(Solved thanks) Mikrotik's DNS not working with DNScrypt

Hello people.

Days ago I set up a DNScrypt server in my network:

http://forum.mikrotik.com/t/solved-use-mikrotik-with-a-dnscrypt-server-in-lan-problems/104546/1

It works, but the router’s built-in DNS service refuses to work with it, please see pictures:

As you can see, the router neither responds to the DNS requests from clients, nor caches any, but it can resolve a host name itself… I don’t know why.

If anyone can help me, it would be great.

Thank you all.

If it’s the same router that does dstnat for those fake addresses, then it can’t work with them, because output packets from the router won’t go through the dstnat chain. I’m wondering where it got the address for “mikrotik.com” from…

Thank you, so there’s no workaround available?
Yes, the router itself can resolve any host, it just refuses to provide answers to clients.
Another strange thing is in the last picture, it says cache used 17, but only lists 2…

Try to use src-nat together with dst-nat to guarantee the DNS answer passes through the router and is then de-NATed correctly.

DNS cache will happily cache DNS cache replies, but you have to allow larger packets (I think that the default was already changed to 4096 packet size). That usually fixes DNSSEC issues.

I just tried “check update” in packages and it says “cannot resolve host”, so it can resolve hosts in the ping tool somehow…

Thanks, but it still does not work when it is 4096.

Could you give me a sample script please? Thank you.

But how? Your previous thread was about making fake addresses and redirecting DNS traffic going to them to another host and non-standard ports. It can work fine when other devices try to access those fake addresses. But when you give the same fake DNS resolvers to the same router, it can’t reach them. Unless some of those addresses were actually reachable somewhere and ran a DNS resolver. But then the router’s DNS cache would work too.

I don’t know why, but the ping tool really can resolve any DNS name, I tried a lot.
However some functions don’t work, as the picture shows:

If ping can resolve hostnames, it must get the answer from somewhere. Try to add some logging rules:

/ip firewall mangle
add action=log chain=input protocol=udp src-port=53
add action=log chain=input protocol=tcp src-port=53

Then ping different hostnames and see what happens.

Try using ping from the terminal and not WinBox. WinBox could be resolving the name for ping.

Sent from my Nexus 5 using Tapatalk

You’re right, that’s it. Quick test with packet sniffer shows that DNS queries for hostnames entered in WinBox come from PC, not from router.

I tried ping from ssh, yes you guys are right, it does not work now…

Could anyone explain this picture in my previous post?

It shows 17 caches in use but only 2 in the list, I just checked and it’s still like that right now… Why?

Can you ping the DNS servers?

Sent from my Nexus 5 using Tapatalk

Of course not, they are fake addresses.
However if you mean the real address 192.168.88.5, yes I can.

It’s not the number of records:



He can’t, because they don’t exist. :) It only makes sense when you read the other thread linked in the first post and understand what he did.

And I don’t think there’s currently a way to make this kind of setup work from router itself.

Thank you so much Sob.
It confused the hell out of me when I saw 17 while only 2 were listed…
I think I may not use this NAT method and just assign several IPs to the DNS server, that will solve the problem.

After assigning multiple IPs to my server and no longer using the NAT method, it’s fully working now. The router can also resolve DNS.
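Added example, not taken from the thread or from either of the posters: the two setups discussed above written out as RouterOS commands, the NAT-based one that only works for LAN clients and the multi-address one that solved the thread, followed by the check a practitioner would run from the router's own terminal. The fake resolver addresses 10.99.0.1 and 10.99.0.2, the DNSCrypt listening ports 5353 and 5354, the second real server address 192.168.88.6, and the rule comments are all assumptions; only 192.168.88.5 comes from the thread, and the exact rules of the original setup are in the linked thread, not here.

```routeros
# ADDED EXAMPLE, not from the thread. Assumed values: fake resolver
# addresses 10.99.0.1 and 10.99.0.2, DNSCrypt listening ports 5353/5354
# on 192.168.88.5, and a second real server address 192.168.88.6.
# Only 192.168.88.5 is taken from the thread.

# --- Setup 1: fake resolver addresses rewritten with dst-nat ---
# Works for LAN clients, whose packets traverse prerouting -> dstnat.
/ip firewall nat
add chain=dstnat dst-address=10.99.0.1 protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.5 to-ports=5353 comment="DNSCrypt fake resolver 1"
add chain=dstnat dst-address=10.99.0.2 protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.5 to-ports=5354 comment="DNSCrypt fake resolver 2"
/ip dns set servers=10.99.0.1,10.99.0.2 allow-remote-requests=yes
# Fails for the router itself: its own queries are locally generated and
# leave through the output chain, never prerouting, so dstnat is not
# applied and the queries are sent to addresses that do not exist.
# Symptom: nothing answers, clients get no reply, the cache stays empty.

# --- Setup 2 (what solved the thread): real addresses, no NAT ---
# The DNSCrypt host gets one real address per listener, each listening on
# port 53, because /ip dns has no per-server port setting.
/ip firewall nat remove [find chain=dstnat comment~"DNSCrypt fake resolver"]
/ip dns set servers=192.168.88.5,192.168.88.6 allow-remote-requests=yes

# --- Check from the router's own terminal (SSH or serial), not from
# WinBox: WinBox resolves hostnames on the PC, which hides the failure.
:put [:resolve mikrotik.com]
/ip dns cache print
```

The `:resolve` call goes through the router's own DNS client, so it fails under Setup 1 and succeeds under Setup 2, which is the difference the thread took several posts to pin down; the `/ip dns cache print` afterwards should show the entry the router just cached. Assigning the extra addresses to the DNSCrypt host and making each listener bind to its own address on port 53 is done on that server, outside the router, and is not shown here.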