Hi there
I picked the MikroTik router because it is supposed to let me control most everything.
I am using RouterOS 6.27
I am trying to set up the DNS to only use OpenDNS servers. In the DNS control panel I set them up, but after connecting to my router, I picked up the Comcast DNS routers as Dynamic Servers and I need to shut them off.
I tried the following command (after looking through lots of posts): ip dhcp-client set use-peer-dns=no
But, when I type this in I get a response of "numbers: "
I don’t know what numbers it wants - I have tried the IP address that I want to stop, the IP addresses that I want to add, the modem IP address, I tried 1, 2, 3, etc. up to 10 for my router ports - they all come back with “Script error: action canceled”
I have also tried to use the NAT commands to redirect all port 53 traffic to the OpenDNS server IDs, but that has not worked for every client in my home. I have 2 computers that have picked up the OpenDNS DNS servers, and 2 that have not (I tried to force one - and it worked when I specified it), but when I went back to allow it to obtain the DNS automatically, it went back to the Comcast addresses.
That’s because you can have multiple dhcp-clients configured at once.
Numbers: wants the index number of the client whose configuration you’re trying to change.
/ip dhcp-client print
– that will give you the index numbers. (chances are, only one with index 0)
Use winbox and go to
/ip dhcp-client
Open it up and uncheck use peer dns
Done
Now that procedure mentioned above…
Set the Open DNS servers in
/ip dns servers
That tells the router to send DNS requests to the OpenDNS server.
In your DHCP server, set the DNS entry to your local router.
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1
gateway=192.168.88.1
The other command can be used to “trap” requests sent to other DNS servers via a device having them set statically on them.
This will work great. If you also want to block users from specifying their own DNS servers, then you can do one of two things:
Block all other DNS requests: (has side benefit of interfering with certain types of botnet clients)
In the ip > firewall > filter menu, add two rules:
chain=forward in-interface=LAN protocol=udp dst-port=53 action=drop
chain=forward in-interface=LAN protocol=tcp dst-port=53 action=drop
Make sure they come before any “allow all outbound to Internet” kind of rules in the forward chain.
–or– Intercept all DNS requests and serve them with the Mikrotik:
In the ip > firewall > nat menu, add two rules:
chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect
chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect
Thank you for all the suggestions.
I started with this one:
ip dhcp-client set use-peer-dns=no
For the numbers request, I put 0 since this was the reference number to my DHCP Client.
Now, when I go to my computers and type ipconfig /all, I get the two OpenDNS addresses.
But, I also get my own gateway (in this case 10.0.1.1).
Should I be concerned?
for this suggestion:
Intercept all DNS requests and serve them with the Mikrotik:
In the ip > firewall > nat menu, add two rules:
chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect
chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect
When I type this in I get the following error:
ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect
input does not match any value of interface
Is there an IP address I am supposed to put in for LAN protocol?
LAN is not a protocol. It’s just a generic “lan interface” name. If your LAN side is ether4, then put ether4 there instead of LAN. It’s common to just use tokens like that, and generic IP addresses like 192.168.x.x/24 in example code because we don’t know exactly which interfaces the reader is using.
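Putting the whole thread together, here is the complete RouterOS 6 configuration as one pasteable script. This is an added example, not any poster's own commands: it assumes ether1 is the WAN port, ether4 is the LAN port (as in the reply above), the 192.168.88.0/24 subnet from the earlier reply, and OpenDNS's published resolvers 208.67.222.222 and 208.67.220.220.

```routeros
# 1. Upstream resolvers: the router itself forwards to OpenDNS.
#    allow-remote-requests=yes is required for the redirect rules below,
#    otherwise the router will not answer DNS queries from LAN clients.
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes

# 2. Stop the WAN DHCP client from injecting Comcast's servers as
#    "Dynamic Servers". Check the index first with /ip dhcp-client print;
#    [find] selects every client, which is fine when there is only one.
/ip dhcp-client set [find] use-peer-dns=no

# 3. Hand LAN clients the router as their DNS server via DHCP.
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 \
    dns-server=192.168.88.1 comment="LAN: router is the resolver"

# 4. Transparently redirect any DNS query a client sends elsewhere
#    (statically configured 8.8.8.8, etc.) back to the router.
/ip firewall nat add chain=dstnat in-interface=ether4 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router"
/ip firewall nat add chain=dstnat in-interface=ether4 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS through router (tcp)"

# 5. Because allow-remote-requests=yes also answers queries arriving on
#    the WAN side, drop DNS on the input chain from ether1 so the router
#    does not become an open resolver. place-before=0 puts these rules
#    at the top, ahead of any existing accept rules.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop place-before=0 comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop place-before=0 comment="no DNS from WAN (tcp)"

# Verification (run on the router after a client has done some lookups):
#   /ip dns print              -> dynamic-servers should be empty
#   /ip firewall nat print stats   -> packet counters on the redirect rules rise
#   /ip dns cache print        -> entries appear for names the clients resolved
```

From a LAN client, a lookup pointed at a third-party resolver (for example `nslookup example.com 8.8.8.8`) will still succeed, but the redirect counters rather than the WAN show the traffic, which confirms the router answered it.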