Static DNS record does not suppress external one?

There is RouterOS 5.25, with DNS server enabled.
All clients are configured to use ROS DNS only.

When “www.microsoft.com” is added to IP/DNS/Static as 10.20.30.40,
nslookup on client workstations returns multiple values - 10.20.30.40 and external ones.

How to suppress external DNS resolution for names presented in static DNS list?
I want to get 10.20.30.40 only.

Hi,
Please check your workstation's DNS entry. There should be only your router’s IP.

Yes, it is so, of course.

Please provide your DNS configuration.

Mikrotik Settings:

[admin@MikroTik] > /ip dns ex
# sep/20/2013 23:17:15 by RouterOS 5.25
# software id = N69E-277L
#
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 \
    servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
add address=10.20.30.40 disabled=no name=microsoft.com ttl=1d

[admin@MikroTik] > /ip dns pr
                servers: 
        dynamic-servers: 8.8.8.8, 8.8.4.4
  allow-remote-requests: yes
    max-udp-packet-size: 4096
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 452KiB

Workstation Settings (Ubuntu + NetworkManager):

$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

$ pgrep -fl dns
801 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec

$ cat /var/run/nm-dns-dnsmasq.conf
server=192.168.88.1

Workstation Check:

$ host microsoft.com
microsoft.com has address 64.4.11.37
microsoft.com has address 65.55.58.201
microsoft.com has address 10.20.30.40
microsoft.com mail is handled by 10 microsoft-com.mail.protection.outlook.com.

$ host microsoft.com 192.168.88.1
Using domain server:
Name: 192.168.88.1
Address: 192.168.88.1#53
Aliases: 

microsoft.com has address 65.55.58.201
microsoft.com has address 64.4.11.37
microsoft.com has address 10.20.30.40
microsoft.com mail is handled by 10 microsoft-com.mail.protection.outlook.com.

Hi,
I tested it on my network and it is working fine. Please try to redirect all DNS traffic to the router itself.

/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=53 protocol=udp src-address=192.168.88.0/24 to-ports=53

Hmmm…
It is very-very strange, but after adding this rule all works fine, as it should be.
And even after disabling this rule, all still works.

Good Luck

Client devices tend to have a DNS cache… Be sure in the future to clear the MikroTik’s cache as well as the computer you’re running the test on.
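
The symptom in this thread can be checked mechanically. The following is an added example, not part of the original posts: a POSIX shell function that reads `host` output and reports whether the static address is the only A record returned. The name `check_override` and the sample variables are assumptions made for this example; the sample answers are constructed from the `host` output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a static DNS override
# is the ONLY A record a resolver returns for a name.
#
# Flush caches before testing, as the last post advises. On RouterOS:
#   /ip dns cache flush
#
# Live usage (resolver and addresses as in the thread):
#   host microsoft.com 192.168.88.1 | check_override microsoft.com 10.20.30.40

# check_override NAME EXPECTED_IP   (reads host(1) output on stdin)
# Prints every A record that is not EXPECTED_IP.
# Exit status: 0 = only the override was returned
#              1 = override present, but other addresses leaked through
#              2 = override address missing from the answer
check_override() {
    awk -v name="$1" -v expected="$2" '
        # Match lines of the form: "<name> has address <ip>"
        $1 == name && $2 == "has" && $3 == "address" {
            if ($4 == expected) found = 1
            else { print "unexpected: " $4; leaked = 1 }
        }
        END {
            if (!found) exit 2
            exit (leaked ? 1 : 0)
        }'
}

# Constructed sample: the mixed answer reported in the thread.
sample_mixed='microsoft.com has address 65.55.58.201
microsoft.com has address 64.4.11.37
microsoft.com has address 10.20.30.40
microsoft.com mail is handled by 10 microsoft-com.mail.protection.outlook.com.'

# Constructed sample: the answer expected once the override is exclusive.
sample_clean='microsoft.com has address 10.20.30.40'

# Demo on the constructed samples.
printf '%s\n' "$sample_mixed" | check_override microsoft.com 10.20.30.40 \
    || echo "override not exclusive (status $?)"
printf '%s\n' "$sample_clean" | check_override microsoft.com 10.20.30.40 \
    && echo "override is the only A record"
```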