Split DNS / Website won't open

Hey Guys,

I have several problems opening websites in networks with a MikroTik RB3011 as router.

Customer 1 has an internal AD domain customer1.de; his website is hosted externally, so I set up some split DNS for www.customer1.de → IP of the web server. This worked fine for several months.
Now, without any updates or changes, the website won't open. If I look it up, everything is fine, and if I open the site via IP it works. For customer 1 I did a workaround: I set up a web proxy on the RB3011 and the websites open.

Now customer 2.
He has some web service on an internal server; specifically he has two web servers on one server (no internal AD domain):
Service 1:
https://my.cust2.de:14145: the DNS is set with an A record externally to the WAN IP of the RB3011, and here DST-NAT to the internal IP → WORKS
Internal clients use the RB3011 as DNS; here I created a static record for the internal IP of the web server → WORKS

Service 2:
https://ai.cust2.de:14149 → like Service 1, A record, external WORKS
Internal clients ask the RB3011; the lookup works, but here the website won't open.
If I try to open https://my.cust2.de:14149 it works, but the certificate is wrong.

Does anybody know what I mean and maybe has the same issue?

One important concept you need to understand about DNS is this:
It is NOT POSSIBLE to reliably operate a network with multiple DNS servers, all visible to the same router and client, where these DNS servers return different information.
So, when you install a MikroTik router and input the DNS server addresses, you CANNOT enter the DNS of AD and a DNS on the internet as two DNS servers.
THAT WILL NOT WORK CORRECTLY and you will be pulling your hair forever.

Either input only internal DNS servers that also work as resolvers for internet domains, OR input only external DNS servers in your router. Never both.
This is because there is NO priority order in querying DNS (it will not try the first server and then the second server when the first one fails) and there is no “well this server returns NOT FOUND so let’s try the other server” kind of lookup.

I agree with @pe1chl,
The only exception in terms of priority would be between static and dynamic DNS entries, where the static ones are more preferred, but that does not indicate that the static will always be used…
https://help.mikrotik.com/docs/display/ROS/DNS

Hey,

Thank you, I never propagate more than one DNS server if I don't know that both have the same database (2 or more domain DNS servers).

So that's not the problem here. Customer 1 has one DNS server (domain controller); this is the only one the clients ask for lookups. Customer 2 has only the RB3011 as DNS server.

So DNS is not the main problem, I think, because nslookup resolves correctly; just the browsers don't open the website (connection refused).

Then set in the RB3011 that the Domain Controller is the DNS server.
When you look in IP->DNS you should see only the IP of the Domain Controller(s).
When you also see “dynamic entry” with another IP, go to the connection protocol where these are set (PPPoE, DHCP, ..) and remove the “use DNS” checkmark there.
Now, the query will always be via the Domain Controller and the result will always be the same.
Now it either works or does not work, that depends on what IP the Domain Controller returns for the website (and also can depend on possible hairpin NAT requirement).

Not even that! Both static and dynamic servers are used in a round-robin fashion, using the servers that respond the fastest more often.
I can easily see that in a router where I have statically configured DNS servers plus the dynamic entry added by an LTE stick used as backup. Even when the main link is up, there still is DNS traffic via the stick. Only a little, because it has high latency, so it mainly uses the static servers, but once in a while it sends a lookup to the dynamic server to compare the latencies.
The only priority in the MikroTik DNS resolve is that DoH will be used when available, in favor of the configured DNS servers.

If I read it correctly, what you really want is to allow internal clients to access an internal server that's otherwise available publicly (ports forwarded from the public address). If that's the case, then forget about messing with DNS, let everyone use the hostname pointing to the public address, configure hairpin NAT (if clients and server are in the same subnet) and live happily ever after without any troubles and worries, because it will just work. See e.g. https://forum.mikrotik.com/viewtopic.php?t=179343 (it's actually much, much simpler than the length of that post suggests).

Not even that! Both static and dynamic servers are used in a round-robin fashion

Well, that's what the manual says in the first paragraph…
When both static and dynamic servers are set, static server entries are more preferred, however, it does not indicate that static server will always be used (for example, previously query was received from a dynamic server, but static was added later, then a dynamic entry will be preferred).
https://help.mikrotik.com/docs/display/ROS/DNS

I'll try to explain again. DNS isn't the problem. If I look up my.custom1.de I get 10.10.10.10.
If I type https://10.10.10.10:whatever the website opens; if I type https://my.custom1.de:whatever the website won't open.

You can see exactly this behaviour when the browser uses some other resolver than the rest of the system. When you check the hostname using nslookup or when you ping it, you get 10.10.10.10 and it works. Then the browser uses some remote DoH resolver and gets the public address. And it doesn't work. The foolproof solution is to make it work with the public address, regardless of where clients are (internal/external).

ahhh shit, that's what I didn't try; I tried Edge, Chrome, Firefox but never checked whether they use some other DNS server… thanks for this hint, I'll check it tomorrow

Yes, if my browser uses DoH, split DNS doesn't work. This is the case where hairpin NAT comes in handy, isn't it?
Thanks

Yes? I think NAT is the problem in this case, because without split DNS the internal clients look up the external IP address and go from the internal network to the LAN/bridge interface of the router, then to the WAN interface, and there they stop because the connection went from in to out but has to go in again. I don't know how to fix this correctly; because of that I normally use split DNS.

NAT is fact of life … so is becoming DoH. So one has to solve issues by taking both into account and currently hairpin NAT is the best (only?) solution.

Your understanding of hairpin NAT is slightly flawed: packets don't go out and in again; they are handled when they first hit the NAT-performing router. A router can perform multiple actions on the same packet in a well-known sequence, and SRC-NAT and DST-NAT are two such actions … studying the packet flow description reveals that DST-NAT is performed earlier (part of the pre-routing function block) while SRC-NAT is performed later (part of the post-routing function block). Hairpin NAT simply means that a packet gets both SRC-NATed and DST-NATed; normal NAT only performs one of those actions (DST-NAT on packets arriving from the internet and being forwarded to a LAN server, and SRC-NAT on packets arriving from the LAN and targeting a WAN server).
When the server is in the same LAN as the client, hairpin NAT (both NATs) is strictly necessary or else connections fail. When the server is in another LAN (but can be behind the same firewall / NAT router), ordinary DST-NAT is sufficient.
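The RouterOS configuration the thread converges on, as an added example (not posted by anyone in the thread and not taken from MikroTik's documentation): the single-resolver setup from the "set the Domain Controller as DNS server" reply, and the hairpin NAT from the last two replies. The public address 203.0.113.10, WAN interface ether1, LAN 10.10.10.0/24 and domain controller 10.10.10.5 are placeholders; the server address 10.10.10.10 and ports 14145/14149 come from the thread.

```routeros
# --- 1. One resolver only: stop DHCP/PPPoE from adding a dynamic DNS entry ---
# A dynamic upstream that answers differently from the DC is exactly the
# "two resolvers, different answers" situation pe1chl warns about.
/ip dhcp-client set [find] use-peer-dns=no
/interface pppoe-client set [find] use-peer-dns=no
# Router forwards every query to the domain controller (placeholder 10.10.10.5)
/ip dns set servers=10.10.10.5 allow-remote-requests=yes
# Check: "servers" shows only the DC and "dynamic-servers" is empty
/ip dns print

# --- 2. Port forward + hairpin NAT so the PUBLIC name works from the LAN too ---
# This makes browsers that resolve via DoH (and therefore get the public
# address) work without any split DNS at all.
/ip firewall nat
# DST-NAT keyed on the public address, NOT on in-interface=ether1, so it also
# matches LAN clients connecting to the public address.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=14145 \
    action=dst-nat to-addresses=10.10.10.10 to-ports=14145 comment="Service 1"
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=14149 \
    action=dst-nat to-addresses=10.10.10.10 to-ports=14149 comment="Service 2"
# Hairpin: LAN client -> LAN server via the router. Without this SRC-NAT the
# server would answer the client directly from 10.10.10.10; the client expects
# the reply from 203.0.113.10 and drops it, so the connection fails. Only
# needed when client and server share a subnet; a server in another LAN
# behind the same router needs just the DST-NAT rules above.
add chain=srcnat src-address=10.10.10.0/24 dst-address=10.10.10.10 \
    protocol=tcp dst-port=14145,14149 action=masquerade comment="hairpin"
# Ordinary outbound masquerade for internet traffic stays as before
add chain=srcnat out-interface=ether1 action=masquerade

# Check: a LAN client opening https://my.cust2.de:14145 should show one
# connection to 203.0.113.10:14145 with reply-dst-address 10.10.10.10:14145
/ip firewall connection print where dst-address~"203.0.113.10:1414"
```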