Long DNS timeouts

Posted: Fri May 03, 2019 8:34 pm
by Åndrew
Hi there. I've been using my Mikrotik hEX now for about a year. Yesterday I switched ISPs though and I haven't been able to get it to work right since then. It seems to take forever to do a DNS lookup. See https://www.dropbox.com/s/svzzh46bjdgk5 ... S.mp4?dl=0 for an example. Once the DNS has been cached it works fine.

In the router setup, it's using Google's DNS (8.8.8.8, 8.8.4.4) but those are greyed out and in "auto" mode and it doesn't seem like I can change them. I tried adding OpenDNS' records as well but I'm not sure if that's even the problem or not. I also switched my Mac to using OpenDNS, thinking that would bypass the router's DNS lookup but it hasn't helped.

Also, if I route through NordVPN everything works smoothly as I assume once the tunnel is open all the Mikrotik has to do is route the traffic. Right now I have the ethernet cable from the ISP's equipment going straight into my Mac and everything's fine.

I did a software reset, tried using the recommended settings, and also did a reset and tried configuring myself and haven't been able to resolve this issue. If anyone has any suggestions I'd appreciate it.

Thank you.

Re: Long DNS timeouts

Posted: Sat May 04, 2019 1:12 pm
by cieplik206
Is the router itself resolving DNS well?

Check it in ping tool or in console.

Paste
/ip dns export here

Re: Long DNS timeouts

Posted: Sat May 04, 2019 2:44 pm
by Paternot
You changed ISP. So, the connection changed too. Is it pure DHCP? Is it PPPoE? Was it one thing, and the new router uses another?

Why do I ask?

Because several connections have the option "Use Peer DNS". If it is checked, your router will use the DNS server of the ISP - and maybe these are slow.

Take a look at your configuration, and see if you can uncheck the option.

If it is already unchecked, there is another possibility: your ISP is intercepting your DNS queries, and changing them. Yes, some ISPs do this. One sure tell is when you no longer get the "could not resolve host name" error - the browser is directed to some generic site, with lots of advertisements.

Yes, this is immoral. Yes, it breaks the DNS system completely. But some ISPs do it.

Re: Long DNS timeouts

Posted: Sat May 04, 2019 3:46 pm
by Åndrew
Thank you both for your ideas.

[admin@MikroTik] > /ip dns export
# may/04/2019 08:17:41 by RouterOS 6.44.3
# software id = GF0B-N7VV
#
# model = RouterBOARD 750G r3
# serial number = 6F3908E9E80C
/ip dns
set servers=208.67.222.222,208.67.222.220
/ip dns static
add address=208.67.222.222 name=208.67.222.222
add address=208.67.222.220 name=208.67.222.220

Here's an example of a ping that worked, and one that didn't:

[admin@MikroTik] > ping example.com
SEQ HOST SIZE TTL TIME STATUS
0 93.184.216.34 56 48 28ms
1 93.184.216.34 56 48 24ms
2 93.184.216.34 56 48 24ms
sent=3 received=3 packet-loss=0% min-rtt=24ms avg-rtt=25ms max-rtt=28ms

[admin@MikroTik] > ping polaris.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server

The Polaris ping took maybe 5-10 seconds to come up with that error. When I came back 30 seconds later and tried again, after a couple seconds pause it was successful:

[admin@MikroTik] > ping polaris.com
SEQ HOST SIZE TTL TIME STATUS
0 45.60.31.71 56 50 25ms
1 45.60.31.71 56 50 24ms
2 45.60.31.71 56 50 29ms
sent=3 received=3 packet-loss=0% min-rtt=24ms avg-rtt=26ms max-rtt=29ms

As per the question of the type of connection it is: the old ISP was PPPoE and the new one provides a DHCP address. I removed the PPPoE configuration.

[admin@MikroTik] /ip dhcp-server> /ip dhcp-client
[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid, D - dynamic
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 yes yes bound 192.168.5.3/24

I turned off "use peer DNS" and things seem to be working now based on a short test. My computer is now telling me my DNS servers are 1.1.1.1 and 10.0.200.1 (I just pulled the OpenDNS entries out of there). Those are my ISP's DNS entries so I'm not sure how they're magically working now that I've turned "Use Peer DNS" off.

Now I'll just give it some time to see if it's actually fixed or just a blip.

Thanks again for your help.

Re: Long DNS timeouts

Posted: Sat May 04, 2019 3:56 pm
by cieplik206
Remove this as well, it is not needed:

/ip dns static
add address=208.67.222.222 name=208.67.222.222
add address=208.67.222.220 name=208.67.222.220

And your ISP via DHCP was giving you DNS servers that might be slow. By turning off use-peer-dns you told your router not to use the DNS provided by DHCP.

Re: Long DNS timeouts

Posted: Sat May 04, 2019 4:38 pm
by anav
Your config............
/ip dns static
add address=208.67.222.222 name=208.67.222.222
add address=208.67.222.220 name=208.67.222.220


OpenDNS addresses, 208.67.222.222 and 208.67.220.220

Re: Long DNS timeouts

Posted: Sun May 05, 2019 1:42 am
by Paternot
Your config............
/ip dns static
add address=208.67.222.222 name=208.67.222.222
add address=208.67.222.220 name=208.67.222.220


OpenDNS addresses, 208.67.222.222 and 208.67.220.220
Weird thing is, I did a DNS lookup and both 222 servers answered!

Re: Long DNS timeouts

Posted: Sun May 05, 2019 1:45 am
by Paternot
I turned off "use peer DNS" and things seem to be working now based on a short test. My computer is now telling me my DNS servers are 1.1.1.1 and 10.0.200.1 (I just pulled the OpenDNS entries out of there). Those are my ISP's DNS entries so I'm not sure how they're magically working now that I've turned "Use Peer DNS" off.

Now I'll just give it some time to see if it's actually fixed or just a blip.

Thanks again for your help.
I don't know which server 1.1.1.1 is, but 10.0.200.1 must be your intranet default gateway. Makes sense, since you disabled the "use server DNS". Now it is your router that is doing the heavy lifting.

Re: Long DNS timeouts

Posted: Sun May 05, 2019 3:53 am
by Åndrew
Here's what I have now:
[admin@MikroTik] > /ip dns export
# may/04/2019 20:50:34 by RouterOS 6.44.3
# software id = GF0B-N7VV
#
# model = RouterBOARD 750G r3
# serial number = 6F3908E9E80C
/ip dns
set servers=208.67.222.222,208.67.220.220

I removed the static DNS entries and changed the second OpenDNS IP address. When things work, they work, but maybe 10% of the time a page will time out the first time I visit it, or just take a long time to resolve. Even with speed tests, sometimes they'll do the download against a new server and repeatedly fail the upload until it works; sometimes it will work the first time, and sometimes it won't work at all.

I don't THINK this is on my ISP's end as when I had the ethernet plugged into my computer directly things seemed to work well for several hours. But I'm not sure.

Also, I thought if I removed those two "set servers" completely from DNS it would pick up the ISP's settings, but it seemed like all it did was knock me offline so I put them back.

Thanks again for your help.

Re: Long DNS timeouts

Posted: Sun May 05, 2019 3:12 pm
by Paternot
It should work, with two remote DNS servers. I did test them, and they work ok for me.

But, first, let's clarify some things.

1) At the connection tab, you can make the Mikrotik use the DNS server given by your ISP - or not. If you uncheck the "Use Peer DNS" option, your router will do the name resolution itself. Problem is: the clients (your desktop) will not have a DNS server to use, and won't resolve anything. That is where step 2) comes in.
2) At IP/DNS, you can check the "Allow Remote Requests" box. This will turn your router into a recursive DNS cache. That is: it will do the DNS heavy lifting for the clients.

== VERY IMPORTANT ==

Before checking the "Allow Remote Requests" box, confirm that your firewall is denying DNS queries that come FROM the internet. Time and again we find someone who doesn't do this, and the router gets used in DDoS attacks.

That said, I still find your problem odd. Unless, of course, the culprit is the remote DNS server, not yours. Could it be that some of the domains you access are overloaded? Maybe it is their problem, not yours.
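The two steps and the firewall caveat above, as an added RouterOS CLI example that is not part of the thread. It assumes ether1 is the WAN interface (as in the dhcp-client output earlier) and that the LAN side is a bridge named bridge; the upstream servers are the OpenDNS addresses already used in this thread.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, bridge = LAN.

# Step 1: stop taking the ISP's resolvers from DHCP; the router resolves itself.
/ip dhcp-client set [find interface=ether1] use-peer-dns=no

# Weak setting: enabling the cache with nothing in front of it means the router
# answers DNS for anyone who can reach it, including the internet side, which is
# what lets it be abused as an amplifier.
/ip dns set allow-remote-requests=yes

# Corrected: drop DNS queries arriving on the WAN before any accept rule.
# Filter rules are evaluated top-down; place-before=0 puts these at the top.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="Drop DNS queries from the internet" place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="Drop DNS (TCP) queries from the internet" place-before=0
# LAN clients may still use the router as their resolver.
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept \
    comment="Allow DNS from LAN"
add chain=input in-interface=bridge protocol=tcp dst-port=53 action=accept \
    comment="Allow DNS from LAN (TCP)"

# Step 2, only after the firewall is in place: recursive cache for the clients,
# pointed at the upstream resolvers instead of the ISP's.
/ip dns set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220

# Verify: the WAN drop rules should sit first, and their counters are the only
# port-53 counters that climb when traffic arrives from the internet.
/ip firewall filter print stats where dst-port=53
```

Hand the LAN clients the router's own LAN address as their DNS server (via the DHCP server's dns-server option) so they go through the cache rather than straight to the upstream resolvers.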

Re: Long DNS timeouts

Posted: Mon May 06, 2019 11:50 am
by Åndrew
I think that's finally sorted it out. I have added some firewall rules for port 53, removed my custom DNS IPs, and turned on "Allow Remote Requests" and "Use Peer DNS". It seems like everything's working the way it should. Thank you all very much; I wouldn't have figured that out on my own.