Static DNS records

Hello,

Googling did not help me, so I thought this is the place to ask.

My hAP ac2 is running 6.48.3. It is the only DNS server for devices on my LAN.
I’ve configured some static DNS records, and these hosts (A records) are being resolved as I want.
My upstream (DoH) DNS is NextDNS, which has logging. It shows that the Mikrotik regularly queries these hosts, which is a big and unpleasant surprise for me.

Why would it go to the upstream server if it has them in static? They are different from NextDNS anyway.

Is the NextDNS DoH upstream configured only on the hAP, or have you got it on the client computers as well? It may be that your clients are querying both in parallel in case one goes down, to avoid the delays inherent in serial querying.

Can you set up packet monitoring on the hAP to show that a DoH query goes out to NextDNS from the hAP when you do a DNS query on the client for one of your local static DNS entries?
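As an added example, not from the original thread, here is one way to carry out the check suggested above from the RouterOS console: publish a static A record, point the resolver at NextDNS over DoH with a device name in the URL, then sniff outbound TCP/443 on the WAN side while a LAN client resolves that record. The hostname nas.network.lan, the address 192.168.88.10, the WAN interface ether1, and the profile ID 1a2bc3d4 (the placeholder used in the NextDNS documentation) are assumptions; 45.90.28.0 and 45.90.30.0 are NextDNS's public anycast resolvers and are used only for the control run with DoH switched off.

```routeros
# Added example, not from the thread: reproduce the report on the hAP itself.
# Assumptions: WAN interface is ether1, the LAN host is 192.168.88.10,
# the NextDNS profile ID is the documentation placeholder 1a2bc3d4,
# and the NextDNS CA chain has already been imported for verify-doh-cert=yes.

# 1. A static A record that should never need an upstream lookup
/ip dns static add name=nas.network.lan address=192.168.88.10 ttl=1d

# 2. DoH upstream, tagged with a device name so NextDNS logs attribute queries to "Mikrotik"
/ip dns set use-doh-server="https://dns.nextdns.io/1a2bc3d4/Mikrotik" verify-doh-cert=yes allow-remote-requests=yes

# 3. Flush the cache so the first client lookup cannot be answered from it
/ip dns cache flush

# 4. Capture outbound TCP/443 on the WAN interface while a LAN client resolves nas.network.lan
/tool sniffer set filter-interface=ether1 filter-ip-protocol=tcp filter-port=443 filter-direction=tx memory-limit=1000KiB
/tool sniffer start
# ... on a LAN client, run:  nslookup nas.network.lan <router LAN address> ...
/tool sniffer stop
/tool sniffer packet print

# If the static table is consulted first, no new TLS exchange to NextDNS should appear above.
# If DoH sits in front of the static table, a TCP/443 exchange to NextDNS shows up here
# and the NextDNS log shows the name under the "Mikrotik" device.

# 5. Control run: disable DoH, fall back to plain upstream, flush and repeat the client lookup
/ip dns set use-doh-server="" servers=45.90.28.0,45.90.30.0
/ip dns cache flush
```

Compare the two sniffer captures and the NextDNS log entries for the same hostname; a query for the static name that only appears while DoH is enabled isolates the behaviour to the DoH code path rather than to the clients.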

The thing is, NextDNS allows you to identify clients, so I am sure this is the Mikrotik:

"Identify your devices
Follow the instructions below to identify your devices in Analytics and Logs.

DNS-over-HTTPS

Append the name to the provided URL (the name should be URL encoded).
For “John’s Firefox”, you would use https://dns.nextdns.io/1a2bc3d4/John’s%20Firefox as your DNS-over-HTTPS endpoint."

So I set up my router to identify as ‘Mikrotik’ and in the logs right now I can see that one of the hostnames in question was requested by:

“Mikrotik a minute ago”

So I have a similar setup using NextDNS.
I have added a few static DNS records that end in network.lan so I can assess network assets by name instead of IP.
Clients can ONLY use MT or NextDNS as DNS resolver. Everything else is blocked.
So I had a quick look in the NextDNS GUI and found nothing. I did, however, download the entire log and, hey presto, there they are. All my MT DNS resolvers are trying to resolve the internal static records I have added and, like you, I see them asking at regular intervals. I guess the reason I do not see them in the GUI is that they cannot be resolved. I will add all my records to NextDNS as well (as you can do this) and track it some more, but this is not how an A record should behave.
Have you created a case for this?

Hi,

No, I’m kind of new to dealing with Mikrotik, so no case created yet. And thanks for the tip, I did not know there was such functionality.

Perhaps that is related to the fact that type=FWD does not work if DoH is enabled… I hope Mikrotik will look into this and fix this/both issues.

The DoH function was added to the existing DNS resolver in a completely incorrect way.
Of course the correct thing to do would have been to add it as a next-level resolver the same way as the existing resolvers already were.
But it appears that once you enable DoH, it does not go as a resolver behind the existing static and cache function, but rather it is added in front of it.
So, it is not possible to combine static records with DoH mode. Disable DoH and it will work as you want (first look in cache and static records, and only query the configured resolvers when that does not yield a result).

I wonder if this is part of the CNAME issues I have. If you add a CNAME pointing at a public A record, it does not resolve. When you query the CNAME, it does not look up the A record and only provides a response if the A record is already in the cache.
I will turn off DoH as soon as I have access and test again.

Nope, that did not solve the CNAME issue I have (and have a case open for at MT).

Yes, the resolver really needs to be ditched and replaced with a working opensource resolver (there are several)…