 
mali2003
just joined
Topic Author
Posts: 23
Joined: Sat Oct 21, 2017 1:15 am

Access List - resolving time DNS Names  [SOLVED]

Wed Nov 27, 2019 4:19 pm

Hello.

My situation:

I have a script which checks my entries (DNS names) in my firewall access list and rewrites the checked IP.
This script runs every 60 sec.

My question:

Is it necessary to do this?
Is there not a check inside RouterOS which checks, for example, the TTL and corrects the new IP automatically in the access list?

thx - regards
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Wed Nov 27, 2019 8:17 pm

You mean address lists...
There is a TTL value for every DNS name in the router's DNS cache.
However, this has nothing to do with the firewall... If an address is added to an address list then it's your concern whether that address must stay there or should be removed...
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Wed Nov 27, 2019 8:24 pm

It wasn't supported in the past, but for some time now (a few years, I guess) it's possible to add hostnames to an address list and RouterOS will automatically resolve them, watch the TTL and keep the addresses updated. The only change is that if you currently use src/dst-address, you'd need to replace it with src/dst-address-list and add the list with the hostname.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Wed Nov 27, 2019 11:25 pm

@sob exactly, it will resolve the host name...
So for example if the hostname is name.local which resolves to 1.2.3.4 and I add that entry to an address list, this means that 1.2.3.4 is in the list....
If name.local changes to 5.6.7.8 then it will be added to the list as well... so my list will have both 1.2.3.4 and 5.6.7.8... or even if it is not added, my list will have an address that no longer corresponds to the same host name...
I think what @mali2003 wants is a script that would delete 1.2.3.4 and replace it with 5.6.7.8

Edit: From a quick search it seems that if you add a DNS name as an address then the DNS name itself is added to the list without actually being resolved, so if that is what happens there is no need to worry about anything since it will be updated without the need for any script...
 
mali2003
just joined
Topic Author
Posts: 23
Joined: Sat Oct 21, 2017 1:15 am

Re: Access List - resolving time DNS Names

Wed Nov 27, 2019 11:40 pm

Thx very much.
My question is solved now.
I do not need a script to delete entries, just update them and be sure there are always correct DNS names corresponding to their address.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Wed Nov 27, 2019 11:41 pm

Is the address in the address list resolved, or can you see the actual DNS name inside the list?
Haven't tested that yet...
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Thu Nov 28, 2019 1:16 am

You can see the name (that's what is saved in config) and you can also see the resolved address(es); resolving happens automatically at startup or when you add the item. Addresses are valid until the record's TTL expires and then they are resolved again.
 
mali2003
just joined
Topic Author
Posts: 23
Joined: Sat Oct 21, 2017 1:15 am

Re: Access List - resolving time DNS Names

Thu Nov 28, 2019 11:18 am

Sob wrote:
You can see the name (that's what is saved in config) and you can also see the resolved address(es); resolving happens automatically at startup or when you add the item. Addresses are valid until the record's TTL expires and then they are resolved again.

Thx, that's the way I expected it was supposed to be.
Now I know again why my script was necessary some time ago: as you described some posts ago, this feature was not implemented in previous firmware.

Sent from my MI 8 Lite using Tapatalk

 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Thu Nov 28, 2019 3:21 pm

Sob wrote:
You can see the name (that's what is saved in config) and you can also see the resolved address(es); resolving happens automatically at startup or when you add the item. Addresses are valid until the record's TTL expires and then they are resolved again.

@sob you make it more confusing to me. My question was: if I add a dst address to an address list and that dst address is a domain name, then in the address list will I see the domain name or the IP the domain name resolves to?
The way you explain it sounds like I will see both...
Anyway, I didn't have time to test it today...
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Thu Nov 28, 2019 4:34 pm

Let's put it like this, this is a real config:
/ip firewall address-list
add address=forum.mikrotik.com list=test
So the router saves "forum.mikrotik.com". But you'll see both this and the dynamic 159.148.147.205, which the hostname currently resolves to. After the TTL expires, it will be resolved again and if the address changes, the old one will disappear and the list will contain the new one.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Sat Nov 30, 2019 2:23 pm

@sob, I did as you said and yes, I could see the real IP for forum.mikrotik.com...
Then I flushed the DNS cache and added a static DNS entry pointing forum.mikrotik.com to another IP...
Nothing changed, no IP was renewed... inside the address list I was still seeing the previous IP...
Although of course when I pinged forum.mikrotik.com I was correctly getting a reply from the IP I manually added...
The DNS cache was showing the correct IP I manually added, but again no change inside the address list..!
So I don't think it works the way you say it does...!
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Sat Nov 30, 2019 5:48 pm

I'd say it's meant mainly to keep up with changes done outside of the router. So there's a hostname you don't control, you add it to an address list and if its target address changes, the router will update it after the TTL of the record in the address list expires. Yours can be viewed as a special case, but it still works like this; apparently it doesn't get any special handling. When you added forum.mikrotik.com to the address list, its TTL was X seconds. Then when you added the new static DNS entry, the address list didn't care, because the address it has is still valid for "X minus how long it took you to add the static entry" seconds. If you wait that long, it will be correctly updated.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Sat Nov 30, 2019 9:51 pm

Sob wrote:
Then when you added the new static DNS entry, the address list didn't care, because the address it has is still valid for "X minus how long it took you to add the static entry" seconds. If you wait that long, it will be correctly updated.

What do you mean? There was no TTL value inside the address list...
Also my static DNS entry had its TTL changed to 1 minute.. after that 1 minute, although I deleted the static entry, the address list was never updated to the real IP... it continued showing the previous IP.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Sat Nov 30, 2019 11:20 pm

The TTL in the address list is an internal thing, you don't see it.

So when you first added forum.mikrotik.com, the address list resolved it (using the local resolver) and stored the result with whatever TTL was in the local DNS cache (or what came from the upstream resolver if it wasn't in the local cache before). The default TTL for forum.mikrotik.com set on the authoritative server is currently two hours, so your record had a TTL anywhere between zero and that, depending on where and for how long it was already cached. Let's say it was the full two hours. It means that you or anyone else can do whatever you want with forum.mikrotik.com, the authoritative server can assign a different address, you can add a local override in IP->DNS, but the address list doesn't care: it has an address valid for two hours and only after that time will it try to resolve forum.mikrotik.com again.
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Sun Dec 01, 2019 9:13 am

What about when I did the opposite? First tested with the static entry that had its TTL set to 1 minute?
After that 1 minute I never saw the real IP in the address list.
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access List - resolving time DNS Names

Sun Dec 01, 2019 7:11 pm

Works here too. I added a static record for forum.mikrotik.com pointing to 127.0.0.1 with a one-minute TTL. Then I added forum.mikrotik.com to the address list and it got the address 127.0.0.1. I disabled the static record and it didn't affect the address list right away (as expected). But after a minute it expired and the address in the list changed to the real one from public DNS.
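The caching behaviour Sob lays out here and in the earlier two-hour-TTL post, as an added Python model; this is not RouterOS code and nothing from the thread, and it assumes the address-list entry simply keeps whatever TTL the local resolver handed it. The resolver data and the 192.0.2.10 override are constructed; 159.148.147.205 and the 7200 s / 60 s TTLs are the values quoted in the thread.

```python
# Added model (not RouterOS code) of an address-list hostname entry as Sob
# describes it: it stores the resolved address with the TTL it received and
# re-resolves only once that TTL has expired, whatever changes in between.
from dataclasses import dataclass, field

@dataclass
class FakeResolver:
    """Stand-in local resolver: static overrides beat the public answer."""
    public: dict
    static: dict = field(default_factory=dict)

    def resolve(self, name):
        return self.static.get(name) or self.public[name]  # (address, ttl)

@dataclass
class AddressListEntry:
    """address=<hostname> item: the name is config, address/expiry are dynamic."""
    hostname: str
    resolver: FakeResolver
    address: str = ""
    expires_at: int = 0

    def current_address(self, now):
        # Re-resolve only when nothing is held or the stored TTL ran out;
        # static-DNS edits made mid-TTL are not noticed until then.
        if not self.address or now >= self.expires_at:
            self.address, ttl = self.resolver.resolve(self.hostname)
            self.expires_at = now + ttl
        return self.address

PUBLIC = {"forum.mikrotik.com": ("159.148.147.205", 7200)}  # two hours, per Sob

def zacharias_experiment():
    """Entry first, static override afterwards: old address stays until 7200 s."""
    r = FakeResolver(public=dict(PUBLIC))
    e = AddressListEntry("forum.mikrotik.com", r)
    seen = [e.current_address(0)]
    r.static["forum.mikrotik.com"] = ("192.0.2.10", 60)  # constructed override
    seen.append(e.current_address(60))    # a minute later: still the old one
    seen.append(e.current_address(7200))  # TTL expired: override now picked up
    return seen

def sob_experiment():
    """Static 127.0.0.1 (60 s TTL) first, then the entry; disable is seen after 60 s."""
    r = FakeResolver(public=dict(PUBLIC), static={"forum.mikrotik.com": ("127.0.0.1", 60)})
    e = AddressListEntry("forum.mikrotik.com", r)
    seen = [e.current_address(0)]
    del r.static["forum.mikrotik.com"]    # static record disabled
    seen.append(e.current_address(30))    # within the minute: unchanged
    seen.append(e.current_address(60))    # expired: public answer
    return seen
```

The first function reproduces why Zacharias saw no change (the override landed inside a still-valid TTL), the second why Sob's short-TTL test did update.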
 
Zacharias
Forum Guru
Posts: 1083
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Access List - resolving time DNS Names

Sun Dec 01, 2019 8:08 pm

Sob wrote:
Works here too. I added a static record for forum.mikrotik.com pointing to 127.0.0.1 with a one-minute TTL. Then I added forum.mikrotik.com to the address list and it got the address 127.0.0.1. I disabled the static record and it didn't affect the address list right away (as expected). But after a minute it expired and the address in the list changed to the real one from public DNS.

Ok, I'll check it again tomorrow...

Edit: Tested again and it works... I guess I missed something the previous time I tested...
