nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

redirect ip pool to specific DNS server

Thu Jan 10, 2019 2:51 pm

Hello,

I have two local Networks - for users and guests.

Users- 10.2.0.0/24
Guests-192.168.1.0/24

My DNS server on mikrotik router allows remote requests from both networks.

1. In MikroTik I have only one DNS settings menu (IP>DNS). I would like to put different static entries for each of the mentioned networks. Is this possible?
2. How to redirect a whole network or a selected IP pool to a specific DNS server (for example openvpn.com etc.)?

Could you give me a code example? I didn't see a redirect action when creating firewall rules. I know I have to redirect UDP port 53 to my OpenVPN IP, but have no idea how to do this.

Best Regards,
nitro
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: redirect ip pool to specific DNS server

Thu Jan 10, 2019 3:03 pm

There's only one DNS server config per RB device, so you can't have different answers depending on where the client is. What you can do is, for example, configure the DHCP server to assign some public DNS server's address for guests and the router's IP address as DNS server for users. And don't forget to disallow DNS access to the router from the guest network afterwards.

/ip dhcp-server network
set [ find address="192.168.1.0/24" ] dns-server=8.8.8.8
The above assumes the guest subnet is 192.168.1.0/24 and sets guests to use Google's public DNS server.

N.b. double quotes around the address in the command above are necessary; without them find doesn't ...
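The full shape of mkx's advice, as an added RouterOS CLI example (not mkx's configuration or anything from MikroTik's documentation): users get the router as resolver so the static entries under IP > DNS apply to them, guests get a public resolver, and the router's resolver is then closed to the guest subnet on the firewall. Assumed values: users are 10.2.0.0/24 with the router at 10.2.0.1, guests are 192.168.1.0/24, both DHCP server networks already exist, and the static name intranet.example with address 10.2.0.50 is a made-up entry for illustration.

```routeros
# Added example; not from the thread. Assumed addresses: router 10.2.0.1 on the users side,
# users 10.2.0.0/24, guests 192.168.1.0/24. intranet.example / 10.2.0.50 is a made-up static entry.

# Users: the router is their resolver, so this static entry is visible only to them.
/ip dns static
add name=intranet.example address=10.2.0.50 comment="served only to clients using the router as resolver"
/ip dhcp-server network
set [ find address="10.2.0.0/24" ] dns-server=10.2.0.1

# Guests: hand out a public resolver instead, so the router's cache and static entries never reach them.
/ip dhcp-server network
set [ find address="192.168.1.0/24" ] dns-server=8.8.8.8

# DHCP only advertises a resolver; a guest can still configure the router's address by hand.
# allow-remote-requests=yes opens the resolver to every attached subnet, so drop guest DNS on the input chain.
/ip firewall filter
add chain=input src-address=192.168.1.0/24 protocol=udp dst-port=53 action=drop comment="guests: no DNS to router"
add chain=input src-address=192.168.1.0/24 protocol=tcp dst-port=53 action=drop comment="guests: no DNS to router"
```

The two drop rules only help if they are evaluated before any general accept rule on the input chain, so move them above such a rule (or add them with place-before=). A quick check from a guest host is a manual lookup against the router's guest-side address, which should now time out, while the same lookup from a user host still answers.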
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: redirect ip pool to specific DNS server

Thu Jan 10, 2019 4:21 pm

Thank you mkx, it does exactly what I wanted.

Anyway, is there any way to redirect specific packets (port, protocol) from one IP to another?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: redirect ip pool to specific DNS server

Thu Jan 10, 2019 6:03 pm

Anyway, is there any way to redirect specific packets (port, protocol) from one ip to another ?
There is NAT. Normally it's used to overcome the problem of a single routable IPv4 address per ISP subscription, but with slightly inventive use one can redirect certain connections ... passing the router in any direction.
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: redirect ip pool to specific DNS server

Thu Jan 10, 2019 9:17 pm

(Just for testing purposes) I managed to create a rule which redirects DNS queries from my computer to one of the free OpenDNS servers. It works fine for the OpenDNS server.
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.88.2 src-port="" to-addresses=208.67.222.123
I want to do the same, but redirect DNS queries to a DNS server located in my network (192.168.88.100), created on Windows Server 2012 R2 btw.
  • DNS server works fine (tested it)
    I tried to ping it from the MikroTik router - no problems as well.
So why doesn't the rule work, even though it worked for OpenDNS?
Am I missing something?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: redirect ip pool to specific DNS server

Thu Jan 10, 2019 9:39 pm

That's probably redirection to the same subnet, then you'll need to src-nat too -> "hair-pin": look at that.
Otherwise the DNS will send responses directly to the client, and the client will reject it as it's unknown traffic to it.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: redirect ip pool to specific DNS server  [SOLVED]

Thu Jan 10, 2019 9:45 pm

For completeness of your rule: remove the src-port="" ... setting it as written is not a wildcard. If you don't want to use a certain filter (and in this case you don't), then don't include it.

As to why it doesn't work for redirecting towards LAN servers, one has to understand the packet flow:
  1. LAN host sends UDP packet(s) to the chosen WAN host via its default gateway
  2. router gets the packets and sees it needs to perform a NAT operation. It changes the dst-address and sends the packets out to the internal host. At this moment the "outgoing" packets still carry the original LAN host's address as src-address.
  3. internal DNS server receives the packets and sends its reply to the apparent sender of the query, which is in this case the original LAN host. That host is directly accessible for the DNS server and the reply thus completely bypasses the router with its NAT engine ... which should have reverted the address replacement if everything worked according to normal NAT packet flow.
  4. LAN host receives a reply from a server that (according to its own state) wasn't asked a question. The IP stack discards the packet, the app times out waiting for a response
  5. router has a stale NAT connection state
So for this kind of redirection you should add a corresponding src-nat rule which will also rewrite the src-address in step 2, so the DNS server will see the request as originating from the router and will send the reply back to it.
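The dst-nat plus src-nat (hairpin) pair that the packet flow above calls for, as an added RouterOS CLI example (not mkx's or nitrohydride's configuration). It uses the thread's addresses, LAN 192.168.88.0/24 and internal DNS server 192.168.88.100, and assumes the router's LAN address is 192.168.88.1. It goes a little beyond the thread's single rule: it covers TCP 53 as well as UDP 53, applies to the whole LAN rather than one client, and exempts the DNS server's own upstream queries so they are not looped back onto it.

```routeros
# Added example; not from the thread. Assumed: LAN 192.168.88.0/24, internal DNS server 192.168.88.100,
# router LAN address 192.168.88.1 (masquerade picks the out-interface address, i.e. the router's LAN address).

/ip firewall nat
# The server's own queries to its forwarders must not be rewritten back to itself.
# In the NAT chains, action=accept means "no translation, stop processing this chain".
add chain=dstnat src-address=192.168.88.100 protocol=udp dst-port=53 action=accept comment="DNS server -> forwarders untouched"
add chain=dstnat src-address=192.168.88.100 protocol=tcp dst-port=53 action=accept comment="DNS server -> forwarders untouched"

# Step 2 of the flow: rewrite the destination of every other LAN DNS query.
# No src-port matcher at all: leaving it out is the wildcard, src-port="" is not.
add chain=dstnat src-address=192.168.88.0/24 protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.88.100 comment="LAN DNS -> internal server"
add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.88.100 comment="LAN DNS -> internal server"

# Hairpin for steps 3-5: client and server sit on the same subnet, so also rewrite the source.
# srcnat is evaluated after dst-nat, so dst-address here is already the translated 192.168.88.100.
# The server now answers the router, and connection tracking undoes both translations on the way back.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 protocol=udp dst-port=53 action=masquerade comment="hairpin DNS"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.100 protocol=tcp dst-port=53 action=masquerade comment="hairpin DNS"
```

Two things worth knowing before enabling it: the dstnat chain also sees queries addressed to the router itself, so clients that were pointed at 192.168.88.1 for DNS are now served by 192.168.88.100 as well; and the hairpin makes every query look to the server as if it came from the router, so per-client logging on the Windows DNS server loses the real client address. To confirm the hairpin is in effect, look at /ip firewall connection print for entries to port 53 on 192.168.88.100: their reply-dst-address should be the router's address, not the client's.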
 
nitrohydride
newbie
Topic Author
Posts: 29
Joined: Mon Oct 08, 2018 10:37 pm

Re: redirect ip pool to specific DNS server

Fri Jan 11, 2019 7:56 pm

Thank you for the comprehensive explanation mkx.
Have done what you advised me and everything works fine 8)
 
blackwave
just joined
Posts: 2
Joined: Wed Sep 07, 2022 7:50 am

Re: redirect ip pool to specific DNS server

Fri Sep 09, 2022 6:28 am

(Just for testing purposes) I managed to create a rule which redirects DNS queries from my computer to one of the free OpenDNS servers. It works fine for the OpenDNS server.
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.88.2 src-port="" to-addresses=208.67.222.123
I want to do the same, but redirect DNS queries to a DNS server located in my network (192.168.88.100), created on Windows Server 2012 R2 btw.
  • DNS server works fine (tested it)
    I tried to ping it from the MikroTik router - no problems as well.
So why doesn't the rule work, even though it worked for OpenDNS?
Am I missing something?
I'm sorry, I know this is an old post, but I'm facing the same situation as yours.

What is the solution to this problem? I'm not good enough to understand mkx's explanation.
I'm pretty sure the key is adding a src-nat rule.
