Weird DNS Issue on Mikrotik 3011

Hello all,

We are running into a weird DNS issue for one of our customers. Let me give a little context into the configuration before I describe the problem.

Site B—

Mikrotik 3011 - Comcast Internet
IP/DNS points to 8.8.8.8
LAN: 10.0.2.0/24
GW: 10.0.2.1
DHCP Scope: 10.0.2.50-10.0.2.150
DHCP DNS: 10.0.0.11, 10.0.0.6, 8.8.8.8
No Servers

Site A—

Mikrotik 3011 - Fiber Internet
LAN: 10.0.1.0/24
GW: 10.0.1.1
Servers: AD/DNS Server (10.0.0.11 and 10.0.0.6)

So, we have two sites that are fairly normal. Site B is a remote site that is connected to Site A via a PPTP VPN. All LOB apps that Site B accesses work normally. These LOB apps are hosted at Site A.

The Problem

We use software called Labtech to monitor our customer PCs. Labtech relies on resolving a specific public DNS name (msp.company.com resolved to 69.A.A.A we will say) in order for the PCs to report online. We received notice that all PCs at site B were offline. We began investigating and found that everything was actually online but reporting offline. After doing a bit of testing we found something odd…

When I log into the Mikrotik and ping msp.company.com through the ping tool (Tools\Ping) it actually resolves to the internal IP address of our Labtech server, which is not connected to this location or even the same network. So when I ping through Tools\Ping msp.company.com it resolves to 10.0.12.10. But if I ping through the terminal it resolves correctly to the 69.A.A.A public address. I had another tech log in and he can ping and resolve fine through all means.

We have cleared all caches on the DNS servers that DHCP points to. We have even created a static record on the Mikrotiks to point to the public IP but when I ping through the IP tool it always resolved to the local IP of the Labtech server.

I am more than happy to provide some information if needed.

It is very bizarre… thoughts?

You mean terminal on same router where it resolves wrong using Tools->Ping, or terminal on some different device? In any case, router must be getting the address from somewhere, so check your resolvers one by one (temporarily remove the other two) and it should give you the answer.




Also, we control the public DNS for this domain and I have validated that there are no public records pointing to this internal IP.

Thoughts?

I think it has to do with WinBox.
AFAIR Winbox resolves locally on the client it is running on whereas the terminal really makes the router resolve.
I just tested it on a local router over here and I can fully reconstruct this issue.
But it still does not explain why the host was suddenly resolved wrong for the clients…
-Chris

Yes, but it has to be pulling that 10.0.12.10 address from somewhere. That address is the internal IP on the Labtech server, which is not attached or on the same network at all. It is strange.

It’s definitely strange.
Was your local DNS resolving that address when you were connected to the suspect router via Winbox?

So one of the 10.-range DNS servers must have had the wrong address in its database.

-Chris

OMG! I just re-read what you said and it clicked. I have the Labtech server explicitly listed in my hosts file on my PC. So Winbox was resolving from my PC and the terminal was resolving from the router itself. Seems odd that it runs that way but I am sure there is a back-end reason. Doesn’t explain why the customer PCs are offline but I am beginning to think it is not related. I will dig in further. Thank you for your help!
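
The cause found in this thread (a hosts-file entry on the admin PC shadowing the DNS answer) can be checked for directly. The sketch below is an added example, not part of the original thread: it parses hosts-file text and compares it with the addresses a real DNS query returned. The sample hosts content and the 203.0.113.10 address (standing in for the thread's 69.A.A.A) are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample hosts file. On Windows the real file is
# C:\Windows\System32\drivers\etc\hosts; on Unix-like systems /etc/hosts.
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1       localhost
10.0.12.10      MSP.company.com labtech   # internal Labtech server
::1             localhost
not.an.ip       ignored.example
line-with-one-field
"""

def parse_hosts(text):
    """Return {lowercased name: [addresses]} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank or incomplete line
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # first column is not an IP
        for name in fields[1:]:                 # one address, many aliases
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def explain_resolution(name, hosts_text, dns_answers):
    """Compare the hosts-file answer for `name` with `dns_answers`, the
    addresses obtained from a real DNS query (for example from the router's
    terminal, or from nslookup pointed at one specific server)."""
    key = name.lower().rstrip(".")              # names are case-insensitive
    local = parse_hosts(hosts_text).get(key, [])
    return {
        "name": key,
        "hosts_file": local,
        "dns": list(dns_answers),
        # The hosts file wins on the client, so any mismatch is an override.
        "overridden": bool(local) and set(local) != set(dns_answers),
        "private_override": any(ipaddress.ip_address(a).is_private
                                for a in local),
    }

if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for the public address.
    print(explain_resolution("msp.company.com", SAMPLE_HOSTS, ["203.0.113.10"]))
```

Run it on the machine where the management client runs, passing that machine's own hosts file contents and the answer obtained from the router itself.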