Weird DNS Problems

I’ve stumbled on a weird DNS problem with my router setup. My LAN clients can’t reach one particular DNS server (my ISP’s), and the same server (set dynamically by the ISP’s DHCP) is also unreachable for MikroTik’s internal DNS server. If LAN clients use the default DNS handed out by DHCP (the router’s IP), name resolution fails. If I manually set Google’s DNS (8.8.8.8) in the router’s DNS settings, everything works.

It gets weirder: if I plug the PC directly into the ISP’s modem and obtain the same DNS via DHCP, everything works, so the ISP’s DNS is working.

As far as I can see, I have no address filtering, and I can’t figure out why Google’s DNS works and my ISP’s does not. How can I pinpoint where the packets get stuck?

My FIREWALL FILTERS:

# Address list "not_in_internet": special-purpose IPv4 ranges (private,
# loopback, link-local, documentation, CGNAT, multicast, reserved).
# Two forward-chain drop rules in /ip firewall filter reference it through
# src-address-list to discard packets arriving on a WAN interface with one of
# these source addresses.
# NOTE(review): 172.16.0.0/12 is listed here and is also the source range the
# IPTV rules trust on ether1-WAN-dyn; the ether1 drop rule that uses this list
# exempts that traffic with packet-mark=!iptv.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# Filter rules for traffic to the router itself (chain=input) and traffic
# routed through it (chain=forward). Rules are evaluated top to bottom and the
# first match decides, so order matters. Neither ICMP nor DNS is matched
# explicitly anywhere in this table.
# NOTE(review): several rules below set log-prefix without log=yes. The prefix
# only takes effect when logging is enabled on the rule, so those rules are
# silent; enable log=yes on them when tracing where packets are dropped.
/ip firewall filter
# input: drop packets connection tracking classifies as invalid.
# (gloss of the rule comment: "drop everything that is broken")
# log-prefix is set but log=yes is not, so nothing is logged here.
add action=drop chain=input comment=\
    "default configuration/pomecemo vse, kar je pokvarjeno / state = invalid" \
    connection-state=invalid log-prefix="drop invalid input"
# input: accept replies to connections that already exist, which includes
# answers to queries the router itself sent out.
# (gloss: "allow everything that is already established")
add action=accept chain=input comment="default configuration/dovolimo vse, kar\
    \_je ze vzpostavljeno / state = established, related" connection-state=\
    established,related
# input: accept everything arriving from the LAN bridge, with no protocol or
# port restriction. (gloss: "allow input to the router from my bridge")
add action=accept chain=input comment=\
    "dovolim imput na router iz mojega bridga (moj most)" in-interface=\
    LAN-bridge
# input: accept broadcast-destined packets on the dynamic WAN (IPTV).
# log-prefix without log=yes: not logged.
add action=accept chain=input comment="T2-iptv: Allow Broadcast Traffic" \
    dst-address-type=broadcast in-interface=ether1-WAN-dyn log-prefix=\
    "T2-iptv-allow broadcast traffiv"
# input: accept IGMP on the dynamic WAN (IPTV); this one is logged.
add action=accept chain=input comment="T2-iptv: Allow IGMP" in-interface=\
    ether1-WAN-dyn log=yes log-prefix="T2-iptv- allow IGMP" protocol=igmp
# input: accept any UDP from 172.16.0.0/12 on the dynamic WAN.
# NOTE(review): there is no dst-port or dst-address restriction, so every UDP
# service on the router is reachable from that source range on the ISP side
# (including the DNS resolver if remote requests are enabled; confirm).
# Consider narrowing the match to what IPTV actually needs.
add action=accept chain=input comment="T2-Iptv: Allow T-2 IPtv" in-interface=\
    ether1-WAN-dyn log-prefix=iptv-t2 protocol=udp src-address=172.16.0.0/12
# input: accept TCP/1194 on the static WAN, logged.
# (gloss: "open tcp 1194 on the static uplink for VPN")
add action=accept chain=input comment="Odprem tcp 1194 na statiki za VPN" \
    dst-port=1194 in-interface=ether10-WAN-stat log=yes log-prefix=\
    "vpn povezave" protocol=tcp
# input: default deny for everything not accepted above, logged.
# (gloss: "drop all remaining input")
add action=drop chain=input comment="pomecem stran ves ostali input" log=yes \
    log-prefix="drop rest of the input"
# forward: fasttrack established/related connections.
# (gloss: "everything already established goes to a fasttrack connection")
# NOTE(review): packets of fasttracked connections bypass later filter and
# mangle processing, so the "iptv" packet mark set in /ip firewall mangle may
# not be applied to them; confirm this is acceptable for the IPTV flows.
add action=fasttrack-connection chain=forward comment=\
    "forward - vse, kar je ze vzpostavljeno, damo v fastrack connection" \
    connection-state=established,related
# forward: accept established, related AND new connections.
# (gloss: "accept everything that is Established, Related")
# NOTE(review): the rule comment names only established/related, but the match
# also includes "new". Because this rule precedes every forward drop rule, all
# new connections are accepted here regardless of interface, and only invalid
# or untracked packets reach the rules below. The two drop rules that match
# connection-state=new can never fire, so the forward chain does not restrict
# connections initiated from either WAN interface. To make the rules below
# effective, change the match to connection-state=established,related.
add action=accept chain=forward comment=\
    "EstabliForward - sprejmemo vse, kar je Established, Related" \
    connection-state=established,related,new
# forward: drop invalid packets, logged.
# (gloss: "drop everything that is broken")
add action=drop chain=forward comment=\
    "forward - default configuration/pomecemo vse, kar je pokvarjeno" \
    connection-state=invalid log=yes log-prefix="drop invalid forward"
# forward: drop new connections from the dynamic WAN that are neither
# dst-natted nor marked "iptv".
# (gloss: "drop everything from the dynamic net that is not natted or marked
# iptv by mangle")
# Unreachable while the accept rule above includes "new"; log-prefix without
# log=yes, so it would not log even if it matched.
add action=drop chain=forward comment="forward pomecemo vse iz dinamicnega net\
    a, nar ni \"natted\" ali z manglom markirano kot \"iptv\"" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-WAN-dyn log-prefix="!NAT mecem, kar ni oznaceno kot iptv" \
    packet-mark=!iptv
# forward: same policy for the static WAN.
# (gloss: "drop everything from the static net that is not natted")
# Also unreachable for the same reason. in-interface-list=all adds nothing
# next to in-interface=ether10-WAN-stat. log-prefix without log=yes.
add action=drop chain=forward comment=\
    "forward pomecemo vse iz staticnega neta, nar ni \"natted\"" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether10-WAN-stat in-interface-list=all log-prefix="mecem, kar ni nated"
# forward: drop packets from the dynamic WAN whose source is in
# not_in_internet, unless marked "iptv".
# (gloss: "drop packets from the dynamic net that have no public IP or are
# not marked iptv")
# With the current accept rule only untracked packets can reach this point.
# log-prefix without log=yes.
add action=drop chain=forward comment="forward - pomecemo pakete iz dinamicneg\
    a neta, ki nimajo javnega ip-ja ali z manglom markirano kot \"iptv\"" \
    in-interface=ether1-WAN-dyn log-prefix="mecem, kar ni lokalnp" \
    packet-mark=!iptv src-address-list=not_in_internet
# forward: drop packets from the static WAN whose source is in
# not_in_internet.
# (gloss: "drop packets from the static net that have no public IP")
# log-prefix without log=yes.
add action=drop chain=forward comment=\
    "forward - pomecemo pakete iz staticnega neta, ki nimajo javnega ip-ja" \
    in-interface=ether10-WAN-stat log-prefix="!public mecem, kar ni javno" \
    src-address-list=not_in_internet
# forward: drop packets from the LAN bridge whose source is outside
# 10.10.10.0/24 (anti-spoofing for the LAN side).
# (gloss: "drop packets from the LAN that have no local address")
# log-prefix without log=yes.
# NOTE(review): there is no final drop rule in the forward chain; anything not
# matched above is accepted by default.
add action=drop chain=forward comment=\
    "forward - pomecemo pakete iz LANa, ki nimajo lokalnega naslova" \
    in-interface=LAN-bridge log-prefix="LAN ki ni LAN" src-address=\
    !10.10.10.0/24
# Mangle: tag UDP arriving on ether1-WAN-dyn from 172.16.0.0/12 with the packet
# mark "iptv". The forward drop rules in /ip firewall filter use
# packet-mark=!iptv to exempt this traffic. passthrough=yes lets later mangle
# rules still see the packet.
# NOTE(review): the mark is granted on source address and protocol alone, so
# any ISP-side host sending UDP from 172.16.0.0/12 gets the exemption; consider
# also matching the IPTV destination (for example the multicast range) if it
# is known. log-prefix is set without log=yes, so marking is not logged.
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=ether1-WAN-dyn \
    log-prefix=markiram new-packet-mark=iptv passthrough=yes protocol=udp \
    src-address=172.16.0.0/12
# NAT: source-NAT (masquerade) everything leaving through ether1-WAN-dyn.
# NOTE(review): this is the only NAT rule shown. The filter rules reference a
# second uplink, ether10-WAN-stat, which has no srcnat rule here, so LAN
# traffic (10.10.10.0/24) routed out that interface would leave with its
# private source address. The routing table is not shown; check which uplink
# the route to the ISP resolver actually uses.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-WAN-dyn