the other problem is that its time-consuming to get every PC on the network change the old DNS of the Mikrotik router to the new DNS.
I tried Changing the SRC rule on this router it just wouldn’t work I tried every type of interface as an OUT Interface but it either as you said broke the connection to the internet or it just wouldn’t work as it’s supposed to and the Ip still gets masked.
I tried both the following SRC config but it didn’t work:
I also tried to specify a src-address and dst-address 192.168.88.0/24 in both cases and it also didn’t work so either I’m really stupid with NAT or I’m really stupid in networking, and in both cases, I’m the glitch.
There are two ways for LAN DNS server to see LAN client’s addresses:
LAN clients are configured to use LAN DNS server (either via static config or DHCP server config)
This is really bothersome since my org before I started was using static rather than DHCP and Mke static IP (I don’t know why)
LAN DNS server is in different LAN IP subnet. In this case src-nat is not needed (dst-nat is enough) because DNS server will have to use router to send back responses.
Yes it’s on a different Subnet, and in this case do I just delete my src masq rule or prioritize the dst rule?
