Landver
just joined
Topic Author
Posts: 7
Joined: Mon Sep 19, 2016 9:25 am

Timer for DNS resolve is too short

Tue Oct 18, 2016 11:40 am

Hi guys.
To make a nice filter against malware sites I added 2000 DNS addresses in Firewall >> Address List.

The problem is that MikroTik makes a DNS resolve of those 2000 sites every few seconds. So it opens 2000 sessions every few seconds, which harms the network a lot.

I see 2 options to solve that problem:
1) stop using DNS addresses in the Address List
2) change the timer for DNS resolve from a few seconds to 1 day

How can I achieve the second option?
 
Splash
Member Candidate
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Timer for DNS resolve is too short

Tue Oct 18, 2016 2:56 pm

There isn't a way to set a minimum TTL for cached DNS entries. Depending on how static this list is, one option (be it painful unless you script it) is to add a static entry for each address and set a TTL for it. Adding a static entry will stop the router having to look up the hostname on a remote DNS server and keep it in memory for faster lookups.

*Just an idea*

You could do the script in Excel or the Linux CLI, depending on what your flavour of OS is.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Timer for DNS resolve is too short

Wed Oct 19, 2016 4:30 am

DNS in the firewall's address list uses the TTL from the records, so some of them will be resolved very often. IMHO it wasn't meant for this kind of use. You would have better luck if you did your blocking by setting static DNS records in IP->DNS. But you would have to make sure that clients use your router as their resolver.
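Splash's "script it" suggestion and Sob's static-record approach, as an added example that is not from this thread or from MikroTik: a POSIX shell helper that turns a plain hostname list into `/ip dns static add` commands with a one-day TTL, pointing every blocked name at a sinkhole address so the router answers locally instead of re-resolving upstream. The sinkhole address (default 127.0.0.1), the `malware-block` comment and the input file name are assumptions; the hostname list is constructed.

```bash
#!/bin/sh
# Generate RouterOS static DNS records from a hostname list (added example).
# Each valid name becomes: /ip dns static add name=<host> address=<sinkhole> ttl=1d
# The output file can then be loaded on the router with /import.

SINKHOLE="${SINKHOLE:-127.0.0.1}"   # assumption: address blocked names resolve to
TTL="${TTL:-1d}"                    # RouterOS duration: one day

# Read hostnames on stdin, one per line; emit one RouterOS command per name.
# Blank lines and '#' comments are dropped, names are lower-cased, and each
# name must match a conservative hostname pattern so a stray character in the
# list cannot smuggle extra RouterOS commands into the generated script.
gen_static_dns() {
    while IFS= read -r line || [ -n "$line" ]; do
        host=$(printf '%s' "$line" \
            | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
            | tr '[:upper:]' '[:lower:]')
        [ -z "$host" ] && continue
        case "$host" in
            *[!a-z0-9.-]*|.*|*.|*..*)
                echo "skipping invalid hostname: $host" >&2
                continue ;;
        esac
        printf '/ip dns static add name=%s address=%s ttl=%s comment=malware-block\n' \
            "$host" "$SINKHOLE" "$TTL"
    done
}

# Constructed sample list. Real use: gen_static_dns < hosts.txt > block.rsc,
# upload block.rsc to the router, then run /import file-name=block.rsc
SAMPLE='bad.example.com
# comment line
  Evil.Example.NET
not a hostname
'
printf '%s' "$SAMPLE" | gen_static_dns
```

Clients only see the sinkhole answers if they use the router as their resolver, as Sob notes.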
