nachopro
just joined
Topic Author
Posts: 17
Joined: Tue May 26, 2020 11:38 pm

Redirect outgoing DNS requests to internal DNS server

Wed May 27, 2020 12:13 am

Hi, I'm a new MikroTik user.
I used OpenWRT and Ubiquiti stuff in the past, but now I know I have no idea about networks xD.

I have a Pi-hole server at home. I want to filter any DNS request to external DNS servers and redirect it to the Pi-hole.

In the past I used this "simple" rule on my Ubiquiti's device:
{
   "service": {
      "nat": {
         "rule": {
            "1": {
               "description": "DNS Redirect",
               "destination": {
                  "address": "!10.0.0.3",
                  "port": "53"
               },
               "inbound-interface": "eth1",
               "log": "disable",
               "protocol": "tcp_udp",
               "type": "destination"
            }
         }
      }
   }
}

Now I'm trying to translate that to a NAT rule via WinBox with no success: all requests (except those made with drill) fail, i.e. Firefox or ping fails to load pages or to resolve domains to ping.
chain=dstnat action=dst-nat to-addresses=10.0.0.3 to-ports=53 protocol=udp src-address=!10.0.0.3 dst-address=0.0.0.0/0 in-interface-list=LAN dst-port=53 log=no log-prefix=""

My network diagram:
hEX @ 10.0.0.1
Pi-Hole @ 10.0.0.3

Any idea what I'm doing wrong?
Thanks!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Redirect outgoing DNS requests to internal DNS server

Wed May 27, 2020 12:38 pm

Make that src-nat, redirecting tcp/udp 53 to the Pi-hole.

dst-nat is traffic coming in and src-nat is traffic going out. Also have a look at hairpin in the wiki for traffic returning from the Pi-hole. And that is dst-nat traffic.
 
nachopro
just joined
Topic Author
Posts: 17
Joined: Tue May 26, 2020 11:38 pm

Re: Redirect outgoing DNS requests to internal DNS server

Wed May 27, 2020 3:49 pm

Thanks @msatter, I'll read the articles you recommended.

At the moment I'm using these rules with success:
chain=dstnat action=dst-nat to-addresses=10.0.0.3 to-ports=53 protocol=udp src-address=!10.0.0.3 dst-port=53 log=no log-prefix="" 
chain=dstnat action=dst-nat to-addresses=10.0.0.3 to-ports=53 protocol=tcp src-address=!10.0.0.3 dst-port=53 log=no log-prefix="" 
chain=srcnat action=masquerade protocol=udp src-address=10.0.0.0/24 dst-address=10.0.0.3 dst-port=53 log=no log-prefix="" 
chain=srcnat action=masquerade protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.3 dst-port=53 log=no log-prefix=""
 
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Redirect outgoing DNS requests to internal DNS server

Wed May 27, 2020 8:22 pm

Using dstnat is correct for changing the destination no matter if it is incoming or outgoing!

I would suggest changing the IP scope of the Pi-hole to outside your LAN IP scope. This way you can see individual devices on your Pi-hole instead of the router. Add something like 172.16.0.1/24 to the same interface as 10.0.0.1 and give the Pi 172.16.0.3. Edit your 2 dstnat rules and you can omit the srcnat rule.
 
groninge
just joined
Posts: 5
Joined: Fri May 29, 2020 5:29 pm

Re: Redirect outgoing DNS requests to internal DNS server

Sat May 30, 2020 10:57 am

2frogs wrote:
Using dstnat is correct for changing the destination no matter if it is incoming or outgoing!

I would suggest changing the IP scope of the Pi-hole to outside your LAN IP scope. This way you can see individual devices on your Pi-hole instead of the router. Add something like 172.16.0.1/24 to the same interface as 10.0.0.1 and give the Pi 172.16.0.3. Edit your 2 dstnat rules and you can omit the srcnat rule.

Hi, I am in a similar situation with DNS Safety.


This is my current ip address setup:
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                         
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2                                                                                            
 1 D 178.xxx.xxx.xxx/24  178.xxx.xxx.0    ether1

The DNS Safety box is connected on ether3. How would I set it to another IP range so I can see my 192.168.88.x IPs?

Edited:

I added 172.16.0.1/24 and 172.16.0.0 to ether2:
 2   172.16.0.1/24      172.16.0.0      ether2
I then set up the DNS Safety box with a static IP -> 172.16.0.3
DNS requests from my test device now show up in the DNS Safety logs with their own IP address instead of the router's IP address. However, I am not getting back the response from the DNS Safety box. These requests are to sites which are allowed by DNS Safety.

What am I missing?


Thanks,

Stefan
Last edited by groninge on Sat May 30, 2020 11:09 am, edited 1 time in total.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Redirect outgoing DNS requests to internal DNS server

Sat May 30, 2020 3:53 pm

Please post your full config. Use "/export hide-sensitive file=myexport" and this will create a myexport.src file you can download and edit with your favorite text editor.

The use of ether2 with slaves is outdated, so you may need to change your IPs to be on your "bridge". Or you need to consider updating your device.
 
groninge
just joined
Posts: 5
Joined: Fri May 29, 2020 5:29 pm

Re: Redirect outgoing DNS requests to internal DNS server

Sat May 30, 2020 4:34 pm

2frogs wrote:
Please post your full config. Use "/export hide-sensitive file=myexport" and this will create a myexport.src file you can download and edit with your favorite text editor.

The use of ether2 with slaves is outdated, so you may need to change your IPs to be on your "bridge". Or you need to consider updating your device.

I changed the IPs to be on the bridge and then ran the export. In the meantime I probably messed up something, as the response to the DNS Safety box is very sluggish :(

# may/30/2020 15:21:10 by RouterOS 6.46.4
# software id = AAKN-XINX
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=74:4D:28:BF:61:8B auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=netherlands disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=XXXX wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=netherlands disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=XXXX wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip kid-control

[ REMOVED KID CONTROL TIMES ]

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.16.0.1/24 interface=bridge network=172.16.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease

[ REMOVED STATIC DHCP ADDRESSES ]

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.88.252 list=Parental-Control-List-IPs
add address=192.168.88.244 list=Parental-Control-List-IPs
add address=192.168.88.245 list=Parental-Control-List-IPs
add address=192.168.88.239 list=Parental-Control-List-IPs
add address=192.168.88.242 list=Parental-Control-List-IPs
add address=192.168.88.31 list=DNS-Safety-List-IPs
add address=192.168.88.29 list=Parental-Control-List-IPs
add address=192.168.88.30 list=DNS-Safety-List-IPs
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9307 in-interface=\
    ether1 log=yes log-prefix=motion protocol=tcp to-addresses=192.168.88.241 \
    to-ports=80
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=\
    Parental-Control-List-IPs to-addresses=208.67.222.123
add action=dst-nat chain=dstnat dst-port=53 log=yes log-prefix=dns-safety- \
    protocol=udp src-address=!172.16.0.3 src-address-list=DNS-Safety-List-IPs \
    to-addresses=172.16.0.3 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    !172.16.0.3 src-address-list=DNS-Safety-List-IPs to-addresses=172.16.0.3 \
    to-ports=53
/ip kid-control device

[ REMOVED KID CONTROL DEVICES ]

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2211
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system ntp client
set enabled=yes primary-ntp=213.239.154.12
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thanks in advance for your help!
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Redirect outgoing DNS requests to internal DNS server

Sat May 30, 2020 5:34 pm

Your firewall is dropping the traffic. 172.16.0.0/24 is included in the address-list=not_in_internet and is being dropped.
 
groninge
just joined
Posts: 5
Joined: Fri May 29, 2020 5:29 pm

Re: Redirect outgoing DNS requests to internal DNS server

Sat May 30, 2020 9:23 pm

My firewall was indeed dropping connections. The offending rule was not that 172.16.0.0/16 was included in the "not_in_internet" list.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
These rules are ok.

The following rules however were dropping connections.

add action=accept chain=input src-address-list=allowed_to_router <-- added 172.16.0.3 to the list
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24 <-- created a new list with 192.168.88.0/24 & 172.16.0.0/24

Now my Android and iOS devices are performing requests and getting responses just fine. My Windows laptop is making requests and getting responses intermittently :(
 
nachopro
just joined
Topic Author
Posts: 17
Joined: Tue May 26, 2020 11:38 pm

Re: Redirect outgoing DNS requests to internal DNS server

Sun May 31, 2020 10:31 am

2frogs wrote:
Using dstnat is correct for changing the destination no matter if it is incoming or outgoing!

I would suggest changing the IP scope of the Pi-hole to outside your LAN IP scope. This way you can see individual devices on your Pi-hole instead of the router. Add something like 172.16.0.1/24 to the same interface as 10.0.0.1 and give the Pi 172.16.0.3. Edit your 2 dstnat rules and you can omit the srcnat rule.

I'm testing your suggestion (very nice tip) but it doesn't work:

 1 X  ;;; DNS Redirect
      chain=dstnat action=dst-nat to-addresses=172.16.0.2 to-ports=53 protocol=udp src-address=!172.16.0.2 
      in-interface-list=!WAN dst-port=53 log=no log-prefix="" 

 2 X  chain=dstnat action=dst-nat to-addresses=172.16.0.2 to-ports=53 protocol=tcp src-address=!172.16.0.2 in-interface-list=!WAN 
      dst-port=53 log=no log-prefix=""

I can run drill (or dig) from Linux against an external DNS server: drill @8.8.8.8 my.custom.dns works fine, but Firefox or other programs can't resolve their requests (because responses come from 172.16.0.2 instead of 8.8.8.8).

Am I missing some rule or concept here?

Adding the srcnat > masquerade rules works fine, but I have the same issue in the logs: all forced requests come from 172.16.0.1 :?

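The three variants this thread walks through (dst-nat alone with the Pi-hole on the client subnet, dst-nat plus masquerade, and 2frogs' second-subnet trick) can be traced with a toy connection tracker. This is an added example, not code from the thread or from RouterOS; the client address 10.0.0.5 and source port 40000 are constructed, the other addresses come from the posts.

```python
"""Toy connection tracker for the DNS-redirect variants in this thread.
Addresses follow the posts; client 10.0.0.5 and port 40000 are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


def same_subnet(a: str, b: str) -> bool:
    # Every LAN subnet in the thread is a /24, so compare the first 24 bits.
    return ip_address(a) in ip_network(f"{b}/24", strict=False)


class Router:
    """dstnat rule for dst-port 53 plus an optional masquerade toward the resolver."""

    def __init__(self, resolver: str, lan_ip: str, masquerade: bool):
        self.resolver, self.lan_ip, self.masquerade = resolver, lan_ip, masquerade
        self.conntrack = {}  # (translated src, sport) -> (client, original dst)

    def forward(self, p: Pkt) -> Pkt:
        # chain=dstnat dst-port=53 src-address=!<resolver> to-addresses=<resolver>
        if p.dport != 53 or p.src == self.resolver:
            return p
        nat_src = self.lan_ip if self.masquerade else p.src  # chain=srcnat masquerade
        self.conntrack[(nat_src, p.sport)] = (p.src, p.dst)
        return replace(p, src=nat_src, dst=self.resolver)

    def unnat(self, reply: Pkt) -> Pkt:
        # Reverse both translations for a reply that belongs to a tracked connection.
        client, original_dst = self.conntrack[(reply.dst, reply.dport)]
        return replace(reply, src=original_dst, dst=client)


def query(client: str, router: Router, external_dns: str = "8.8.8.8") -> dict:
    q = Pkt(src=client, dst=external_dns, sport=40000, dport=53)
    at_resolver = router.forward(q)
    # The resolver answers the source it saw; that source is what its query log shows.
    reply = Pkt(src=router.resolver, dst=at_resolver.src, sport=53, dport=at_resolver.sport)
    # Hairpin question: a reply addressed to a host on the resolver's own subnet is
    # delivered directly at layer 2 and never revisits the router, so NAT state is not
    # reversed. A reply to the router itself, or to another subnet (via the resolver's
    # default gateway), does pass through the router and is un-NATed.
    if reply.dst == router.lan_ip or not same_subnet(reply.dst, router.resolver):
        reply = router.unnat(reply)
    # A stub resolver only accepts an answer from the address and port it asked.
    accepted = reply.src == external_dns and reply.dst == client and reply.dport == q.sport
    return {"accepted": accepted, "logged_client": at_resolver.src}


def scenario(resolver: str, lan_ip: str, masquerade: bool, client: str = "10.0.0.5") -> dict:
    return query(client, Router(resolver, lan_ip, masquerade))


if __name__ == "__main__":
    print("same subnet, dst-nat only:   ", scenario("10.0.0.3", "10.0.0.1", False))
    print("same subnet, dst-nat + masq: ", scenario("10.0.0.3", "10.0.0.1", True))
    print("Pi-hole on 172.16.0.0/24:    ", scenario("172.16.0.3", "172.16.0.1", False))
```

Running it shows why the first rule alone fails (the answer arrives from 10.0.0.3, not 8.8.8.8), why masquerade fixes that at the price of the Pi-hole logging 10.0.0.1 for every client, and why moving the Pi-hole to a second subnet gives both a working answer and the real client address in the log.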
 
nachopro
just joined
Topic Author
Posts: 17
Joined: Tue May 26, 2020 11:38 pm

Re: Redirect outgoing DNS requests to internal DNS server

Sun May 31, 2020 11:45 am

Pseudo off topic / little trick for failover (sometimes my Pi-hole goes down):

1- Use an external DNS (like Google's 8.8.8.8) on your LAN's DHCP server

2- Use this config (it's working right now, see above):
/ip firewall nat
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=udp src-address=!10.0.0.3 to-addresses=10.0.0.3 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=10.0.0.3 dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=tcp src-address=!10.0.0.3 to-addresses=10.0.0.3 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=10.0.0.3 dst-port=53 protocol=tcp src-address=10.0.0.0/24

3- Add a netwatch to test Pi-hole availability:
/tool netwatch
add comment=Pi-Hole down-script="/ip firewall nat disable [find where comment=\"dns_redirect\"]" host=10.0.0.3 up-script="/ip firewall nat enable [find where comment=\"dns_redirect\"]"
 
Sigma

Re: Redirect outgoing DNS requests to internal DNS server

Sun Jun 07, 2020 8:30 pm

Hello

I did it a little differently and it seems to work with rogue DNS requests.

For example, an Nvidia Shield with Android TV (Nvidia) OS has hardcoded DNS entries - even if you change the IP mode to Manual it still calls home over 8.8.8.8.

What did I do?
Winbox:
--> IP-Firewall-Address Lists added an entry with:
Name: DNSForward
Address: In my case DNS is my Router >> "192.168.0.1" <<
Comment: If you wish for one :D

Then the "dst-nat" rule comes into play:
Winbox:
--> IP-Firewall-NAT
General Tab:
Chain "dstnat"
Protocol: 6 (tcp)
Src. Port 53
Dst. Port 53
In. Interface / In my case "bridge" or "etherX"
Advanced Tab:
Dst. Address List (!) <- IMPORTANT for NOT and choose "DNSForward"
Action Tab:
Action dst-nat
To Address 192.168.0.1 <- Example DNS Server In my case the Router itself
To Ports 53

Hit "Apply" and "Copy" for the same Rule in UDP
Done
Then you should see traffic going to your designated DNS server. :D

Best regards
Sigma
 
mur
Member Candidate
Posts: 105
Joined: Thu Feb 13, 2020 8:43 pm

Re: Redirect outgoing DNS requests to internal DNS server

Thu Aug 20, 2020 10:06 pm

Sigma wrote:
Hello

I did it a little differently and it seems to work with rogue DNS requests.

For example, an Nvidia Shield with Android TV (Nvidia) OS has hardcoded DNS entries - even if you change the IP mode to Manual it still calls home over 8.8.8.8.

What did I do?
Winbox:
--> IP-Firewall-Address Lists added an entry with:
Name: DNSForward
Address: In my case DNS is my Router >> "192.168.0.1" <<
Comment: If you wish for one :D

Then the "dst-nat" rule comes into play:
Winbox:
--> IP-Firewall-NAT
General Tab:
Chain "dstnat"
Protocol: 6 (tcp)
Src. Port 53
Dst. Port 53
In. Interface / In my case "bridge" or "etherX"
Advanced Tab:
Dst. Address List (!) <- IMPORTANT for NOT and choose "DNSForward"
Action Tab:
Action dst-nat
To Address 192.168.0.1 <- Example DNS Server In my case the Router itself
To Ports 53

Hit "Apply" and "Copy" for the same Rule in UDP
Done
Then you should see traffic going to your designated DNS server. :D

Best regards
Sigma

I tried it.
It doesn't seem to be working.
 
shafiqrahman
Member Candidate
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Redirect outgoing DNS requests to internal DNS server

Fri Apr 30, 2021 6:59 pm

I have been using my MikroTik with DoH since last year without any issues. So, I recently bought a Raspberry Pi for the purpose of blocking ads. My previous attempt at blocking ads with scripts in MikroTik didn't go well. After some searching I found this post and implemented this:
/ip firewall nat
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=udp src-address=!192.168.88.5 to-addresses=192.168.88.5 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=192.168.88.5 dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=dns_redirect dst-port=53 in-interface-list=LAN protocol=tcp src-address=!192.168.88.5 to-addresses=192.168.88.5 to-ports=53
add action=masquerade chain=srcnat comment=dns_redirect dst-address=192.168.88.5 dst-port=53 protocol=tcp src-address=192.168.88.0/24
It seems like my router is sometimes able to send queries to the Pi-hole. And then the Pi-hole is able to use its own upstream DNS servers to resolve. But my intention is to redirect the Pi-hole's traffic to MikroTik, where MikroTik will be the upstream DNS for the Pi-hole, so MikroTik can resolve using DoH. How can I make it work? Something like this:

Client --> Mikrotik-->pihole-->Mikrotik as a DNS over Https--> wan
 
foresthus
just joined
Posts: 4
Joined: Mon Apr 12, 2021 12:02 am

Re: Redirect outgoing DNS requests to internal DNS server

Fri May 14, 2021 1:18 am

Hi, I am in the same situation and I haven't got an idea, but I would be very happy to find a solution for ...
Client --> Mikrotik-->pihole-->Mikrotik as a DNS over Https--> wan

... until now I am still searching.
 
shafiqrahman
Member Candidate
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: Redirect outgoing DNS requests to internal DNS server

Thu May 20, 2021 5:25 am

Almost done. Only issues with the fallback script and performance.
viewtopic.php?f=2&t=174873&p=858144#p858144 Post #5 by @2frogs.
viewtopic.php?f=13&t=175322&p=858137#p858137 Post #4 by @anav No.1 point.
