Redirect DNS to Local Server

Dear Community,

I have an Active Directory server at 192.168.100.250 with the domain name xyz.com. The problem is that the domain xyz.com is already registered publicly by someone out there, so if I ping xyz.com it resolves to the public domain, not to my local AD server. Is there any way to redirect the DNS traffic, so that if I ping my AD server's domain name it resolves to my local IP 192.168.100.250? Thanks in advance :)

If the DNS server is the Mikrotik router, make a static record in it for that IP address.

My home MikroTik runs a permanent tunnel to our offices. DHCP configures devices to send DNS requests to the MikroTik, which then either proxies the requests to Google or forwards them to our AD server.

AD realm = ad.lair.co.za
AD server = 192.168.1.3

/ip dns
# The router answers DNS for LAN clients and forwards everything else to Google
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall layer7-protocol
# Matches the AD realm inside the DNS payload ('.' is a regexp wildcard, so it also matches the label-length bytes on the wire)
add name=ad_dns regexp=ad.lair.co.za
/ip firewall mangle
# Mark UDP/53 queries addressed to the router itself whose payload names the AD realm
add action=mark-packet chain=prerouting dst-address-type=local dst-port=53 layer7-protocol=\
    ad_dns new-packet-mark=forwarded-dns passthrough=yes protocol=udp
/ip firewall nat
# Send the marked queries to the AD server instead of answering them on the router
add action=dst-nat chain=dstnat comment="Intercept DNS:" packet-mark=forwarded-dns \
    to-addresses=192.168.1.3
#add action=masquerade chain=srcnat disabled=yes packet-mark=forwarded-dns

You probably don’t need the second NAT rule. It would originate packets to the AD server as coming from the MikroTik to ensure return traffic gets unnatted properly before arriving back at the initiator.

A dst-nat rule should do this well enough. If you match anything destined for TCP/UDP 53 and just dst-nat it to your server, you can route all DNS through it.

Have you specified it on the DHCP server as well, or is the MT not doing that?

Dear community, first of all thanks for the answers, but none of them work for my needs.

I've tried static DNS, whether using regexp or name. It does resolve to my server when I ping its domain name, but it seems that if I ping host.xyz.com it doesn't resolve to the host's IP address; I think it's because the static DNS only resolves the AD server.

I've tried the two methods up there too, but they don't seem to work. My MikroTik and my host computer still resolve to the public host when pinging xyz.com.
But thanks anyway, I appreciate your help.

Have a look here, same question: http://forum.mikrotik.com/t/conditional-dns-forwarding-for-internal-ad-server/125253/1

I've tried this, but it only resolves the AD server itself; when I ping a host, e.g. host1.xyz.com, my router doesn't resolve it...

You need to add every host you would like to resolve to your local DNS:

/ip dns static
# One static entry per host; the router answers these itself instead of asking upstream
add address=192.168.88.50 comment="My local server" name=host1.xyz.com

Or use L7 filtering for a dodgy implementation of a conditional forwarder:

/ip firewall layer7-protocol
# Forward lookups for xyz.com and reverse (PTR) lookups for 192.168.100.0/24
add name="my AD DNS" regexp="xyz.com|[0-9]+.100.168.192.in-addr.arpa"
/ip firewall nat
# Only UDP/53 queries whose payload matched the L7 pattern are diverted to the AD server
add action=dst-nat chain=dstnat comment="AD DNS" dst-port=53 layer7-protocol="my AD DNS" \
    protocol=udp to-addresses=192.168.100.250 to-ports=53

Working like a charm for me in a couple of satellite offices.
-Chris
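Both the mangle/dst-nat setup earlier in the thread and Chris's one-rule version rely on a layer7 regexp being run over the raw DNS query. The following is an added example, not code from this thread or from MikroTik: it builds a DNS query in wire format the way the router's L7 matcher sees it, applies Chris's regexp verbatim to show why it matches (the dots in a name never reach the wire, but '.' in the regexp matches the label-length byte that replaces them), and shows what it over-matches, since the pattern is unanchored. The tightened pattern, the sample names and the addresses are my assumptions; the tightened version assumes RouterOS accepts \xHH escapes in layer7 regexps, as the patterns in MikroTik's own documentation do.

```python
import re
import struct

# Constructed sample values for this example; not captures from anyone's network.
AD_SERVER = "192.168.100.250"        # the OP's AD/DNS server (dst-nat target)
ROUTER_DNS = "8.8.8.8"               # where a query that is not diverted would go


def encode_qname(name: str) -> bytes:
    """DNS wire format for a name: each label is length-prefixed and the name ends
    with a zero byte. The dots never appear on the wire."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query payload (header + one question), i.e. the UDP payload the
    router's layer7 matcher inspects. qtype 1 = A, qtype 12 = PTR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD; QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 192.168.100.7 -> 7.100.168.192.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


# Chris's regexp, verbatim. RouterOS L7 matching is case-insensitive and '.' matches
# any byte, including the label-length byte that stands in for each dot on the wire.
LOOSE = re.compile(rb"xyz.com|[0-9]+.100.168.192.in-addr.arpa", re.IGNORECASE | re.DOTALL)

# Tightened pattern (my addition, an assumption about RouterOS accepting \xHH escapes).
# It pins the label lengths and the terminating zero, so only xyz.com itself, names
# under it, and reverse names inside 192.168.100.0/24 are diverted.
STRICT = re.compile(
    rb"\x03xyz\x03com\x00|[0-9]{1,3}\x03100\x03168\x03192\x07in-addr\x04arpa\x00",
    re.IGNORECASE | re.DOTALL,
)


def resolver_for(name: str, pattern: re.Pattern = LOOSE, qtype: int = 1) -> str:
    """Where the dst-nat rule would send a query for `name`: the AD server if the L7
    pattern matches the query payload, otherwise the router's normal upstream."""
    payload = build_query(name, qtype)
    return AD_SERVER if pattern.search(payload) else ROUTER_DNS


if __name__ == "__main__":
    samples = [
        "xyz.com", "host1.xyz.com", reverse_name("192.168.100.7"),        # should divert
        "example.com", "xyz.com.evil.example", "notxyz.com", "xyzacom.net",  # should not
    ]
    print(f"{'query':32} {'loose regexp':18} {'strict regexp':18}")
    for n in samples:
        q = 12 if n.endswith("in-addr.arpa") else 1
        print(f"{n:32} {resolver_for(n, LOOSE, q):18} {resolver_for(n, STRICT, q):18}")
```

Run it and the loose pattern sends notxyz.com, xyzacom.net and xyz.com.evil.example to the AD server as well, because nothing in "xyz.com" pins the label boundaries; the strict pattern does not. Two further caveats a practitioner would want: the posted rule matches protocol=udp only, so a client that retries over TCP/53 after a truncated answer, or that uses DNS over HTTPS, is never diverted; and a pattern this broad should be scoped with dst-port/protocol, as Chris says, so the L7 matcher is not run over every flow.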

MikroTik itself stated that L7 needs at least 2k of data / a few packets, and the router will buffer the connection. See slide 8 in https://mum.mikrotik.com/presentations/EU17/presentation_4058_1490948376.pdf.

Not an issue here?

That's a misinterpretation. It doesn't need at least 2k of data or 10 packets, but it takes up to 2k of data or 10 packets.
DNS requests are small enough to fit into these margins.
Working great over here with about 10 satellite offices.
For the CPU's sake it's important to narrow L7 down to only the packets really needed (look at the dst-nat matcher).

-Chris

Actually it's not a misinterpretation: listen between 5:00 and 6:00 of https://www.youtube.com/watch?v=D80_a_O86jc.

But good to learn of this usage.
Thx

I've tried all of the solutions above, but it seems none of them work. The closest I get is that I can only ping my AD server and resolve it to the local IP.

But thanks anyway to the community; any further help will be appreciated.
Best regards,
Sam