Static DNS and local webserver problem ...

pekr · March 18, 2008, 8:08am

Hi,

we have our webserver on local address 10.10.10.10. We have fully routed network, no NAT except main router masquarade. I wanted our customers to have access to our webserver, as there is web presentation of our town touristic portal. In the past I solved it with some DST NAT tricks, because we used NATted networks, etc. But with our new ISP and one central point I decided to simply put our locally hosted domains as static DNS entries onto our main router.

Users have DNS=gateway IP adresses. Each node runs DNS server too, and it is chained to our main router. No secondary DNS on subsequent nodes. But - there seems to be some odd behavior from time to time. It just happened for the second time in one month, when I was not able to get to the webserver, because what DNS returned was public IP adress, and not our internal, static one.

I would like to ask, if my understanding is correct, that no matter what, static entry has ALWAYS precedence. But if it is so, how subsequent nodes could get to the public address? This could mean one thing - there is some bug with OS 3.3 we run on our central router?

Thanks,
Petr

Giepie · July 6, 2008, 2:42pm

Hi

I also use MT for my DNS. At the end/core router I have a dst-nat rule which targets ALL port 53 UDP and TCP ports and dst-nat it to that router’s address. Under

I have two dst-nat firewall rules, one for port53 UDP and one for port53 TCP. It dst-nat all DNS requests to that router’s IP. I have setup that router to exclude all requests from that router. Under IP/DNS/Settings I specified my actual upstream DNS servers. For me it works like a dream.

Here’s my DNS rules:

1 chain=dstnat action=dst-nat to-addresses=0.0.0.0/0 to-ports=53
src-address=!172.29.254.254 dst-port=53 protocol=tcp

2 chain=dstnat action=dst-nat to-addresses=0.0.0.0/0 to-ports=53
src-address=!172.29.254.254 dst-port=53 protocol=udp

Where 172.29.254.254 is the CORE (and DNS) router’s address. Be sure to exclude (=!) the IP on the interface of your gateway to your upstream DNS server.

The above rules basically dst-nat’s ALL dst:port53 traffic, EXCEPT when it’s coming from that router.

Hope it helps

alex_rhys-hurn · July 12, 2008, 7:55pm

Can you also achieve the same thing by setting the primary DNS server for the router to itself and then the secondary to your ISP DNS server?

Then get your DHCP clients to set their primary DNS server to the router?

Does that not also mean you are caching your DNS requests as well as serving the static records.

Are there any other benefits to doing this your way? (obviously my way means you dont have a good backup DNS server)

Rgds

Alex

Giepie · July 12, 2008, 8:10pm

You could do it that way, but some clients like static IP addresses and use any DNS server they can think of. Then they complain to you about bad service, meanwhile the problem is on their side.

I prefer to FORCE everyone to use the DNS I want them to use.

If you setup your CORE/DNS router to use itself as primary, it won’t make any difference, as the CORE/DNS router will always check itself first anyway. And it is important to have a decent backup DNS server too.

G

alex_rhys-hurn · July 15, 2008, 10:33am

Hi!

I am playing with this, but am not sure which ip address that should be in the src-address field with the NOT (!) feature.

I have three interfaces:

ether1 - to internet, public interface
ether2 - to WISP network (customers)
ether3 - Management network in my office.

A assume that I should have the ip address for ether1 as src-address=!196.x.x.x

Is that right?

Regards

Alex

Giepie · July 16, 2008, 1:42am

Hi Alex

Yes, according to your explanation you should use ether1’s IP. If you have more than one address on that interface and still not sure what address to exclude, you could setup an IP address list (/ip firewall address-lists) with all IP’s ON your CORE router, and choose =! under the advanced tab. This will make sure that none of the IP’s ON your router will be dst-nat’d.

Hope it helps!

G

alex_rhys-hurn · July 16, 2008, 5:32am

Hi Giepie

Well, this is totally dumbfounding me. When ever I put the following rules in to place my x86 Router reboots instantly, starts up and then reboots itself again. Over and over.

The funny thing is that it only does this with the LAN cables plugged in. If I take them out, the router runs, and I am then able to log in to the CLI and disable the two rules.

These are the rules:

1 X ;;; Force DNS Cache
     chain=dstnat action=dst-nat to-addresses=0.0.0.0-255.255.255.255 
     to-ports=53 src-address-list=!core-ip dst-port=53 protocol=tcp 

 2 X chain=dstnat action=dst-nat to-addresses=0.0.0.0-255.255.255.255 
     to-ports=53 src-address-list=!core-ip dst-port=53 protocol=udp

Where address list is:

Flags: X - disabled, D - dynamic 
 #   LIST                                       ADDRESS                        
 0   core-ip                                    196.207.23.22                  
 1   core-ip                                    172.16.1.253                   
 2   core-ip                                    41.215.5.17

And my Interface / ip addresses are:

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
     196.207.23.22/30   196.207.23.20   196.207.23.23   ether1                 
     172.16.1.253/24    172.16.1.0      172.16.1.255    ether2                 
     41.215.5.17/29     41.215.5.16     41.215.5.23     ether3

RouterOS is 3.10, on an Intel Pentium 3 with 512 Ram.

Can you see what I have done wrong with my rules? Also its very weird to see it cause a router reboot. I would expect stalled traffic or something instead.

Help appreciated.

Alex

Giepie · July 16, 2008, 5:52am

Hi Alex

It really is weird that the router reboots!

The only funny thing I can see in your rules are the to-address. Usually 0.0.0.0 would be entered as 0.0.0.0/0 and not 0.0.0.0-255.255.255.255. I haven’t tried it your way, but don’t really want to risk a router rebooting. Perhaps you should mail to support, probably a ROS bug.

I would write the rules as follow:

1 X ;;; Force DNS Cache
chain=dstnat action=dst-nat to-addresses=0.0.0.0/0
to-ports=53 src-address-list=!core-ip dst-port=53 protocol=tcp

2 X chain=dstnat action=dst-nat to-addresses=0.0.0.0/0
to-ports=53 src-address-list=!core-ip dst-port=53 protocol=udp

Further on you did everything correctly.

Give it a try and let us know! G

alex_rhys-hurn · July 16, 2008, 6:37am

Hey bwana!

I created those rules with winbox. Winbox shows the entries as 0.0.0.0/0 but in the CLI it shows them as 0.0.0.0-255.255.255.255

So I removed them and recreated them using the CLI and it still behaves the same way.

I will send some stuff to support, but I will have to plan a maintenance period with my clients so it will take a few days.

Thanks for the input!

Alex

Giepie · July 16, 2008, 6:42am

I added the same rules from CLI on a RB532A running 3.10, and it definitely comes as 0.0.0.0/0.

Did you perhaps upgrade from 2.9, or was that a clean MTROS3.x installation?

My RB532A was upgraded regularly throughout all the 2.9.x ranges up to 2.9.50 and then straight to MTROS3.0, then 3.4 I think and now 3.10.

Create a sipout.rif and mail it to support, even with your disabled rules. They could recreate your scenario and investigate if it’s a bug.

G