Hi, I’m trying to optimize speed in my company. It uses 2 ISPs in failover with load balancing, and the DHCP clients are set up to use OpenDNS addresses; we don’t have DCs there. When I tried to set up DNS caching in Mikrotik it just didn’t work. Internet becomes slow and it stops! It doesn’t forward other requests to OpenDNS servers. Maybe I didn’t understand the guide quite well. Should I also use both my ISP addresses and make static routes to them? Thank you.
How did you set it up?
Basically you need to
1.- Add OpenDNS servers to IP > DNS Servers; you can set more than one by clicking the small, bottom-pointing triangle next to the Servers field.
2.- While you’re at that screen, make sure Allow Remote Requests is enabled (this enables the DNS server for the LAN).
3.- Make sure port 53 UDP isn’t blocked to the LAN, and make sure in IP > DHCP Server, Networks tab, DHCP entry, that the LAN IP of the router is set in the DNS Servers field.
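The three steps above as a RouterOS terminal configuration. This is an added example, not configuration posted in the thread; the LAN subnet 192.168.88.0/24, the router LAN address 192.168.88.1 and the DHCP network entry are assumed values, and the OpenDNS addresses are the ones OpenDNS publishes. The firewall part is what step 3 implies but does not spell out: Allow Remote Requests answers on every interface, so port 53 must be restricted to the LAN or the router becomes an open resolver reachable from both ISP links.

```routeros
# Added example (not from the original thread). Assumed values:
#   LAN subnet 192.168.88.0/24, router LAN address 192.168.88.1.
# OpenDNS public resolvers: 208.67.222.222 and 208.67.220.220.

# Steps 1 + 2: upstream servers, enable the resolver for LAN clients,
# and give the cache some room.
/ip dns set servers=208.67.222.222,208.67.220.220 \
    allow-remote-requests=yes cache-size=4096KiB

# Step 3a: hand the router's own LAN address to DHCP clients as their DNS.
/ip dhcp-server network set [find address=192.168.88.0/24] \
    dns-server=192.168.88.1

# Step 3b: accept port 53 from the LAN only, then drop all other port 53
# traffic to the router. allow-remote-requests=yes listens on every
# interface, so without the drop rules the cache is an open resolver on
# both ISP links (abusable for amplification). Keep these rules ahead of
# any generic "drop all input" rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=53 \
    src-address=192.168.88.0/24 comment="DNS cache from LAN (UDP)"
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address=192.168.88.0/24 comment="DNS cache from LAN (TCP)"
add chain=input action=drop protocol=udp dst-port=53 \
    comment="no open resolver (UDP)"
add chain=input action=drop protocol=tcp dst-port=53 \
    comment="no open resolver (TCP)"

# Check: the router resolves through the upstreams (prints an address),
# and the cache starts filling.
:put [:resolve www.google.com]
/ip dns cache print
```

The firewall rules are order-sensitive: the two accepts must sit above the two drops, and all four above any catch-all input drop, otherwise LAN clients lose the cache as well.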
I’ve set it up before with port redirecting with dstnat to UDP port 53, Allow Remote Requests ticked and increasing the cache, and it didn’t work. The router is powerful - an octa-core CCR1009. Clients behind it are from 20 to above 100, sometimes even 200. I understand that setting the cache will increase speed. I need to ask you one more thing. Can I use my ISPs’ DNS addresses by making static routes to them? Load balancing is used with classifying by addresses - half of the clients use the 1st ISP address, the 2nd half the 2nd ISP public address. Thank you.
EDIT
If I create static entries in the ip route section like these
/ip route add dst-address=ISP1_DNS1 gateway=ISP1
/ip route add dst-address=ISP1_DNS2 gateway=ISP1
/ip route add dst-address=ISP2_DNS1 gateway=ISP2
/ip route add dst-address=ISP2_DNS2 gateway=ISP2
and make the clients use the router’s local address as primary DNS, and then maybe a public address or again ones from both ISPs. If load balancing is working like it should, my client which has been src-natted through the ISP2 address should use the ISP2 DNS addresses respectively, am I right?
There’s no need for port redirection; are you “hijacking” outgoing DNS queries and redirecting them to the cache? Depending on the resolving library used by the client this may not work (most modern libraries). You’d better hand out the DNS cache IP by DHCP or any other means you use to provision clients.
The load balancing could be the problem… check that it is not getting in the way (disable it, then check).
Probably won’t, due to the fact that each ISP is very likely restricting access to their DNS to only their customers, i.e. ISP1 DNS will only answer if queried through the ISP1 route, and ISP2 DNS via the ISP2 route.
I’d rather have customers use only the cache; that’s the whole point of a cache: to maximize its usefulness everybody should use it, so it fills up globally and lookup requests use it. I can’t see any benefit if customers will also query external DNS on their own.
For the cache to work, there are two areas you should check:
A - The router should be able to successfully query external DNS servers. The load balancing may be getting in the way.
B - The customers should be able to query the DNS cache successfully. Again, load balancing can get in the way.
To test A, you can issue
/resolve www.google.com
No output means the FQDN was resolved successfully.
A ping to the FQDN is equally useful.
To make sure DNS queries to each DNS server go through the proper ISP, you should make sure mangle doesn’t get in the way, and make sure there are proper routes, so that regardless of the source, outgoing DNS queries go via the proper ISP connection, as if you query ISP2 DNS via ISP1 connection it will surely reject the query.
Depending on your mangle, adding a specific static route, i.e.
dst-address=ISP1_DNS gateway=ISP1_gateway
dst-address=ISP2_DNS gateway=ISP2_gateway
may be enough.
Post an export of the router if you have difficulty achieving this. Tomas Kirnak Mangle Deep Dive is really useful to understand all the implications of load balancing.
Once this is sorted out/checked to be working, it is time to proceed with B. You can enable DNS logging to see what’s reaching the cache.
Depending on your network size (from 400-500 users onwards), you may need to increase the Max concurrent Queries setting on IP > DNS.
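The A/B checklist from the reply above, written out as RouterOS commands. This is an added example, not configuration from the thread or from either poster. The ISP gateways and resolver addresses are constructed placeholders from documentation ranges (198.51.100.0/24 for ISP1, 203.0.113.0/24 for ISP2), and the mangle accept rules assume the load balancing is done with mark-routing rules that also apply to router-originated traffic; if your mangle only marks in prerouting, the output-chain rules are harmless but unnecessary.

```routeros
# Added example (not from the original thread). Constructed placeholders:
#   ISP1 gateway 198.51.100.1, ISP1 resolver 198.51.100.53
#   ISP2 gateway 203.0.113.1,  ISP2 resolver 203.0.113.53
# Clients are given only the router (the cache) as DNS server.

/ip dns set servers=198.51.100.53,203.0.113.53 allow-remote-requests=yes

# Area A: one /32 route per resolver in the main table, so the destination
# alone picks the uplink. distance=1 keeps it preferred over a default or
# ECMP route, so ISP2's resolver is never queried over ISP1 (which it
# would reject) and vice versa.
/ip route
add dst-address=198.51.100.53/32 gateway=198.51.100.1 distance=1 \
    comment="ISP1 DNS via ISP1"
add dst-address=203.0.113.53/32 gateway=203.0.113.1 distance=1 \
    comment="ISP2 DNS via ISP2"

# Keep the load-balancing mangle out of the way. The router's own queries
# traverse the output chain; place-before=0 puts each accept rule at the
# top so any later mark-routing rule never sees these packets.
/ip firewall mangle
add chain=output action=accept dst-address=198.51.100.53 place-before=0 \
    comment="do not re-route ISP1 DNS"
add chain=output action=accept dst-address=203.0.113.53 place-before=0 \
    comment="do not re-route ISP2 DNS"

# Test A: the router itself resolves (prints an address; errors on failure).
:put [:resolve www.google.com]

# Test B: log what reaches the cache, then look at client queries.
/system logging add topics=dns action=memory
/log print where topics~"dns"

# Capacity: raise the concurrent-query limit for larger networks.
/ip dns set max-concurrent-queries=1000
```

If test A fails with the routes in place, print `/ip route` and check that the two /32 entries are active (flag A) and not shadowed by a routing-mark table; if test A passes but clients still time out, the problem is in area B (input-chain access from the LAN), not upstream.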
On version 6.40.X is it still 100, or can it be more (1000, 2000, etc.)?
Regards
You can setup this value on 6.40, AFAIK there’s no limitation.
Obviously, unless hardware is sized for the load, this won’t make a difference.
You will also need access to the router via the Input chain from the LAN/INTERNAL so users can access the router DNS cache.