Two DNS servers behind one IP address?

Hello, I have installed AdGuard Home in a container on my home LAN network (192.168.0.254). On Mikrotik (192.168.0.1) I have a DNS over HTTPS server running. In the DHCP settings, I have assigned the DNS address of Mikrotik 192.168.0.1. I would like to keep only one DNS address in DHCP, and have Mikrotik redirect DNS traffic to AdGuard, and in case AdGuard goes down, Mikrotik would take over its role. Is such a scenario possible?

Thank you in advance for the valuable information!
Best regards

Settings on MikroTik:

DHCP server
 # ADDRESS         GATEWAY      DNS-SERVER
 0 192.168.1.0/24  192.168.1.1  192.168.1.1

DNS
                      servers: 
              dynamic-servers: 
               use-doh-server: https://1.1.1.1/dns-query
              verify-doh-cert: yes
   doh-max-server-connections: 5
   doh-max-concurrent-queries: 50
                  doh-timeout: 5s
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 2s
          query-total-timeout: 10s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 2048KiB
                cache-max-ttl: 1w
      address-list-extra-time: 0s
                   cache-used: 99KiB

NAT
1    ;;; Redirect DNS to AdGuard (UDP)
      chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=53 protocol=udp src-address=!192.168.1.254 dst-port=53 log=no log-prefix="" 

 2    ;;; Redirect DNS to AdGuard (TCP)
      chain=dstnat action=dst-nat to-addresses=192.168.1.254 to-ports=53 protocol=tcp src-address=!192.168.1.254 dst-port=53 log=no log-prefix=""

Script
:local adguardIP "192.168.1.254"
# /ping returns the number of replies received out of "count"
:local isAdguardAlive [/ping $adguardIP count=3]

# The rule comments are "Redirect DNS to AdGuard (UDP)" and "(TCP)"; find comment=
# only matches exactly, so a regex match (~) is needed to catch both rules.
:if ($isAdguardAlive = 0) do={
    :log info "AdGuard Home is down, disabling DNS redirection NAT rules."
    /ip firewall nat set [find comment~"^Redirect DNS to AdGuard"] disabled=yes
} else={
    :log info "AdGuard Home is up, enabling DNS redirection NAT rules."
    /ip firewall nat set [find comment~"^Redirect DNS to AdGuard"] disabled=no
}

In this configuration, websites don’t work. After disabling NAT rules, everything works flawlessly. There seems to be an issue with forwarding. Does anyone have any idea?

Tricky problem. It makes sense what you’re trying to do (e.g. DNS is always up, with AdGuard preferred), since you never know how multiple DNS servers are used by a client, so you want only one DNS provided to clients. All makes sense.

I’m not sure there is an easy solution however. Mikrotik DNS has a “FWD” entry but…

Currently, DoH is not compatible with FWD-type static entries, in order to utilize FWD entries, DoH must not be configured.

and even if it were allowed… if/how it checks that the fwd’ed server is up (e.g. an AdGuard DNS) is not clear.

The only idea I have is using another IP, say 192.168.0.2, as the DNS address in DHCP/etc for your clients & adding .2 as an /ip/address (or a VRRP interface would work too). Then use either policy routing or firewall mangle to send dst 192.168.0.2 port 53 to a new /routing/table with an /ip/route for 192.168.0.254/24 that uses check-gateway=ping. And after that… it still just checks if the AdGuard container is alive (pingable), not that it is working… I suppose a netwatch script could do a https check of DoH and disable the 192.168.0.254 route in the table to cover that case… But that’s a lot of config…

Basically all the complexity of a “multiwan”, for a single port (e.g. DNS).

I thought so too, that it would be possible, but not with my current level of knowledge :frowning: But I will tackle the topic in the future, when I gain a bit more experience! :slight_smile:
I’ll ask further… in the configuration as above, when I do an nslookup from a computer on the LAN, then:

> nslookup google.com 192.168.1.254
Server:  UnKnown
Address:  192.168.1.254

Non-authoritative answer:
Name:    google.com
Address:  142.251.36.46

> nslookup google.com 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

> nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

In this case, when there is a redirection, by specifying the Mikrotik DNS address, shouldn’t AdGuard be the one responding? Am I mistaken?

Hmm.
Are you sure AdGuard is NOT using Mikrotik as a DNS server? – that would create a loop.
Also, is AdGuard at 192.168.0.254 or 192.168.0.32? – or what’s !192.168.0.32 in your NAT

Might want to post your config (“:export file=dnsissues.rsc” at Terminal & download from files) & redact as needed.

192.168.1.1 = Mikrotik
192.168.1.232 = AdGuard = (lab environment: proxmox>ubuntu server>docker>container / home environment: truenas scale as app read container)

/ip pool
add name=dhcp-pool1 ranges=192.168.1.10-192.168.1.169
/ip dhcp-server
add address-pool=dhcp-pool1 interface=bridge name=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
add interface=namehere list=WAN
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,192.168.1.232 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=1.1.1.1
add address=1.0.0.1 name=1.0.0.1
add address=2606:4700:4700::1111 disabled=yes name=2606:4700:4700::1111 type=\
    AAAA
add address=2606:4700:4700::1001 disabled=yes name=2606:4700:4700::1001 type=\
    AAAA
add address=8.8.8.8 name=8.8.8.8
add address=8.8.4.4 name=8.8.4.4
add address=2001:4860:4860::8888 disabled=yes name=2001:4860:4860::8888 type=\
    AAAA
add address=2001:4860:4860::8844 disabled=yes name=2001:4860:4860::8844 type=\
    AAAA
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="TCP SYN" connection-limit=1,5 \
    connection-state=new protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP SYN" connection-state=new protocol=\
    tcp tcp-flags=syn   
/ip firewall nat
add action=masquerade chain=srcnat out-interface=namehere
add action=dst-nat chain=dstnat comment="AdGuard Redirect" dst-port=53 \
    protocol=udp src-address=!192.168.1.232 to-addresses=192.168.1.232 \
    to-ports=53
add action=dst-nat chain=dstnat comment="AdGuard Redirect" dst-port=53 \
    protocol=tcp src-address=!192.168.1.232 to-addresses=192.168.1.232 \
    to-ports=53
add action=dst-nat chain=dstnat comment=AdGuardNAT1 disabled=yes dst-address=\
    !192.168.1.232 dst-port=53 in-interface=bridge protocol=udp src-address=\
    !192.168.1.232 to-addresses=192.168.1.232
add action=dst-nat chain=dstnat comment=AdGuardNAT2 disabled=yes dst-address=\
    !192.168.1.232 dst-port=53 in-interface=bridge protocol=tcp src-address=\
    !192.168.1.232 to-addresses=192.168.1.232
add action=masquerade chain=srcnat comment=AdGuardNAT3 disabled=yes \
    dst-address=192.168.1.232 dst-port=53 protocol=udp src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat comment=AdGuardNAT4 disabled=yes \
    dst-address=192.168.1.232 dst-port=53 protocol=tcp src-address=\
    192.168.1.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=namehere routing-table=\
    main suppress-hw-offload=no

Hmm.. In both cases, AdGuard is running as a container.. maybe that’s where the problem lies, right?

Any idea?

That looks like it should work. Do the NAT rules’ packet counters go up? From the LAN, can you use nslookup to access the Pi-Hole at 192.168.0.32?

The alternative is that the 192.168.0.0/24 network is not bridged to the Pi-Hole, e.g. there are a few networking stops in the proxmox>Ubuntu+Docker>Pi-Hole container setup.

Having both up at the same time is possible, but I am not so sure you can “fail over” from ad guard to MT.
I would say you have to manually adjust the config.

For example

/ip firewall nat
add chain=dstnat action=dst-nat dst-port=53 protocol=udp src-address-list=!Adguard to-addresses=AdguardIP
add chain=dstnat action=dst-nat dst-port=53 protocol=tcp src-address-list=!Adguard to-addresses=AdguardIP

Direct all LAN traffic to the IP address of the AdGuard except those addresses which should not be redirected:
a. primarily the AdGuard IP itself, as it needs to go out to the internet for DNS (not loop to itself).
b. any other users that you don’t want going out via AdGuard.

By disabling the above rules then normal DNS should flow.
If your normal DNS is DOH DNS via Mikrotik that will be used.
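The earlier reply pointed out that pinging the container only shows it is alive, not that it resolves names, and this last reply describes the failover as disabling the redirect rules by hand. The script below, an added example and not code from the thread or from MikroTik, combines the two: it sends a real DNS query to AdGuard with :resolve and enables or disables the redirect rules according to the result. It assumes AdGuard at 192.168.1.232 and the two dst-nat rules from the exported config, both with the comment "AdGuard Redirect"; the probe name example.com and the script name adguard-healthcheck are constructed for the example. Because the router's own queries leave via the output chain, the probe is not caught by the dstnat redirect and really does reach AdGuard.

```routeros
# Added example, not part of the thread. Save as the source of
# /system script name=adguard-healthcheck and run it from a scheduler.
:local adguardIP "192.168.1.232"
# Constructed probe name; any name AdGuard is expected to resolve will do.
:local probeName "example.com"
:local healthy false

# :resolve raises an error when the server does not answer in time or
# returns a failure code, so a successful lookup means "actually working",
# which a plain ping cannot tell you.
:do {
    :local answer [:resolve $probeName server=$adguardIP]
    :if ([:len $answer] > 0) do={ :set healthy true }
} on-error={ :set healthy false }

# Both redirect rules carry the same comment, so one find returns both.
:local rules [/ip firewall nat find comment="AdGuard Redirect"]
:if ([:len $rules] = 0) do={
    :log error "adguard-healthcheck: no NAT rules with comment \"AdGuard Redirect\""
    :error "no redirect rules found"
}
# Read the state of the first rule; both rules are always toggled together.
:local currentlyDisabled [/ip firewall nat get [:pick $rules 0] disabled]

:if ($healthy = true) do={
    :if ($currentlyDisabled = true) do={
        :log info "AdGuard answers DNS again; re-enabling redirect rules"
        /ip firewall nat enable $rules
    }
} else={
    :if ($currentlyDisabled = false) do={
        :log warning "AdGuard failed the DNS probe; disabling redirect so clients fall back to the router's DoH resolver"
        /ip firewall nat disable $rules
    }
}
```

Schedule it with something like `/system scheduler add name=adguard-healthcheck interval=30s on-event=adguard-healthcheck`; the script only logs and changes rules when the state actually flips, so the log stays quiet while things are stable. Two caveats carry over from the thread: AdGuard must not use 192.168.1.1 as its upstream, or a redirect-plus-forward loop results, and when the clients and AdGuard share one subnet the redirected flow also needs the srcnat/masquerade rules (the disabled AdGuardNAT3/AdGuardNAT4 entries in the export), otherwise AdGuard replies to the client directly from 192.168.1.232 rather than from the address the client queried, and the client discards the answer.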