Hello,
as I have come across multiple basic configurations for RouterOS and VLANs, I'm a bit confused about how to set up the DNS
Server properly. Although the answer is obvious, I would like to write down my thoughts and would highly appreciate it if they get confirmed or answered where things are still unclear (or corrected).
I do have multiple MT Switches and one MT Router.
The IP of the upstream Router:
The Router is either connected directly to the internet or behind the ISP-provided router, so:
The Dynamic Servers are served from the ISP DHCP or the ISP-provided router. If the latter, it is probably the ISP-provided router's Gateway Address.
If nothing is set in /ip dhcp-server network dns-server, the settings given in /ip dns servers and /ip dns dynamic-server are available to be passed to DHCP clients, but which servers?
If only dynamic, then it depends on /ip dhcp-server network dns-none?
If both, either both or only static ones are passed on, depending on /ip dhcp-server network dns-none?
If /ip dhcp-server network dns-server is set, then only these servers are passed on.
A configuration was given to me where /ip dhcp-server network dns-server is the same as the /ip dhcp-server network gateway. What happens here?
The settings given in /ip dns servers and /ip dns dynamic-server are available to be passed to DHCP clients, but what actually happens depends on the answer to point two.
DNS queries from the DHCP clients (downstream of the DHCP Server) will die as there is no forwarding by the gateway.
DNS queries will only be checked against entries given in Static DNS Entries / /ip dns static?
If there is nothing in there matching the query, it will die as well.
Would be great if that puzzle could be completed, as I cannot find any answer to my questions in the manual (or I'm just too stupid to find them).
The question could be framed as: what is the hierarchy breakdown of DNS by the MT router when:
a. peer DNS is enabled (aka from ISP)
b. peer DNS is disabled
c. dhcp-server-network is the gateway of the subnet (aka from the router)
d. dynamic servers are assigned
e. dhcp-server network is assigned a known DNS server such as 8.8.8.8 or 1.1.1.1
f. static DNS are set…
Clearly if c. is chosen, the Router is the DNS source (and the advantage apparently is that the info could be cached on the router and thus be quicker).
So what does the router use for those not in the cache, in order of precedence, is my question. (ISP, dynamic servers, static)???
If e. is chosen I believe that overrides all other settings, and if the DNS cannot be resolved from a DNS like 8.8.8.8 then what happens, no internet??
To come somewhere close to a comprehensive answer, maybe someone can tell me:
Who has access to the information in /ip dns server that I configure RouterOS for?
each gateway
does this only sit on the WAN interface (as this is the router to other DNS servers)?
each time the CPU is involved, which is always the case here. In this case, however, the explicit specification of the gateway as a DNS server is obsolete.
If I now specify a DNS server, e.g. 1.1.1.1,
will all devices in between still be asked whether they know DNS xy or will the request go directly to 1.1.1.1?
It is indicated that if a DNS server is to be queried, this should explicitly go to 1.1.1.1?
mmm…
It's easier to understand Einstein than your questions.
How DNS and DHCP works for dummies:
From Routerboard point of view:
Do I have at least one IP to resolve DNS in /ip dns?
NO: I can not resolve DNS queries in any way.
YES, they are dynamic: I can resolve DNS inside the Routerboard and the DNS come from a dynamic interface, like DHCP-Client or PPPoE-Client for example.
YES, they are static: I can resolve DNS inside the Routerboard and the DNS are written manually by someone.
YES, both dynamic and static are present: I can resolve DNS inside the Routerboard and the DNS are obtained with both methods described before. In this case, static have precedence.
From PC point of view:
Can the Routerboard resolve DNS? I do not care.
Does the DHCP-Server give me at least one DNS?
NO: I can't resolve DNS in any way.
NO, but someone put static DNS inside the PC interface: The PC can resolve DNS without any help from Routerboard or ISP.
YES, but on the PC DNS are set manually and right: The PC can resolve DNS without any help from Routerboard or ISP.
YES, and on the PC all is "auto": The PC can resolve DNS, using the DNS provided from the DHCP-Server on the Routerboard.
YES, but on the PC DNS are set manually and wrong: The PC can not resolve DNS in any way (DoH/DoT is another question).
DNS resolving precedence:
Do I have on the PC a non-Routerboard IP to resolve DNS?
The DNS are resolved with that IP and I can not provide other results.
I have on the PC the Routerboard IP as DNS resolver:
if "allow-remote-requests" is active (without considering the firewall) and the PC has only the IP of the routerboard as DNS, the query goes:
The PC checks its internal cache
if it does not find any corresponding record, it queries the routerboard:
Check the internal Routerboard cache if it is already resolved
Check DNS Static if there is a correspondence
If not found, the Routerboard asks ITS OWN DNS (for example 1.1.1.1) to solve DNS in that order (stop on first resolution, give not found if all are checked without results):
a) first static, if are one
b) second static, if are one
c) first dynamic, if are one
d) second dynamic, if are one
at this point if the record is unresolved, DNS gives unknown as reply to the PC
as you're that patient answering me, you are able to answer questions about the theory of relativity easily
I'm sorry for answering that late, but I have been quite limited and this limited time was absorbed by understanding VLANs on MT. Now I know that it is actually quite simple; I was irritated by the expression used. I'm planning to create a topic comparable with your firewall topic. That hasn't happened yet, but at least the configurations are pushed to GitHub now: GitHub - PackElend/MikroTik
Back to the topic.
I have read up on DNS Query Message Format (firewall.cx), which makes it a bit clearer to me. If RouterOS assigns 8.8.8.8 per DHCP to the client, the DNS query will be routed to 8.8.8.8 if the client does not find anything in its cache.
So far so good.
Now I assign the gateway of the subnet or any other IP assigned to an interface on my Router.
Of course, the IP should be reachable from the client (firewall rules etc.) but at the end, it does not make any difference, does it?
The assigned interface (by its IP provided as DNS Server) is the gate to RouterOS.
This will make things happen as described by you:
I did some tests and noticed that:
even when provisioning no DNS Server to the client, DNS queries are still forwarded to my router (I did a DNS flush on system and browser). That is weird, I will check again.
RouterOS is either not transparent in DNS query forwarding or something is still wrong as I did DNS tracing against openDNS but openDNS is not listed:
Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
Adresse IPv4 : 10.99.99.243
Serveurs DNS IPv4 :10.99.99.1
/ip dhcp-server> print where name=VLAN_099_DHCP
Flags: D - dynamic, X - disabled, I - invalid
NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 VLAN_099_DHCP VLAN_099 VLAN_099 10m
print where comment~"^BASE"
Flags: D - dynamic
ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; BASE (MGMT) VLAN
10.99.99.0/24 10.99.99.1 10.99.99.1
The highlighted information from your LAN computer indicates that it is receiving the router's IP address to be used as DNS server. This setting is configured in /ip dhcp-server network, property dns-server. The configuration of your core router shows that you're explicitly setting the router's IP address as DNS server for DHCP clients in all VLANs, while you probably want to set it to 8.8.8.8 at least for some VLANs.
No matter what IP you use (as usual, except for firewall)
But is better to use main gateway IP for that.
Example: you have both 10.1.x network and 10.2.x
You can use on both network any of the two gateway IP.
But if for some reason in the future you want to block any form of communication between blocks or simply want to change the block IPs,
all devices configured with a (working but) improper IP stop working.
If you do not explicitly set the "No DNS" flag inside DHCP Networks,
RouterOS provides one DNS based on this (must be checked exactly):
1st the IP used as Gateway if “Allow remote requests” on DNS is on
2nd first dynamic DNS on DNS settings, if any
3rd second dynamic DNS on DNS settings, if any
4th first fixed DNS on DNS settings, if any
5th second fixed DNS on DNS settings, if any
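As an added example (not from the thread or any of its posters) of the setup discussed in the last few posts: the router resolves for LAN clients, hands its own gateway IP out via DHCP, keeps a static entry in front of the upstreams, and the input chain keeps WAN-side hosts from using it as an open resolver. Assumed: RouterOS v7 syntax, an interface list named WAN, and the 10.99.99.0/24 BASE network from the earlier printout; 1.1.1.1 and 8.8.8.8 are the upstreams the thread mentions, nas.lan/10.99.99.20 is a made-up host.

```routeros
# Added example, not the thread's own configuration.
# Assumes: interface list "WAN", DHCP network with comment "BASE (MGMT) VLAN",
# gateway 10.99.99.1 (from the printout above); nas.lan is a constructed host.

# 1. Resolvers the router itself uses. Static servers take precedence over
#    dynamic ones learned from a DHCP or PPPoE client. allow-remote-requests=yes
#    is what lets LAN hosts query the router at all.
/ip dns set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes

# 2. Give clients the router's gateway IP as DNS server, so lookups pass
#    through the router's cache and static entries first.
/ip dhcp-server network set [find comment~"^BASE"] dns-server=10.99.99.1

# 3. A static entry is answered before any upstream is asked.
/ip dns static add name=nas.lan address=10.99.99.20 comment="local override"

# 4. allow-remote-requests=yes also answers queries arriving on WAN, which
#    makes the router an open resolver unless the input chain drops them.
#    place-before=0 puts the drops ahead of any earlier accept rule.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp \
    dst-port=53 action=drop place-before=0 comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=53 action=drop place-before=0 comment="no DNS from WAN"

# 5. Verify which servers (static and dynamic) are active, and empty the
#    cache before re-testing from a client.
/ip dns print
/ip dns cache flush
```

If the default firewall's "drop everything else from WAN" input rule is already in place, step 4 is redundant; it is shown because the thread's explanation of precedence deliberately left the firewall out.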
All that makes all clients use the DNS server as given in /ip dns, which are the DNS servers of OpenDNS.
reading through your replies, I dare to say that my settings are correct
For whatever reason OpenDNS blocking/filtering is not working as desired, will do some more checks (flush, restart, ...)
Dynamic have precedence
Another example:
A generic AP has one DNS inside,
but if the provider wants to change the DNS, they are not forced to update all APs, just give the new DNS with the DHCP Server or PPPoE Server.
I'm too busy in this period, but MikroTik first must study some sort of auto-configuration.
My idea is to make some generic wizard to generate some script for auto configuration like:
Select user skill level (less question asked for lower levels, etc.) →
Select model->Select if is used as Switch / Router / Firewall / Access Point, etc.->Select on what port the Internet come in (WAN, on ether? as wi-fi client?)->
How many different WAN sources?->Select LAN ports->Select Wi-Fi settings->
Select details needed for 1st WAN (DHCP? PPPoE? VLAN? Passthrough from xDSL/ONT/LTE? etc.)->Select details needed for 2nd WAN->etc.->
Select if the WANs are on failover or load balancing (or both, etc.)->Select the number of wanted VLAN (+management) →
Select how the single LAN are used (trunk, VLAN, untagged, etc.)->Select default firewall rules wanted (default, default+rextended, no rules because switch, plain AP, etc.)->
Select wanted router features (IP Forward, Router Cache, etc.) ->Select new users and security settings->Select wifi SSID and password, etc.
Generate single file to import, reset configuration with that file, done…
That is going to be quite a job.
Maybe my scripts are going to help you, as I try to explain things in there as well, but currently I have only the VLAN configuration covered.
Currently trying to get through the details of CAPsMAN (basic WLAN is working).