[Solved] Default Config Will Not Resolve Any DNS Queries (Bell Fibe)

rogerking1 · January 16, 2020, 2:34am

I have a RB2011, and a month or so ago, it stopped being able to do anything DNS related. I’ve had it on a shelf and pull it down to tinker with every once in a while, but can’t get it working. Just pulled 6.46.1, updated and reset the config to default, and still can’t get a DNS resolve.

I have it behind my ISP’s router, but set into DMZ, and I can see the Mikrotik getting the external facing IP as its own. DNS servers are default what the ISP sends down, but I’ve tried in the past with google DNS as well, and that doesn’t seem to do anything.

Where’s a good place to start troubleshooting this problem?

Sob · January 16, 2020, 4:58am

Tools->Torch or logging:

/ip firewall mangle
add action=log chain=output dst-port=53 log-prefix=dns-query protocol=udp
add action=log chain=input log-prefix=dns-response protocol=udp src-port=53

Then make the router resolve something, e.g. with ping in Terminal:

/ping forum.mikrotik.com

rogerking1 · January 18, 2020, 1:09pm

Did the logging. I have a bunch of entries that all look the same, starting with dns-query, but it looks like I never receive a response. I then added Google DNS servers, and I see the out queries to them as well, but no apparent in responses.

What’s the next debug?

pe1chl · January 18, 2020, 1:23pm

You are sure you have the default firewall and not some extra or other rules?
Also sure that the network is confgured correctly? Did you set ether1 as a DHCP client of your ISP router and does it set a correct internal address and default gateway? Did it automatically set the DNS server addresses?

Sob · January 18, 2020, 7:17pm

If router is sending queries but gets no responses, it looks like it’s blocked by something else, ISP’s router, further in ISP’s network, … But it doesn’t make sense why would it happen.

macsrwe · January 18, 2020, 9:04pm

Did you perhaps attempt to harden your router against being used in a DDNS attack shortly before this problem started? If you do this incorrectly, you can get this behavior.

Requests for DNS service from outside your network (bad) look very similar to responses to DNS queries from inside your network (good).

You must block only NEW traffic to DNS port from outside your network, using connection-state parameter. If NEW is not set, traffic is a DNS response and should be allowed.

rogerking1 · February 8, 2020, 1:11pm

Thanks everyone for the suggestions. I’m posting this so someone else can find the likely answer.

After getting frustrated with it, I let it marinate for a while and just shelved the router again.

Doing further research, I discovered a few accounts of just rebooting the router and the Bell HomeHub (3000). Some users said this might take a try or two to get right, so I did.

Leaving the MikroTik online, I rebooted the ISP gear a few times, checking if DNS worked on the MikroTik each time.

Default config, no changes at all.
HomeHub has the MikroTik set as being in the DMZ, using Advanced DMZ mode so that it gets the assigned IP.
Reboot the HomeHub router once or twice, try Ping each time.

And now it works. Screenshot of HomeHub settings attached.