sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

(Solved) Use Mikrotik with a DNSCrypt server in LAN problems

Wed Dec 21, 2016 4:05 pm

Hello.

Since Mikrotik has no plan to add a DNSCrypt function, I just set one up myself. Now the DNS proxy server runs several instances on the same IP at the same time, but on different ports. Here are some problems:

1. Neither Mikrotik nor Windows supports DNS on a port other than 53.

2. So I tried a workaround: set the DNS to some non-existent IPs, then use the NAT function to route them to my server, mapping one "virtual" IP per port. First I tried the same /24 range and failed; the packets were not even logged, I think they just went through the hardware switch.

3. Then I tried using a different IP range; now the packets get logged, but are still not redirected correctly. I set the following:
Chain: dstnat
Src.address: 192.168.88.0/24 (my real LAN range)
Dst.address: 192.168.10.50 (one of the fake non-existent IPs)
Protocol: 17(udp)
Dst.port: 53
Action: dst-nat
To Address: 192.168.88.5 (my DNSCrypt server)
To ports: 49100 (one of the ports the DNSCrypt server is listening on)

Others are not set.

The log shows:
dstnat: in:bridge-local(ether2-master-local) out:(none), src-mac XX:XX:XX:XX:XX:XX, proto UDP, 192.168.88.254:XXXXX->192.168.10.50:53, len XX
192.168.88.254 is the testing client; the logged source port and len values vary, with lens from 56 to 71 observed, mostly 71.

But DNS is still not working; I tried TCP and it still fails. Is the port mapped correctly? Or does the reply also need mapping? Or are there any other workarounds?

The server was tested on port 53 successfully.

Thank you.
Last edited by sam1275 on Thu Dec 22, 2016 10:15 am, edited 1 time in total.
 
sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Wed Dec 21, 2016 4:42 pm

I just tried Hairpin NAT:
http://wiki.mikrotik.com/wiki/Hairpin_NAT

/ip firewall nat
add chain=dstnat dst-address=192.168.10.50 protocol=udp dst-port=53 \
action=dst-nat to-address=192.168.88.5
add chain=srcnat out-interface=ether8-gateway action=masquerade

/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 \
dst-address=192.168.88.5 protocol=udp dst-port=49100 \
out-interface=bridge-local action=masquerade


Still fails, and the logs are identical to the previous ones.

PS: I have a dynamic WAN IP, so I cannot set a fixed WAN IP as in the wiki, and would have to change it manually every time.
Last edited by sam1275 on Wed Dec 21, 2016 7:16 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Wed Dec 21, 2016 6:56 pm

I'm probably missing something, but instead of all this, don't you want to just give 192.168.88.5 (DNSCrypt server) as the only DNS resolver to clients?
 
sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Wed Dec 21, 2016 7:41 pm

> I'm probably missing something, but instead of all this, don't you want to just give 192.168.88.5 (DNSCrypt server) as the only DNS resolver to clients?
Thank you. The problem is that I have many DNSCrypt resolvers in use for failover, and in the current version of the DNSCrypt proxy software, each resolver I choose needs a separate thread and a separate downstream server port or IP address.

Maybe the word 'proxy' is confusing; you can read it as 'translator'. A single instance/thread of the software can, and can only:
listen on a specific IP and port for client requests,
'translate' the normal DNS request to DNSCrypt,
send it to the one specific official resolver/server I chose,
receive the DNSCrypt-encrypted answer,
'translate' it back to a standard DNS answer,
answer the client.

So a single instance can neither ask several resolvers nor choose automatically among resolvers (aka failover), so if its upstream resolver fails, it fails. So I have to run several instances at the same time; however, they cannot use the same listening IP/port. I know a few ways to do this:
1. The server listens on different ports at once; configure the router to act as a relay and choose among DNS servers. That's what I'm trying now.
2. Use a relay on the DNSCrypt server, such as BIND. It will look like a normal DNS server to the router/client.
3. Configure VLANs on the server, and listen on several different IPs, all on port 53.

I still want to try the first way first.

PS: to be clearer, the example in my previous post is just one instance; in the final full result the server will listen on 49100, 49101, 49102, 49103..., and the 'fake' IPs will be 192.168.10.50, 192.168.10.51, 192.168.10.52, 192.168.10.53..., etc.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Wed Dec 21, 2016 8:24 pm

If you want method #1, this should do the trick:
/ip firewall nat
add chain=dstnat dst-address=192.168.10.50 protocol=udp dst-port=53 action=dst-nat \
    to-address=192.168.88.5 to-ports=49100
add chain=dstnat dst-address=192.168.10.51 protocol=udp dst-port=53 action=dst-nat \
    to-address=192.168.88.5 to-ports=49101
...
add chain=dstnat dst-address=192.168.10.xx protocol=udp dst-port=53 action=dst-nat \
    to-address=192.168.88.5 to-ports=491yy
add action=masquerade chain=srcnat dst-address=192.168.88.5 protocol=udp dst-port=49100-491yy
Btw, method #3 does not need VLANs; one interface can have many addresses.
 
sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Thu Dec 22, 2016 8:50 am

> If you want method #1, this should do the trick:
> /ip firewall nat
> add chain=dstnat dst-address=192.168.10.50 protocol=udp dst-port=53 action=dst-nat \
>     to-address=192.168.88.5 to-ports=49100
> add chain=dstnat dst-address=192.168.10.51 protocol=udp dst-port=53 action=dst-nat \
>     to-address=192.168.88.5 to-ports=49101
> ...
> add chain=dstnat dst-address=192.168.10.xx protocol=udp dst-port=53 action=dst-nat \
>     to-address=192.168.88.5 to-ports=491yy
> add action=masquerade chain=srcnat dst-address=192.168.88.5 protocol=udp dst-port=49100-491yy
> Btw, method #3 does not need VLANs; one interface can have many addresses.
Oh man it works!!! Thank you so much!!!
One more question please: if I also want to enable TCP for it, can I just add another set of rules that changes every "udp" to "tcp", otherwise the same as your script? Or do I need any other tweaks?
 
sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Thu Dec 22, 2016 9:16 am

So the final script will be this:

/ip firewall nat

add chain=dstnat dst-address=192.168.10.50 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49100
add chain=dstnat dst-address=192.168.10.51 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49101
add chain=dstnat dst-address=192.168.10.52 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49102
add chain=dstnat dst-address=192.168.10.53 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49103
add chain=dstnat dst-address=192.168.10.54 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49104
add chain=dstnat dst-address=192.168.10.55 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49105
add chain=dstnat dst-address=192.168.10.56 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49106
add chain=dstnat dst-address=192.168.10.57 protocol=udp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49107

add chain=dstnat dst-address=192.168.10.50 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49100
add chain=dstnat dst-address=192.168.10.51 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49101
add chain=dstnat dst-address=192.168.10.52 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49102
add chain=dstnat dst-address=192.168.10.53 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49103
add chain=dstnat dst-address=192.168.10.54 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49104
add chain=dstnat dst-address=192.168.10.55 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49105
add chain=dstnat dst-address=192.168.10.56 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49106
add chain=dstnat dst-address=192.168.10.57 protocol=tcp dst-port=53 action=dst-nat to-address=192.168.88.5 to-ports=49107

add chain=srcnat action=masquerade dst-address=192.168.88.5 protocol=udp dst-port=49100-49107
add chain=srcnat action=masquerade dst-address=192.168.88.5 protocol=tcp dst-port=49100-49107


Is it right?
Thank you again!
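The rule set above, as an added example that is not from the thread or from MikroTik: a small Python generator for the per-resolver dst-nat rules plus the two hairpin masquerade lines, and a walk of one client query through dstnat and then srcnat that shows why the masquerade rule is needed when client and server both sit in 192.168.88.0/24. The router's LAN address 192.168.88.1 is an assumption; the other addresses and ports come from the thread.

```python
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.88.0/24")        # client and server share this LAN (from the thread)
SERVER = IPv4Address("192.168.88.5")         # DNSCrypt proxy host
FAKE_BASE = IPv4Address("192.168.10.50")     # first "virtual" resolver address
PORT_BASE = 49100                            # first dnscrypt-proxy listening port
ROUTER_LAN_IP = "192.168.88.1"               # assumed router address used by masquerade


def build_rules(count, protocols=("udp", "tcp")):
    """Emit RouterOS '/ip firewall nat' lines: one dst-nat per fake IP and
    protocol, then one hairpin masquerade per protocol covering the port range."""
    rules = []
    for proto in protocols:
        for i in range(count):
            rules.append(
                f"add chain=dstnat dst-address={FAKE_BASE + i} protocol={proto} "
                f"dst-port=53 action=dst-nat to-address={SERVER} to-ports={PORT_BASE + i}"
            )
    for proto in protocols:
        rules.append(
            f"add chain=srcnat action=masquerade dst-address={SERVER} "
            f"protocol={proto} dst-port={PORT_BASE}-{PORT_BASE + count - 1}"
        )
    return rules


def translate(src, dst, proto, dport, count, hairpin=True):
    """Walk one packet through dstnat then srcnat.
    Returns (src_after_nat, dst_after_nat, dport_after_nat, reply_returns_via_router)."""
    src_ip = IPv4Address(src)
    idx = int(IPv4Address(dst)) - int(FAKE_BASE)
    if not (0 <= idx < count and dport == 53 and proto in ("udp", "tcp")):
        return (src, dst, dport, False)      # no dst-nat match: query goes to a non-existent IP
    new_dst, new_dport = str(SERVER), PORT_BASE + idx
    # Hairpin case: client and server are on the same subnet. Without the masquerade
    # rule the server answers the client directly from 192.168.88.5:491xx, a source the
    # client never sent to, so the reply is discarded. Masquerading makes the server
    # answer the router, which reverses both translations before forwarding the reply.
    if hairpin and src_ip in LAN:
        return (ROUTER_LAN_IP, new_dst, new_dport, True)
    return (src, new_dst, new_dport, src_ip not in LAN)


if __name__ == "__main__":
    print("\n".join(build_rules(8)))          # the eight-resolver set from the thread
    print(translate("192.168.88.254", "192.168.10.53", "udp", 53, 8))
```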
 
sam1275
Member Candidate
Topic Author
Posts: 110
Joined: Thu May 21, 2015 2:46 pm

Re: Use Mikrotik with a DNSCrypt server in LAN problems

Thu Dec 22, 2016 10:15 am

Okay, I tested it myself, very successful. Appreciate your help!
