PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

(silly) question how does DNS query forwarded / DHCP DNS settings

Sun Jun 06, 2021 5:21 am

Hello,
as I have come across multiple basic configurations for RouterOS and VLANs, I'm a bit confused about how to set up the DNS Server properly. Although the answer is obvious, I would like to write down my thoughts and would highly appreciate it if they get confirmed or answered where things are still unclear (or corrected).

I do have multiple MT Switches and one MT Router. The IP of the upstream Router.
The Router is either connected directly to the internet or behind the ISP-provided router, so:
  1. The Dynamic Servers are served from the ISP DHCP or the ISP-provided router. If the latter, it is probably the ISP-provided router's Gateway Address.
  2. If nothing is set in /ip dhcp-server network dns-server, the settings given in /ip dns servers and /ip dns dynamic-server are available to be passed to DHCP clients, but which servers?
    1. If only static, then static will always be passed on, regardless of /ip dhcp-server network dns-none as given in Manual:IP/DHCP Server - MikroTik Wiki?
    2. If only dynamic, then it depends on /ip dhcp-server network dns-none?
    3. If both, either both or only static ones are passed on, depending on /ip dhcp-server network dns-none?
    4. If /ip dhcp-server network dns-server is set, then only these servers are passed on.
  3. Configuration was given to me, where /ip dhcp-server network dns-server is the same as the /ip dhcp-server network gateway. What happens here?
    1. the settings given in /ip dns servers and /ip dns dynamic-server are available to be passed to DHCP clients, but what actually happens depends on the answer to point two.
    2. DNS queries from the DHCP clients (downstream of the DHCP Server) will die as there is no forwarding by the gateway
    3. DNS queries will only be checked against entries given in Static DNS Entries / /ip dns static?
      If there is nothing in there matching the query, it will die as well.
Would be great if that puzzle could be completed, as I cannot find any answer to my questions in the manual (or I'm just too stupid to find them).

thx

Stefan
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Sun Jun 06, 2021 2:50 pm

The question could be framed as: what is the hierarchy breakdown of DNS by the MT router when:

a. peer DNS is enabled (aka from ISP)
b. peer DNS is disabled
c. dhcp-server-network is the gateway of the subnet (aka from the router)
d. dynamic servers are assigned
e. dhcp-server network is assigned a known DNS server such as 8.8.8.8 or 1.1.1.1
f. static DNS are set.....

Clearly if c. is chosen, the Router is the DNS source (and the advantage apparently is that the info could be cached on the router and thus quicker)
So what does the router use for those not in the cache, in order of precedence is my question. (ISP, dynamic servers, static)?????

If e. is chosen I believe that overrides all other settings and if the DNS cannot be resolved from the DNS like 8.8.8.8 then what happens no internet??
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Sun Jun 06, 2021 3:53 pm

that is another perspective, thx for the input.

What about putting "Gateway of Subnet / DHCP Server IP is defined as DNS Server" between c and d?
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Tue Jun 08, 2021 9:50 pm

To come somewhere close to a comprehensive answer, maybe someone can tell me:
  1. Who has access to the information in /ip dns server that I configure RouterOS for?
    1. each gateway
    2. does this only sit on the WAN interface (as this is the router to other DNS servers)?
    3. each time the CPU is involved, which is always the case here. In this case, however, the explicit specification of the gateway as a DNS server is obsolete.
  2. If I now specify a DNS server, e.g. 1.1.1.1,
    1. will all devices in between still be asked whether they know DNS xy or will the request go directly to 1.1.1.1?
    2. It is indicated that if a DNS server is to be queried, this should explicitly go to 1.1.1.1?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jun 09, 2021 2:10 am

mmm...
It's easier to understand Einstein than your questions.

How DNS and DHCP works for dummies:

From Routerboard point of view:
I have at least one IP for resolve DNS on /IP DNS?
NO: I can not resolve DNS query on any way.
YES, are dynamic: I can resolve DNS inside Routerboard and the DNS are coming from dynamic interface, like DHCP-CLient or PPPoE-Client as example.
YES, are static: I can resolve DNS inside Routerboard and the DNS are written manually from someone.
YES, both dynamic and static are present: I can resolve DNS inside Routerboard and the DNS are obtained with both methods described before. In this case, static have precedence.

From PC point of view:
Routerboard can resolve DNS? I do not care.

DHCP-Server give me at least one DNS?
NO: I can't resolve DNS on any way
NO, but someone put inside PC interface static DNS: The PC can resolve DNS without any help from Routerboard or ISP
YES, but on pc DNS are set manually and right: The PC can resolve DNS without any help from Routerboard or ISP
YES, and on PC all is "auto": The PC can resolve DNS, using DNS provided from DHCP-Server on Routerboard
YES, but on pc DNS are set manually and wrong: The PC can not resolve DNS on any way (DoH/DoT is another question)


DNS resolving precedence:
I have on PC non-Routerboard IP to resolve DNS?
The DNS are resolved with that IP and I can not provide other results

I have on PC the Routerboard IP as DNS resolver:
if "allow-remote-request" are active (without consider firewall) and the PC have only the IP of routerboard as DNS, the query go:
1) The PC check internal cache
if not find any corresponding record query the routerboard:
2) Check internal Routerboard cache if are already resolved
3) Check DNS Static if are correspondence
4) If not found the Routerboard ask HIS OWN DNS (for example 1.1.1.1) to solve DNS on that order (stop on first resolution, give not found if checked all without results):
a) first static, if are one
b) second static, if are one
c) first dynamic, if are one
d) second dynamic, if are one
at this point if the record are unresolved, DNS give unknown as reply to PC
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 2:17 pm

> mmm...
> It's easy understand Einstein than your questions.

As you're that patient answering me, you are able to answer questions about the theory of relativity easily :)
I'm sorry for answering that late, but I have been quite limited and this limited time was absorbed by understanding VLANs on MT. Now I know that it is actually quite simple; I was irritated by the expression used. I'm planning to create a topic comparable with your firewall topic. That hasn't happened yet, but at least the configurations are pushed to GitHub now: https://github.com/PackElend/MikroTik

Back to the topic.
I have read up on DNS Query Message Format (firewall.cx), which makes it a bit clearer to me. If RouterOS assigns 8.8.8.8 per DHCP to the client, the DNS query will be routed to 8.8.8.8 if the client does not find anything in its cache.
So far so good.
Now I assign the gateway of the subnet or any other IP assigned to an interface on my Router.
Of course, the IP should be reachable from the client (firewall rules etc.) but at the end, it does not make any difference, does it?
The assigned interface (by its IP provided as DNS Server) is the gate to RouterOS.
This will make things happen as described by you:

> I have on PC the Routerboard IP as DNS resolver:
> if "allow-remote-request" are active
> ....

I did some tests and noticed that:
  1. even provisioning no DNS Server to the client, DNS query still forwarded to my router (I did DNS flush on system and browser). That is weird, I will check again
  2. RouterOS is either not transparent in DNS query forwarding or something is still wrong as I did DNS tracing against openDNS but openDNS is not listed:
    1. test according to How to test for successful OpenDNS configuration? – OpenDNS are passed but still adult sites can be reached
    2. installed How to use BIND’s Domain Information Groper (dig) Tool | Dyn Help Center to do dig +trace
    3. C:\Program Files\ISC BIND 9>dig internetende.de +trace +noall +answer
      . 515702 IN NS i.root-servers.net.
      . 515702 IN NS j.root-servers.net.
      . 515702 IN NS k.root-servers.net.
      . 515702 IN NS l.root-servers.net.
      . 515702 IN NS m.root-servers.net.
      . 515702 IN NS a.root-servers.net.
      . 515702 IN NS b.root-servers.net.
      . 515702 IN NS c.root-servers.net.
      . 515702 IN NS d.root-servers.net.
      . 515702 IN NS e.root-servers.net.
      . 515702 IN NS f.root-servers.net.
      . 515702 IN NS g.root-servers.net.
      . 515702 IN NS h.root-servers.net.
      ;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 28 ms

      ;; Received 779 bytes from 192.36.148.17#53(i.root-servers.net) in 23 ms

      ;; Received 616 bytes from 81.91.164.5#53(f.nic.de) in 10 ms

      internetende.de. 10800 IN A 109.237.138.8
      ;; Received 60 bytes from 148.251.254.105#53(cns2.alfahosting.info) in 22 ms
    4. C:\Program Files\ISC BIND 9>dig pornhub.com +trace +noall +answer
      . 515172 IN NS f.root-servers.net.
      . 515172 IN NS g.root-servers.net.
      . 515172 IN NS h.root-servers.net.
      . 515172 IN NS i.root-servers.net.
      . 515172 IN NS j.root-servers.net.
      . 515172 IN NS k.root-servers.net.
      . 515172 IN NS l.root-servers.net.
      . 515172 IN NS m.root-servers.net.
      . 515172 IN NS a.root-servers.net.
      . 515172 IN NS b.root-servers.net.
      . 515172 IN NS c.root-servers.net.
      . 515172 IN NS d.root-servers.net.
      . 515172 IN NS e.root-servers.net.
      ;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 12 ms

      ;; Received 1171 bytes from 199.7.83.42#53(l.root-servers.net) in 7 ms

      ;; Received 844 bytes from 192.43.172.30#53(i.gtld-servers.net) in 9 ms

      pornhub.com. 3600 IN A 66.254.114.41
      ;; Received 56 bytes from 198.51.45.3#53(dns2.p03.nsone.net) in 11 ms
    5. C:\Program Files\ISC BIND 9>C:\Program Files\ISC BIND 9>tracert pornhub.com
      Détermination de l’itinéraire vers pornhub.com [66.254.114.41]
      avec un maximum de 30 sauts :

      1 21 ms 7 ms 1 ms 10.99.99.1
      2 1 ms 3 ms 3 ms fritzbox.kuerberg.ch [192.168.66.1]
      3 26 ms 3 ms 2 ms 217.22.136.2
      4 10 ms 20 ms 16 ms 212.25.27.122
      5 78 ms 4 ms 2 ms grace.glb.as8758.net [212.25.28.238]
      6 11 ms 3 ms 1 ms te0-3-1-3.rcr51.b021037-0.zrh02.atlas.cogentco.com [149.6.177.45]
      7 3 ms 2 ms 3 ms be2395.ccr52.zrh02.atlas.cogentco.com [130.117.50.25]
      8 292 ms 42 ms 82 ms be3073.ccr22.muc03.atlas.cogentco.com [130.117.0.62]
      9 14 ms 21 ms 13 ms be2960.ccr42.fra03.atlas.cogentco.com [154.54.36.253]
      10 43 ms 47 ms 15 ms haproxy.demarc.cogentco.com [149.29.8.2]
      11 12 ms 11 ms 10 ms cust-reflected-svc11802.ip.reflected.net [66.254.122.141]
      12 12 ms 18 ms 15 ms reflectededge.reflected.net [66.254.114.41]

      Itinéraire déterminé.
    6. SETTINGS
      1. CLIENT (VLAN99 in for testing):
        Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
        Adresse IPv4 : 10.99.99.243
        Serveurs DNS IPv4 :10.99.99.1
        /ip dhcp-server> print where name=VLAN_099_DHCP
        Flags: D - dynamic, X - disabled, I - invalid
        # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
        0 VLAN_099_DHCP VLAN_099 VLAN_099 10m

        print where comment~"^BASE"
        Flags: D - dynamic
        # ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
        0 ;;; BASE (MGMT) VLAN
        10.99.99.0/24 10.99.99.1 10.99.99.1
      2. DNS SERVER:
        /ip dns> print
        servers: 208.67.222.222,208.67.220.220
        dynamic-servers:
        use-doh-server:
        verify-doh-cert: no
        allow-remote-requests: yes
        max-udp-packet-size: 4096
        query-server-timeout: 2s
        query-total-timeout: 10s
        max-concurrent-queries: 100
        max-concurrent-tcp-sessions: 20
        cache-size: 2048KiB
        cache-max-ttl: 1w
        cache-used: 332KiB
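
Added example, not part of the original post: with `+trace`, dig asks the configured resolver only for the root NS list and then queries root, TLD and authoritative servers itself, so the router's upstream servers (the OpenDNS addresses under /ip dns) never appear in the output and their filtering is not exercised. The sketch below parses the `;; Received` lines copied from the two runs above and labels each hop; the function names and the `run_1`/`run_2` keys are hypothetical.

```python
import re
from ipaddress import ip_address

# ";; Received" lines copied from the two dig +trace runs in the post above.
TRACES = {
    "run_1": """\
;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 28 ms
;; Received 779 bytes from 192.36.148.17#53(i.root-servers.net) in 23 ms
;; Received 616 bytes from 81.91.164.5#53(f.nic.de) in 10 ms
;; Received 60 bytes from 148.251.254.105#53(cns2.alfahosting.info) in 22 ms
""",
    "run_2": """\
;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 12 ms
;; Received 1171 bytes from 199.7.83.42#53(l.root-servers.net) in 7 ms
;; Received 844 bytes from 192.43.172.30#53(i.gtld-servers.net) in 9 ms
;; Received 56 bytes from 198.51.45.3#53(dns2.p03.nsone.net) in 11 ms
""",
}

LOCAL_RESOLVER = "10.99.99.1"                      # dns-server handed out by DHCP (from the post)
UPSTREAMS = {"208.67.222.222", "208.67.220.220"}   # /ip dns servers (from the post)

RECEIVED = re.compile(
    r"^;; Received (?P<size>\d+) bytes from "
    r"(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)\((?P<name>[^)]*)\) in (?P<ms>\d+) ms$"
)

def parse_hops(text):
    """Return one dict per server that answered dig during the trace."""
    hops = []
    for line in text.splitlines():
        m = RECEIVED.match(line.strip())
        if not m:
            continue
        try:
            ip_address(m["ip"])        # skip lines with a malformed address
        except ValueError:
            continue
        hops.append({"ip": m["ip"], "name": m["name"],
                     "bytes": int(m["size"]), "ms": int(m["ms"])})
    return hops

def classify(ip):
    """Label a responder relative to the router's DNS configuration."""
    if ip == LOCAL_RESOLVER:
        return "local-resolver"
    if ip in UPSTREAMS:
        return "configured-upstream"
    return "other-server"

def summarize(text):
    hops = [(h["ip"], h["name"], classify(h["ip"])) for h in parse_hops(text)]
    labels = [label for _, _, label in hops]
    return {
        "hops": hops,
        "upstream_seen": "configured-upstream" in labels,
        # True when the client itself talked to servers other than the router
        "client_queried_other_servers": "other-server" in labels,
    }

if __name__ == "__main__":
    for run, text in TRACES.items():
        print(run, summarize(text))
```

To see what the router's forwarder actually returns, query it without `+trace`, for example `dig internetende.de @10.99.99.1`.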
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 2:30 pm

> Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
> Adresse IPv4 : 10.99.99.243
> Serveurs DNS IPv4 :10.99.99.1

The highlighted information from your LAN computer indicates that it is receiving router's IP address to be used as DNS server. This setting is configured in /ip dhcp-server network, property dns-server. The configuration of your core router shows that you're explicitly setting router's IP address as DNS server for DHCP clients in all VLANs while you probably want to set it to 8.8.8.8 at least for some VLANs.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 2:50 pm

> Now I assign the gateway of the subnet or any other IP assigned to an interface on my Router.
> Of course, the IP should be reachable from the client (firewall rules etc.) but at the end, it does not make any difference, does it?

No matter what IP you use (as usual, except for firewall)
But is better to use main gateway IP for that.
Example: you have both 10.1.x network and 10.2.x
You can use on both network any of the two gateway IP.
But if for some reason in future want block any form of communication between blocks or want simply change blocks IP,
all devices configured with (working but) improper IP stop working.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 2:58 pm

> even provisioning no DNS Server to the client, DNS query still forwarded to my route (I did DNS flush on system and browser). That is wired, I will check again

If you do not set explicitly the "No DNS" flag inside DHCP Networks,
RouterOS provide one DNS based on this (must be checked exactly):
1st the IP used as Gateway if "Allow remote requests" on DNS is on
2nd first dynamic DNS on DNS settings, if any
3rd second dynamic DNS on DNS settings, if any
4th first fixed DNS on DNS settings, if any
5th second fixed DNS on DNS settings, if any
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 2:59 pm

thx for this super quick response :)

> > Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
> > Adresse IPv4 : 10.99.99.243
> > Serveurs DNS IPv4 :10.99.99.1
> ...router's IP address as DNS server for DHCP clients in all VLANs while you probably want to set it to 8.8.8.8 at least for some VLANs.

all that all clients to use the DNS server as given in /ip DNS what are the DNS-Servers of openDNS.
reading through your replies, I dare to say that my settings are correct

For whatever reason OpenDNS blocking/filtering is not working as desired, will do some more checks (flush, restart, ...)

> > Now I assign the gateway of the subnet or any other IP assigned to an interface on my Router.
> > Of course, the IP should be reachable from the client (firewall rules etc.) but at the end, it does not make any difference, does it?
> No matter what IP you use (as usual, except for firewall)
> But is better to use main gateway IP for that.

agree, just for educational purposes
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 3:02 pm

> 2nd first dynamic DNS on DNS settings, if any
> 3rd second dynamic DNS on DNS settings, if any
> 4th first fixed DNS on DNS settings, if any
> 5th second fixed DNS on DNS settings, if any

static/fixed settings are normally not prioritised over dynamic settings, are they?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 3:04 pm

Dynamic have precedence
Another example:
Generic AP have inside one DNS,
but if the provider want change the DNS, do not be forced to update all AP, just give new DNS with DHCP Server or PPPoE Server
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 3:07 pm

so, if I have dynamic and static settings how can I prevent that dynamic settings are used first/provisioned?
Firewall rules?
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 3:44 pm

No, simply specify the DNS IP address under DHCP Networks
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 3:51 pm

> No, simply specify the DNS IP address under DHCP Networks

I'm hoping for a solution to do it in one place only instead of setting each DHCP Network individually
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 4:27 pm

If you have already configured dozen of DHCP, update with script....
/ip dhcp-server network set [find] dns-server=1.1.1.1,8.8.8.8
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 4:30 pm

you got me :)
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 6:59 pm

I'm too busy on this period, but MikroTik for first must study some sort of auto-configuration

My idea is to make some generic wizard to generate some script for auto configuration like:
Select user skill level (less question asked for lower levels, etc.) ->
Select model->Select if is used as Switch / Router / Firewall / Access Point, etc.->Select on what port the Internet come in (WAN, on ether? as wi-fi client?)->
How many different WAN sources?->Select LAN ports->Select Wi-Fi settings->
Select detail need for 1st WAN (DHCP? PPPoE? VLAN? Passthrough from xDSL/ONT/LTE? etc.)->Select detail need for 2nd WAN->etc.->
Select if the WANs are on failover or load balancing (or both, etc.)->Select the number of wanted VLAN (+management) ->
Select how the single LAN are used (trunk, VLAN, untagged, etc.)->Select default firewall rules wanted (default, default+rextended, no rules because switch, plain AP, etc.)->
Select wanted router features (IP Forward, Router Cache, etc.) ->Select new users and security settings->Select wifi SSID and password, etc.

Generate single file to import, reset configuration with that file, done...
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 7:46 pm

> I'm too busy on this period, ...

doing what?
I would say all is said in this topic

> ...
> Generate single file to import, reset configuration with that file, done...

that is going to be quite a job.
Maybe my scripts are going to help you, as I try to explain things in there as well, but currently I have only VLAN configuration covered.
Currently trying to get through the details of CAPsMAN (basic WLAN is working).
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 7:58 pm

> doing what?

I'm talking about the "Project Wizard"

I forgot the CAPsMAN, but it must be done at the end, when the main wizard is finished, without forgetting to prepare for the CAPsMAN ...
 
PackElend
Member Candidate
Topic Author
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: (silly) question how does DNS query forwarded / DHCP DNS settings

Wed Jul 07, 2021 8:52 pm

good luck, will definitely benefit from it
