I've configured conditional DNS forwarding via this guide: https://blog.johannfenech.com/mikrotik-conditional-dns-forwarding/
Everything looks good: all requests ending with my domain name are forwarded through OpenVPN to the domain DNS server, and these requests are NOT visible in the RouterOS DNS cache.
But when I try to do a gpupdate on my computer, I think that part of the DNS requests get to the domain server and part get to the internal RouterOS DNS:
It looks like the first request is correct, but the next one ended with an error:
And I see these requests in the cache too:
My questions:
How can these requests get to the RouterOS internal DNS resolver, when all other xxxx.mydomain.com requests are correctly forwarded to the outside domain DNS server?
Why are these requests logged with some strange IPs (it changes from time to time, now it's 119.156.152.116)? I've tried turning on logging on all input/fw/out/mangle rules and never caught any of these IPs really communicating with the router, and I have a firewall rule blocking outside DNS requests.
Looking at the article you’ve posted, it only deals with redirection of DNS requests coming to Mikrotik’s private LAN IP, so presumably from the LAN.
But your log shows that the requests which don't get redirected come from 118.251.24.116, which is a public IP address assigned to China Telecom. So unless you are really an expat, I guess these requests arrive at the WAN interface, which Johann's setup ignores. This suggests that your firewall isn't very tight and accepts at least DNS queries, if not something more, from outside.
So depending on what you actually want, you have to either tighten your firewall or modify the dst-nat rule so that it also handles requests coming in via WAN.
Thank you for your answer, I definitely don't want to see these IPs in the log.
I have drop rules on input port 53; the only accept rules I have are the defconf accept established+related, everything else is dropped.
Even when I put log rules at the very top of the firewall, logging everything that comes to port 53 through the WAN interface (and yes, I've tried all other interfaces too), these IPs never get logged (and this rule works well, I've tested it with a portscan).
And how is it possible that some external IP is asking the internal DNS in RouterOS the !SAME! DNS request at the same time as I send the gpupdate request from my computer (and part of this request is correctly forwarded by mangle to the domain DNS server, as I see in the mangle/dstnat logs)? It can clearly be my misconfiguration, but I cannot track how this external IP gets into the DNS log…
OK, now I got it, there are actually two issues: why your PC on the LAN sends DNS queries from a Chinese IP address, and why some queries to the same domain are redirected and some are not.
Regarding the first part I have no answer. If you tested the logging firewall rule for this address also on the LAN interface and it hasn't logged anything when you sent the gpupdate command, it must be a bug inside RouterOS, because src-nat rules are not used in the input chain, so no rule there can change the source address of the request.
Regarding the second part, regular expressions are normally case-sensitive; I don't remember whether that is the case with Mikrotik as well. So if domain names in some of the queries are in uppercase and in some in lowercase, this could be an explanation. I can also see that all of them are queries to SRV records, so I thought that the domain name may be encoded in some unusual format in the query packet so the regexp would not match on it, but RFC 2782 doesn't indicate any special encoding format for the query FQDN. So check the upper/lower case theory.
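The two theories in the answer above (upper/lower case, and how the name is encoded in the query packet) can be checked against the bytes a DNS query actually carries. The following Python script is an added example written for this thread; it is not code from the thread, from RouterOS or from Johann's guide, and the domain names, the `_ldap._tcp.dc._msdcs` SRV label and the regexps in it are placeholders. It encodes an SRV query the way a client puts it on the wire (RFC 1035 section 4.1: length-prefixed labels, so the dot between labels never appears as a byte), then compares what a regexp applied to the raw packet sees with what a resolver sees after decoding and case-folding the name.

```python
import re
import struct
from typing import Tuple

# Only the record types this example needs (RFC 1035 / RFC 2782 values).
QTYPE = {"A": 1, "SRV": 33}


def build_dns_query(qname: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question.

    Each label is written as <length byte><label bytes>; the name ends with a
    zero byte.  So 'mydomain.com' is put on the wire as b'\\x08mydomain\\x03com\\x00',
    and the byte between 'mydomain' and 'com' is 0x03, not an ASCII '.'.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    wire = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        wire += bytes([len(raw)]) + raw
    question = wire + b"\x00" + struct.pack(">HH", QTYPE[qtype], 1)  # QCLASS IN
    return header + question


def decode_qname(packet: bytes, offset: int = 12) -> Tuple[str, int]:
    """Walk the length-prefixed labels starting at `offset` (12 = right after the header).

    Returns (dotted name, offset just past the name).  Compression pointers
    (top two bits set) never appear in a question section, so they are rejected.
    """
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer inside question name")
        labels.append(packet[offset + 1 : offset + 1 + length].decode("ascii"))
        offset += 1 + length


def query_is_for_domain(packet: bytes, domain: str) -> bool:
    """Decide the way a resolver does: on the decoded name, case-insensitively
    (RFC 1034 section 3.1), matching the domain itself or any name under it."""
    name, _ = decode_qname(packet)
    name, domain = name.lower(), domain.lower().strip(".")
    return name == domain or name.endswith("." + domain)


def raw_regex_matches(packet: bytes, pattern: str, ignore_case: bool = False) -> bool:
    """Apply a regexp to the raw payload, which is all a packet-level matcher sees."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern.encode("ascii"), packet, flags) is not None


if __name__ == "__main__":
    # Constructed sample queries: the same SRV lookup once in upper and once in lower case.
    upper = build_dns_query("_ldap._tcp.dc._msdcs.MYDOMAIN.COM", "SRV")
    lower = build_dns_query("_ldap._tcp.dc._msdcs.mydomain.com", "SRV")
    print("wire bytes of the question name:", lower[12:].hex(" "))
    for label, pkt in (("UPPER", upper), ("lower", lower)):
        print(label,
              "escaped-dot regexp:", raw_regex_matches(pkt, r"mydomain\.com"),
              "wildcard-dot regexp:", raw_regex_matches(pkt, r"mydomain.com"),
              "wildcard-dot, ignore case:", raw_regex_matches(pkt, r"mydomain.com", True),
              "decoded+folded:", query_is_for_domain(pkt, "mydomain.com"))
```

Run it and the four columns tell the story: the escaped pattern `mydomain\.com` never matches on the raw packet, because the byte before `com` is the length 0x03 rather than 0x2E; the unescaped `mydomain.com` matches only because its dot is a wildcard; and it misses the upper-case query unless the regexp is compiled case-insensitively. Matching on the decoded, case-folded name is the only check that agrees with what the resolver will do. Whether RouterOS compiles its L7 regexps with or without case sensitivity is not something this script can tell you; it only shows what the difference looks like on a real query, so a Wireshark capture of the failing gpupdate lookups is the next thing to compare against.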
Thanks for all your information, I've ended up with the same answer: that it's some kind of bug with these external IPs… I was digging deeper into these gpupdate requests, but it's too complicated for me to understand why gpupdate is not working (in that case I just activate the OpenVPN client on the computer with the default route to the VPN and gpupdate runs smoothly; the domain is too big and complicated, with many subdomains and DNS servers). All other domain internal server/website DNS requests work just fine with my fw/mangle/l7 rules. Just a small piece of info: when I connect the OpenVPN client on a computer and perform gpupdate, I can then disconnect the OpenVPN client and try to re-run gpupdate again, and it works even without the local OpenVPN client running, so it has to be some DNS entries and the local computer's DNS cache pushing it through for a while after the OpenVPN client disconnects…
Just thanks for your time and have a nice day.