merlinios
just joined
Topic Author
Posts: 21
Joined: Sat Oct 07, 2006 9:37 pm

DNS Settings question - dns forwarders

Mon Jan 09, 2017 1:36 pm

Hello,


I have a site-to-site IPsec tunnel between 2 offices with MikroTik RouterBoards. In office 2 we have an Active Directory DNS server, so I want office 1 to use this DNS server so it can resolve internal hostnames.

On the MikroTik in office 1 I enable the DNS server and in DNS settings I add 2 servers, which are the 2 Active Directory servers. I also enable "allow remote requests". So, in office 1 I set up a PC with the MikroTik's private IP as its DNS server. It seems that it cannot resolve anything. If on this PC I change the DNS to the Active Directory server, it works.

Any ideas why ?

Thanks
 
turnip
Frequent Visitor
Posts: 86
Joined: Wed Sep 11, 2013 7:01 pm

Re: DNS Settings question - dns forwarders

Mon Jan 09, 2017 5:07 pm

I don't have a good explanation as to why. Someone who understands Microsoft's implementation of DNS can have a go at that. But I solved this by creating a conditional DNS forwarder with L7 firewall rules.

Let's say your domain name is contoso.com, your router is 192.168.1.1 and your domain controller is 10.0.0.10.
Point your router to whatever DNS server you'd like to use (your ISP's, Google, etc.) and configure your PCs to use the router.

/ip firewall layer7-protocol
add comment="Conditional Forwarder for AD DNS" name=CONTOSO-ADDNS regexp=contoso.com

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Conditional Forwarder for AD DNS" dst-address=192.168.1.1 dst-port=53 layer7-protocol=CONTOSO-ADDNS new-connection-mark=forwarded-contoso-dns passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Conditional Forwarder for AD DNS" dst-address=192.168.1.1 dst-port=53 layer7-protocol=CONTOSO-ADDNS new-connection-mark=forwarded-contoso-dns passthrough=yes protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat comment="Conditional Forwarder for AD DNS" connection-mark=forwarded-contoso-dns to-addresses=10.0.0.10
add action=masquerade chain=srcnat connection-mark=forwarded-contoso-dns
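The layer7 regexp in the rules above is applied to the raw DNS payload, where name labels are length-prefixed (contoso.com travels as \x07contoso\x03com), not dot-separated. This added Python check, which is not from the thread and only approximates RouterOS's L7 matcher as a case-insensitive regex over the packet bytes, builds sample queries and shows why the unescaped `contoso.com` matches while an escaped `contoso\.com` would silently match nothing:

```python
import re

def encode_qname(name: str) -> bytes:
    """DNS wire format: each label is prefixed by its length, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal standard query (constructed sample; qtype 1 = A record)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00"   # flags: RD set
    header += b"\x00\x01\x00\x00\x00\x00\x00\x00"    # QDCOUNT=1, others 0
    return header + encode_qname(name) + qtype.to_bytes(2, "big") + b"\x00\x01"

def tcp_frame(payload: bytes) -> bytes:
    """DNS over TCP prefixes the message with a 2-byte length (RFC 1035 4.2.2)."""
    return len(payload).to_bytes(2, "big") + payload

def l7_matches(regexp: str, payload: bytes) -> bool:
    """Assumption: RouterOS L7 matching behaves like a case-insensitive regex
    search over the raw bytes; '.' therefore also matches a label-length byte."""
    return re.search(regexp.encode("ascii"), payload, re.IGNORECASE) is not None

if __name__ == "__main__":
    for regexp in ("contoso.com", r"contoso\.com"):
        for name in ("contoso.com", "mail.contoso.com", "example.com"):
            print(f"{regexp!r:15} {name:20}", l7_matches(regexp, build_dns_query(name)))
```

The same regexp also matches names such as "contosoxcom.example", so the rule is a convenience filter rather than a strict domain boundary.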
 
Hiekie
just joined
Posts: 7
Joined: Mon Jan 09, 2017 3:53 pm

Re: DNS Settings question - dns forwarders

Mon Jan 09, 2017 5:41 pm

The way I solve this (I have some serious knowledge about Microsoft server implementations) is setting the AD controller's DNS address as the primary DNS server and the secondary DNS as the provider's DNS. You can then configure the AD controller's DNS forwarder to catch up with the DNS servers on the internet.
 
merlinios
just joined
Topic Author
Posts: 21
Joined: Sat Oct 07, 2006 9:37 pm

Re: DNS Settings question - dns forwarders

Mon Jan 09, 2017 7:55 pm

Thanks to both of you guys. As a workaround I added the AD controllers as DNS in the PC settings. In the next step I want to test the L7 implementation; it seems very interesting.
 
silversword
Frequent Visitor
Posts: 58
Joined: Tue Jul 23, 2013 3:36 pm

Re: DNS Settings question - dns forwarders

Thu Mar 21, 2019 9:14 pm

The way I solve this (I have some serious knowledge about Microsoft server implementations) is setting the AD controller's DNS address as the primary DNS server and the secondary DNS as the provider's DNS. You can then configure the AD controller's DNS forwarder to catch up with the DNS servers on the internet.
If you set both internal and external DNS servers, you won't know which DNS server is being queried at any time. It doesn't "use primary" always if available. The Windows TCP stack decides who to ask and you don't get to decide. Its logic is: if there's a 2 sec timeout on "the current" DNS server, it'll fail over to the next (and the next, until it loops). Configurations like this will work, then give you weird errors sometimes, then work again (hard to troubleshoot).

You need two separate internal DNS servers, and those are your two primary/secondary DNS servers for the network and as the IT admin it's your job to make sure at least one is always available.
