mmm...
It's easier to understand Einstein than your questions.
As you're that patient answering me, you are able to answer questions about the theory of relativity easily :)
I'm sorry for answering that late, but I have been quite limited in time, and this limited time was absorbed by understanding VLANs on MT. Now I know that it is actually quite simple; I was irritated by the expressions used. I'm planning to create a topic comparable with your firewall topic. That hasn't happened yet, but at least the configurations are pushed to GitHub now:
https://github.com/PackElend/MikroTik
Back to the topic.
I have read up on
DNS Query Message Format (firewall.cx), which makes it a bit clearer to me. If RouterOS assigns 8.8.8.8 per DHCP to the client, the DNS query will be routed to 8.8.8.8 if the client does not find anything in its cache.
So far so good.
Now I assign the gateway of the subnet or any other IP assigned to an interface on my Router.
Of course, the IP should be reachable from the client (firewall rules etc.) but at the end, it does not make any difference, does it?
The assigned interface (by its IP provided as DNS Server) is the gate to RouterOS.
This will make things happen as described by you:
I have on PC the Routerboard IP as DNS resolver:
if "allow-remote-request" are active
....
I did some tests and noticed that:
- even when provisioning no DNS server to the client, DNS queries are still forwarded to my router (I did a DNS flush on system and browser). That is weird, I will check again
- RouterOS is either not transparent in DNS query forwarding or something is still wrong, as I did DNS tracing against OpenDNS but OpenDNS is not listed:
- test according to How to test for successful OpenDNS configuration? – OpenDNS are passed but still adult sites can be reached
- installed How to use BIND’s Domain Information Groper (dig) Tool | Dyn Help Center to do dig +trace
- C:\Program Files\ISC BIND 9>dig internetende.de +trace +noall +answer
. 515702 IN NS i.root-servers.net.
. 515702 IN NS j.root-servers.net.
. 515702 IN NS k.root-servers.net.
. 515702 IN NS l.root-servers.net.
. 515702 IN NS m.root-servers.net.
. 515702 IN NS a.root-servers.net.
. 515702 IN NS b.root-servers.net.
. 515702 IN NS c.root-servers.net.
. 515702 IN NS d.root-servers.net.
. 515702 IN NS e.root-servers.net.
. 515702 IN NS f.root-servers.net.
. 515702 IN NS g.root-servers.net.
. 515702 IN NS h.root-servers.net.
;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 28 ms
;; Received 779 bytes from 192.36.148.17#53(i.root-servers.net) in 23 ms
;; Received 616 bytes from 81.91.164.5#53(f.nic.de) in 10 ms
internetende.de. 10800 IN A 109.237.138.8
;; Received 60 bytes from 148.251.254.105#53(cns2.alfahosting.info) in 22 ms
- C:\Program Files\ISC BIND 9>dig pornhub.com +trace +noall +answer
. 515172 IN NS f.root-servers.net.
. 515172 IN NS g.root-servers.net.
. 515172 IN NS h.root-servers.net.
. 515172 IN NS i.root-servers.net.
. 515172 IN NS j.root-servers.net.
. 515172 IN NS k.root-servers.net.
. 515172 IN NS l.root-servers.net.
. 515172 IN NS m.root-servers.net.
. 515172 IN NS a.root-servers.net.
. 515172 IN NS b.root-servers.net.
. 515172 IN NS c.root-servers.net.
. 515172 IN NS d.root-servers.net.
. 515172 IN NS e.root-servers.net.
;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 12 ms
;; Received 1171 bytes from 199.7.83.42#53(l.root-servers.net) in 7 ms
;; Received 844 bytes from 192.43.172.30#53(i.gtld-servers.net) in 9 ms
pornhub.com. 3600 IN A 66.254.114.41
;; Received 56 bytes from 198.51.45.3#53(dns2.p03.nsone.net) in 11 ms
- C:\Program Files\ISC BIND 9>tracert pornhub.com
Détermination de l’itinéraire vers pornhub.com [66.254.114.41]
avec un maximum de 30 sauts :
1 21 ms 7 ms 1 ms 10.99.99.1
2 1 ms 3 ms 3 ms fritzbox.kuerberg.ch [192.168.66.1]
3 26 ms 3 ms 2 ms 217.22.136.2
4 10 ms 20 ms 16 ms 212.25.27.122
5 78 ms 4 ms 2 ms grace.glb.as8758.net [212.25.28.238]
6 11 ms 3 ms 1 ms te0-3-1-3.rcr51.b021037-0.zrh02.atlas.cogentco.com [149.6.177.45]
7 3 ms 2 ms 3 ms be2395.ccr52.zrh02.atlas.cogentco.com [130.117.50.25]
8 292 ms 42 ms 82 ms be3073.ccr22.muc03.atlas.cogentco.com [130.117.0.62]
9 14 ms 21 ms 13 ms be2960.ccr42.fra03.atlas.cogentco.com [154.54.36.253]
10 43 ms 47 ms 15 ms haproxy.demarc.cogentco.com [149.29.8.2]
11 12 ms 11 ms 10 ms cust-reflected-svc11802.ip.reflected.net [66.254.122.141]
12 12 ms 18 ms 15 ms reflectededge.reflected.net [66.254.114.41]
Itinéraire déterminé.
- SETTINGS
- CLIENT (VLAN99 in for testing):
Adresse IPv6 locale du lien : fe80::997f:70f6:408e:ac18%18
Adresse IPv4 : 10.99.99.243
Serveurs DNS IPv4 :10.99.99.1
/ip dhcp-server> print where name=VLAN_099_DHCP
Flags: D - dynamic, X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 VLAN_099_DHCP VLAN_099 VLAN_099 10m
print where comment~"^BASE"
Flags: D - dynamic
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 ;;; BASE (MGMT) VLAN
10.99.99.0/24 10.99.99.1 10.99.99.1
- DNS SERVER:
/ip dns> print
servers: 208.67.222.222,208.67.220.220
dynamic-servers:
use-doh-server:
verify-doh-cert: no
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 332KiB
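An added example, not part of the post above: a small Python parser for the `dig +trace` output quoted in the post, to show why OpenDNS never appears in the trace even though RouterOS forwards to 208.67.222.222. `+trace` only asks the configured resolver (10.99.99.1) once, for the list of root name servers; every following query is sent by dig itself directly to the root, TLD and authoritative servers. So the forwarder is visible only in the first `;; Received ... from` line, and the router's upstream servers cannot show up at all. The sample text is copied from the post's `internetende.de` run; the function names and the `Hop` dataclass are my own.

```python
import re
from dataclasses import dataclass

# Sample dig +trace output copied from the post above (internetende.de run).
# The NS hint lines are shortened; only the ";; Received" lines matter here.
DIG_TRACE = """\
. 515702 IN NS i.root-servers.net.
. 515702 IN NS j.root-servers.net.
;; Received 813 bytes from 10.99.99.1#53(10.99.99.1) in 28 ms
;; Received 779 bytes from 192.36.148.17#53(i.root-servers.net) in 23 ms
;; Received 616 bytes from 81.91.164.5#53(f.nic.de) in 10 ms
internetende.de. 10800 IN A 109.237.138.8
;; Received 60 bytes from 148.251.254.105#53(cns2.alfahosting.info) in 22 ms
"""

# One ";; Received" line: size, server address, port, server name, latency.
RECEIVED_RE = re.compile(
    r"^;; Received (?P<size>\d+) bytes from (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"\((?P<name>[^)]*)\) in (?P<ms>\d+) ms$"
)


@dataclass(frozen=True)
class Hop:
    """One server that answered during the trace (hypothetical helper type)."""
    ip: str
    name: str
    size: int
    ms: int


def parse_trace(text: str) -> list[Hop]:
    """Extract the chain of answering servers from dig +trace output."""
    hops = []
    for line in text.splitlines():
        m = RECEIVED_RE.match(line.strip())
        if m:
            hops.append(Hop(m["ip"], m["name"], int(m["size"]), int(m["ms"])))
    return hops


def forwarder_hops(hops: list[Hop], resolver_ip: str) -> list[int]:
    """Positions in the chain answered by the locally configured resolver.

    With +trace this is normally only position 0: the root NS hint query.
    """
    return [i for i, h in enumerate(hops) if h.ip == resolver_ip]


def upstream_in_path(hops: list[Hop], upstreams: set[str]) -> bool:
    """True if any of the router's upstream servers answered directly.

    For a +trace run this is expected to be False, because dig iterates
    from the roots itself and never talks to the router's forwarders.
    """
    return any(h.ip in upstreams for h in hops)


def final_answer(text: str) -> list[str]:
    """Return the A records printed at the end of the trace."""
    return re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", text, re.MULTILINE)


if __name__ == "__main__":
    hops = parse_trace(DIG_TRACE)
    for i, h in enumerate(hops):
        print(f"{i}: {h.ip:<16} {h.name:<24} {h.size:>5} bytes {h.ms:>3} ms")
    print("forwarder used at positions:", forwarder_hops(hops, "10.99.99.1"))
    print("OpenDNS in path:", upstream_in_path(hops, {"208.67.222.222", "208.67.220.220"}))
    print("answer:", final_answer(DIG_TRACE))
```

The practical consequence: `+trace` cannot tell you whether RouterOS forwards to OpenDNS. A plain `dig internetende.de` against 10.99.99.1 exercises the forwarder, and comparing that answer with one obtained directly from 208.67.222.222 (or the OpenDNS test page the post mentions) is the check that actually covers the router's `servers:` setting.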