Hi,
I have a Mikrotik CCR1009, when I want to check for update, it is always error as follows. I have set up DNS, internet works fine.

[brg3466@CCR1009] > /system package update check-for-update
channel: current
current-version: 6.41.3
status: ERROR: could not resolve dns name

[brg3466@CCR1009] > ip dns print
servers: 8.8.8.8,8.8.4.4
dynamic-servers: 75.75.75.75,75.75.76.76
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 18KiB

I can ping 8.8.8.8 but cannot ping www.google.com

[brg3466@CCR1009] > ping www.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server
[brg3466@CCR1009] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 59 17ms
1 8.8.8.8 56 59 8ms
2 8.8.8.8 56 59 9ms
sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=11ms max-rtt=17ms



Anything I am missing in the configuration ?

Thank you !

The difference I see with my router is that allow-remote-requests is set to yes while yours is set to no.

allow-remote-requests set to YES. this tells the Mikrotik to respond to DNS request from other network devices.
when it is set to NO, Mikrotik will only use the DNS server set here for DNS request from itself
so the DNS setting here should allow you to ping google from the terminal.

check your firewall, in case it drops DNS request on the output chain.

Hi, thank you for the suggestions.

I set the allow-romote-requests to "yes" but doesn't work. Any other suggestions ?

[brg3466@CCR1009] > ip dns print
servers: 8.8.8.8,8.8.4.4
dynamic-servers: 75.75.75.75,75.75.76.76
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 25KiB

[brg3466@CCR1009] > ping www.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server

Hi ,
I checked firewall filter rules, it seems I found where the issue is. The below filter rule block the dns.

5 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

If I disable it, check-for-update works normal. Any suggestion to modify this rule ?

I also have that rule and have no problem checking for updates via winbox???

Your rule to drop anything on chain=input is fine ... but before that you need some other that accept connections you want to allow. For example connections with connection state established or related. You need to allow those to maintain connections initiated from router itself.
If you're extra paranoid, you can only enable them when you know it's fine for router to access internet, e.g. when you want to check for updates. And disable them after you're done.

Thank you , mkx !

Before drop everything in the input , I inserted a filter rule to accept established connection in the input chain. It works now !

And thank all for your valuable inputs , have a nice weekend !