My DNS server on a MikroTik router allows remote requests from both networks.
In MikroTik I have only one DNS settings menu (IP > DNS). I would like to put different static entries for each of the mentioned networks. Is this possible?
How do I redirect a whole network or a selected IP pool to a specific DNS (for example openvpn.com etc.)?
Could you give me a code example? I didn't see an action "redirect" when creating firewall rules. I know I have to redirect UDP port 53 to my OpenVPN IP, but have no idea how to do this.
There's only one DNS server config per RB device, so you can't have different answers depending on where the client is. What you can do is, for example, configure the DHCP server to assign some public DNS server's address for guests and the router's IP address as DNS server for users. And don't forget to disallow DNS access to the router from the guest network afterwards.
/ip dhcp-server network
set [ find address="192.168.1.0/24" ] dns-server=8.8.8.8
The above assumes the guest subnet is 192.168.1.0/24 and sets guests to use Google's public DNS server.
N.b. the double-quotes around the address in the command above are necessary; without them find doesn't …
There is NAT. Normally it's used to overcome the problem of a single routable IPv4 address per ISP subscription, but with slightly inventive use one can redirect certain connections … passing the router in any direction.
(Just for testing purposes) I managed to create a rule which redirects DNS queries from my computer to one of the free OpenDNS servers. It works fine for the OpenDNS server.
That's probably a redirection to the same subnet; then you'll need to src-nat too → "hair-pin": look at that.
Otherwise the DNS server will send responses directly to the client, and the client will reject them as unknown traffic.
For completeness of your rule: remove the src-port="" … setting it as written is not a wildcard. If you don't want to use a certain filter (and in this case you don't), then don't include it.
As to why it doesn't work for redirecting towards LAN servers, one has to understand the packet flow:
1. The LAN host sends UDP packet(s) to the chosen WAN host via its default gateway.
2. The router gets the packets and sees it needs to perform a NAT operation. It changes the dst-address and sends the packets out to the internal host. At this moment the "outgoing" packets still carry the original LAN host's address as src-address.
3. The internal DNS server receives the packets and sends the reply to the apparent sender of the query, which in this case is the original LAN host. That host is directly accessible to the DNS server, so the reply completely bypasses the router with its NAT engine … which should have reverted the address replacement if everything worked according to the normal NAT packet flow.
4. The LAN host receives a reply from a server that (according to its own state) wasn't asked a question. The IP stack discards the packet and the app times out waiting for a response.
5. The router has a stale NAT connection state.
So for this kind of redirection you should add a corresponding src-nat rule which will also rewrite the src-address in step 2, so the DNS server will see the request as originating from the router and will send the reply back to it.
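As an added example (not code from the thread), here is the rule pair the answer above describes, for an assumed LAN 192.168.1.0/24 on interface bridge-lan with an internal DNS server at 192.168.1.10: the dstnat rules force clients' port-53 traffic to the internal server, and the srcnat rules rewrite the source so the server's reply returns through the router instead of bypassing it. No src-port filter is set, as the answer advises.

```routeros
# Added example, not from the thread. Assumed values: LAN 192.168.1.0/24 on
# interface bridge-lan, internal DNS server at 192.168.1.10.
/ip firewall nat
# Step 2 of the packet flow: rewrite dst-address so LAN clients' DNS queries land
# on the internal server. The server itself is excluded so its own upstream
# queries are not looped back to it. No src-port match: clients use random ports.
add chain=dstnat in-interface=bridge-lan src-address=!192.168.1.10 protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.1.10 to-ports=53 comment="redirect LAN DNS (UDP) to internal server"
add chain=dstnat in-interface=bridge-lan src-address=!192.168.1.10 protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.1.10 to-ports=53 comment="redirect LAN DNS (TCP) to internal server"
# Hair-pin: srcnat is evaluated after dstnat, so dst-address here is already the
# translated address. Masquerading makes the server reply to the router, which
# reverts both translations before forwarding the reply back to the client.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=udp dst-port=53 action=masquerade comment="hair-pin NAT for redirected DNS (UDP)"
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.10 protocol=tcp dst-port=53 action=masquerade comment="hair-pin NAT for redirected DNS (TCP)"
```

One trade-off to check afterwards: with the masquerade in place the DNS server's query logs show the router's address rather than the real client, so per-client visibility has to come from the router's own logging if you need it.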