R1CH
Forum Guru
Topic Author
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Feature request: Static DNS NXDOMAIN

Mon Dec 18, 2017 11:35 pm

Some domains I'd like to block with NXDOMAIN, eg known malware sites, wpad, etc. Currently ROS forces you to enter an IP for entries. While 0.0.0.1 and 255.255.255.255 work for Windows, this only works because the Windows DNS client rejects invalid IPs in responses. If you actually query the DNS server, it's still returning the IP you entered. I'd like a way to mark a static DNS entry as "negative", so the DNS server always returns NXDOMAIN for it immediately.
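An added checker (not from the thread and not RouterOS code) that makes R1CH's point concrete: it builds a DNS A query in wire format and classifies the resolver's reply as a true NXDOMAIN (RCODE 3) or as an A record carrying a bogus "block" address such as 0.0.0.1. `query_resolver` sends the query live; the two constructed replies at the end let the classifier run offline. The function names and the list of sinkhole addresses are my assumptions.

```python
import socket
import struct

SINKHOLE_IPS = {"0.0.0.0", "0.0.0.1", "127.0.0.1", "255.255.255.255"}  # bogus "block" IPs (assumed list)

def build_query(name, txid=0x1234):
    """Recursive A query (QTYPE=1, QCLASS=IN) in DNS wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):                  # offset just past a (possibly compressed) name
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(resp):
    """Return 'nxdomain', 'sinkhole <ip>', 'answer <ip>' or 'noanswer'."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F == 3:                # RCODE is the low 4 bits; 3 = NXDOMAIN
        return "nxdomain"
    off = 12
    for _ in range(qd):                    # skip question: name + type + class
        off = _skip_name(resp, off) + 4
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:      # first A record decides the verdict
            ip = socket.inet_ntoa(resp[off:off + 4])
            return f"sinkhole {ip}" if ip in SINKHOLE_IPS else f"answer {ip}"
        off += rdlen
    return "noanswer"

def query_resolver(name, server, timeout=2.0):   # live check over UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recv(512))

# Constructed replies (not captured from a router) so the checker runs offline.
CANARY_QUERY = build_query("use-application-dns.net")
NXDOMAIN_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + CANARY_QUERY[12:]
SINKHOLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + CANARY_QUERY[12:]
                  + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + b"\x00\x00\x00\x01")
```

Run `query_resolver("use-application-dns.net", "<router-ip>")` against the router to see which of the two the static entry actually produces.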
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature request: Static DNS NXDOMAIN

Tue Dec 19, 2017 12:06 pm

I don't think that we have to load up the DNS in the MikroTik with functions. If you want to have total control over DNS, then you'd better use something like DNSmasq on a Raspberry, or there is a complete DNS solution like Pihole.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Feature request: Static DNS NXDOMAIN

Sat Dec 23, 2017 1:37 pm

Remember that you are in control of your own routing domain.
Pick an IP from any RFC-based internal address range and sinkhole it in your setup; this way you may send all unwanted traffic there.
And you may later on connect monitoring to get tripwire stuff in action, reacting to stuff happening in your network.

Some of this should already be in place at your edge...
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature request: Static DNS NXDOMAIN

Sat Dec 23, 2017 6:39 pm

> Pick an IP from any rfc based internal adress and sinkhole it in your setups this way you may send all unwanted traffic there.
There is quite some difference in behaviour from your client systems between returning NXDOMAIN and returning a valid
IP address that you then sinkhole. No matter if you DROP or REJECT it with a reply like HOST UNREACHABLE or even TCP RST.
I know that is a bug in those clients, but it is the situation we will have to live with, Microsoft is not going to change their
broken TCP just because it is more convenient to network administrators.
 
DailyHero
just joined
Posts: 2
Joined: Tue Jan 01, 2019 8:08 pm

Re: Feature request: Static DNS NXDOMAIN

Mon Sep 09, 2019 12:29 pm

Mozilla is getting closer and closer to shipping DoH with Firefox. MikroTik should strongly think about implementing a way to send NXDOMAIN from within the integrated DNS server, since doing so for the domain use-application-dns.net is maybe a way to tell Firefox that it should use the MikroTik DNS server. If there is no such way, the integrated DNS server would become quite useless.

Whether Mozilla is going to use this "detection" tool for custom DNS servers is to my knowledge not yet decided. But since MikroTik probably needs quite some time (hey, there finally is a beta for v7) to implement this, they should probably start :wink:
 
davidg
just joined
Posts: 4
Joined: Fri Jul 14, 2017 9:20 am
Location: Transylvania, Ro

Re: Feature request: Static DNS NXDOMAIN

Thu Sep 12, 2019 2:01 pm

I agree, the DNS server currently in RouterOS is just good enough that it's frustrating.
The ability to specify NXDOMAIN would be very useful, as would several other options (e.g. MX and AAAA replies, rather than just A).
 
muetzekoeln
Member Candidate
Posts: 167
Joined: Fri Jun 29, 2018 2:34 pm

Re: Feature request: Static DNS NXDOMAIN

Thu Sep 12, 2019 2:15 pm

+1

and also NS and SRV entries
viewtopic.php?f=2&t=59444

as well as conditional forwarding
viewtopic.php?f=1&t=139167
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature request: Static DNS NXDOMAIN

Thu Sep 12, 2019 3:20 pm

@davidg: AAAA works already, just enter IPv6 address:
/ip dns static
add address=2001:db8::1 name=aaaa.test
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature request: Static DNS NXDOMAIN

Thu Sep 12, 2019 4:13 pm

> Mozilla is getting closer and closer to shipping DoH with Firefox. MikroTik should strongly think about implementing a way to send NXDOMAIN from within the integrated DNS server, since doing so for the domain use-application-dns.net is maybe a way to tell Firefox that it should use the MikroTik DNS server.
Yes!
On the other hand, I think that Firefox should not only accept NXDOMAIN but also an A response with some magic value like 127.0.0.2 or so.
Unfortunately I cannot find a way to contact the people that are responsible for this; I get no results when searching Bugzilla for use-application-dns.net (there are some other bugs about the DoH move).
 
iwikus
newbie
Posts: 33
Joined: Sat Jun 16, 2007 9:55 am

Re: Feature request: Static DNS NXDOMAIN

Tue Feb 25, 2020 4:04 pm

We need to be able to return NXDOMAIN for the canary domain use-application-dns.net

https://support.mozilla.org/en-US/kb/ca ... ion-dnsnet

Mozilla is making DoH as default! https://blog.mozilla.org/blog/2020/02/2 ... -us-users/

MikroTik just has to make an empty value a valid entry and return NXDOMAIN like dnsmasq does.
/ip dns static> add name=use-application-dns.net address=''
syntax error (line 1 column 42)
dnsmasq:
-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to with the specified IP address which may be IPv4 or IPv6. To give both IPv4 and IPv6 addresses for a domain, use repeated --address flags. To include multiple IP addresses for a single query, use --addn-hosts=<path> instead. Note that /etc/hosts and DHCP leases override this for individual names. A common use of this is to redirect the entire doubleclick.net domain to some friendly local web server to avoid banner ads. The domain specification works in the same way as for --server, with the additional facility that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always return 1.2.3.4 for any query not answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. As for --server, one or more domains with no address returns a no-such-domain answer, so --address=/example.com/ is equivalent to --server=/example.com/ and returns NXDOMAIN for example.com and all its subdomains. An address specified as '#' translates to the NULL address of 0.0.0.0 and its IPv6 equivalent of :: so --address=/example.com/# will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for --address=/example.com/0.0.0.0 and --address=/example.com/:: but is also more efficient than including both as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.

http://www.thekelleys.org.uk/dnsmasq/do ... q-man.html
 
reinerotto
Long time Member
Posts: 520
Joined: Thu Dec 04, 2008 2:35 am

Re: Feature request: Static DNS NXDOMAIN

Sun Aug 16, 2020 9:51 am

Does the definition of this canary domain 'use-application-dns.net' for FF really disable DoH?
I have FF 79, connected to a non-MT router running dnsmasq, and I cannot see any access to this domain in my logs.
Maybe FF dropped this option recently?
As a workaround, I block access to many well-known DoH servers.
 
pe1chl
Forum Guru
Posts: 10196
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature request: Static DNS NXDOMAIN

Sun Aug 16, 2020 11:25 am

Note that from version 6.47, RouterOS can now return NXDOMAIN (among some other values) for static DNS records!
I have configured it on a wireless network but unfortunately RouterOS does not keep "use counts" for DNS records like it does for firewall rules etc, so it is difficult to see if it is really being used.
I think Firefox will only make this query when it has automatically decided to use DoH. That apparently depends on version and even location (how?). I think it will not make this check when DoH is either manually disabled or manually enabled.
