Feature request: Static DNS NXDOMAIN

Posted: Mon Dec 18, 2017 11:35 pm
by R1CH
Some domains I'd like to block with NXDOMAIN, e.g. known malware sites, wpad, etc. Currently ROS forces you to enter an IP for entries. While 0.0.0.1 and 255.255.255.255 work for Windows, this only works because the Windows DNS client rejects invalid IPs in responses. If you actually query the DNS server, it's still returning the IP you entered. I'd like a way to mark a static DNS entry as "negative", so the DNS server always returns NXDOMAIN for it immediately.

Re: Feature request: Static DNS NXDOMAIN

Posted: Tue Dec 19, 2017 12:06 pm
by msatter
I don't think that we have to load up the DNS in the MikroTik with functions. If you want to have total control over DNS, then you'd better use something like dnsmasq on a Raspberry, and there is a complete DNS solution like Pi-hole.

Re: Feature request: Static DNS NXDOMAIN

Posted: Sat Dec 23, 2017 1:37 pm
by JimmyNyholm
Remember that you are in control of your own routing domain.
Pick an IP from any RFC-based internal address and sinkhole it in your setup; this way you may send all unwanted traffic there.
And you may later on connect monitoring to get tripwire stuff in action, reacting to stuff happening in your network.

Some of this should already be in place at your edge...
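As an added example (not code from the thread, from R1CH, JimmyNyholm or from MikroTik), the check R1CH describes and the sinkhole JimmyNyholm suggests can be verified from a client with a few lines of Python: build an A query, send it to the router, and classify the reply as NXDOMAIN, an A record inside an assumed sinkhole range, or an ordinary A record (which is what you get for a 0.0.0.1 entry: the server still hands out the address). The sinkhole range 192.0.2.0/24 (RFC 5737 TEST-NET-1), the name wpad.example and the three canned replies are constructed for this example so it runs offline; `query()` is the part you would point at a real resolver.

```python
import ipaddress
import socket
import struct

# Assumed sinkhole range for the example (RFC 5737 TEST-NET-1), not from the thread.
SINKHOLE_NET = ipaddress.ip_network("192.0.2.0/24")


def build_query(name, txid=0x1234, qtype=1):
    """Build a minimal DNS query (default qtype=1, A) with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: two bytes, then done
            return off + 2
        off += 1 + ln


def classify_response(msg):
    """Classify a raw DNS reply.

    Returns ("nxdomain", None), ("error", rcode), ("sinkhole", ip),
    ("answer", ip) or ("nodata", None).
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode == 3:
        return ("nxdomain", None)
    if rcode != 0:
        return ("error", rcode)
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:   # A record
            ip = ipaddress.ip_address(rdata)
            if ip in SINKHOLE_NET:
                return ("sinkhole", str(ip))
            return ("answer", str(ip))
        if rtype == 28 and rdlen == 16:  # AAAA record
            return ("answer", str(ipaddress.ip_address(rdata)))
    return ("nodata", None)


def query(server, name, timeout=2.0):
    """Send an A query for `name` to `server` over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)


def _reply(name, rcode, answers):
    """Construct a reply to our own query: QR|RD|RA flags, given rcode, A answers."""
    q = build_query(name)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = q[12:]                        # echo the question section
    for ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        body += ipaddress.ip_address(ip).packed
    return header + body


# Constructed replies, not captured from a router.
NXDOMAIN_REPLY = _reply("wpad.example", 3, [])              # what R1CH asks for
SINKHOLE_REPLY = _reply("wpad.example", 0, ["192.0.2.1"])   # JimmyNyholm's approach
BOGUS_REPLY = _reply("wpad.example", 0, ["0.0.0.1"])        # the 0.0.0.1 workaround

if __name__ == "__main__":
    for label, reply in [("nxdomain", NXDOMAIN_REPLY), ("sinkhole", SINKHOLE_REPLY),
                         ("bogus", BOGUS_REPLY)]:
        print(label, classify_response(reply))
```

Running `query("192.168.88.1", "wpad.example")` against a router with a 0.0.0.1 static entry returns `("answer", "0.0.0.1")`, which is the point of the original post: only the Windows client, not the server, turns that into a failure. Non-Windows clients and anything that reads the answer directly will try to connect to it.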

Re: Feature request: Static DNS NXDOMAIN

Posted: Sat Dec 23, 2017 6:39 pm
by pe1chl
Pick an IP from any RFC-based internal address and sinkhole it in your setup; this way you may send all unwanted traffic there.
There is quite some difference in behaviour of your client systems between returning NXDOMAIN and returning a valid IP address that you then sinkhole. No matter if you DROP or REJECT it with a reply like HOST UNREACHABLE or even TCP RST.
I know that is a bug in those clients, but it is the situation we will have to live with; Microsoft is not going to change their broken TCP just because it is more convenient to network administrators.

Re: Feature request: Static DNS NXDOMAIN

Posted: Mon Sep 09, 2019 12:29 pm
by DailyHero
Mozilla is getting closer and closer to shipping DoH with Firefox. MikroTik should strongly think about implementing a way to send NXDOMAIN from within the integrated DNS server, since doing so for the domain use-application-dns.net is maybe a way to tell Firefox that it should use the MikroTik DNS server. If there is no such way, the integrated DNS server would become quite useless.

Whether Mozilla is going to use this "detection" tool for custom DNS servers is, to my knowledge, not yet decided. But since MikroTik probably needs quite some time (hey, there finally is a beta for v7) to implement this, they should probably start :wink:

Re: Feature request: Static DNS NXDOMAIN

Posted: Thu Sep 12, 2019 2:01 pm
by davidg
I agree, the DNS server currently in RouterOS is just good enough that it's frustrating.
The ability to specify NXDOMAIN would be very useful, as would several other options (e.g. MX and AAAA replies, rather than just A).

Re: Feature request: Static DNS NXDOMAIN

Posted: Thu Sep 12, 2019 2:15 pm
by muetzekoeln
+1

and also NS and SRV entries
viewtopic.php?f=2&t=59444

as well as conditional forwarding
viewtopic.php?f=1&t=139167

Re: Feature request: Static DNS NXDOMAIN

Posted: Thu Sep 12, 2019 3:20 pm
by Sob
@davidg: AAAA works already, just enter IPv6 address:
/ip dns static
add address=2001:db8::1 name=aaaa.test

Re: Feature request: Static DNS NXDOMAIN

Posted: Thu Sep 12, 2019 4:13 pm
by pe1chl
Mozilla is getting closer and closer to shipping DoH with Firefox. MikroTik should strongly think about implementing a way to send NXDOMAIN from within the integrated DNS server, since doing so for the domain use-application-dns.net is maybe a way to tell Firefox that it should use the MikroTik DNS server.
Yes!
On the other hand, I think that Firefox should not only accept NXDOMAIN but also an A response with some magic value like 127.0.0.2 or so.
Unfortunately I cannot find a way to contact the people that are responsible for this; I get no results when searching Bugzilla for use-application-dns.net (there are some other bugs about the DoH move).