hsn
just joined
Topic Author
Posts: 1
Joined: Sat Jan 26, 2019 5:39 pm

DNS Failover

Sat Jan 26, 2019 5:52 pm

Hi,

I am using Pihole as my DNS server and have configured RouterOS to use the Pihole DNS, which is working fine. What I want to do is configure RouterOS to use a failover DNS (ISP or any public DNS like Google) in case Pihole stops working, so that the MikroTik takes a DNS server from the predefined DNS servers. I do not want load balancing. I just want to use them as failover in case Pihole goes down, since it is running inside a VM. Sometimes I get electricity issues, or sometimes Windows gets updates and the workstation takes longer to install them during the restart procedure.


Regards,
Hassan
 
gmx
just joined
Posts: 16
Joined: Wed Apr 17, 2019 4:12 am

Re: DNS Failover

Fri Apr 19, 2019 3:42 am

Hi, did you have any luck with this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS Failover

Fri Apr 19, 2019 3:57 am

Generally, DNS resolvers are not meant to function like this. You can have multiple for redundancy, but it's assumed that all are equal and client can use any of them. But it doesn't work for this use case, where you need a special one that knows something that others don't and you want to only use others when the special one fails.

A not completely foolproof, but possibly good enough solution could be to use Netwatch, to monitor Pihole's IP address. If it goes down, set system resolvers to public ones. If it goes up, set it to Pihole.
 
whitbread
Member Candidate
Posts: 119
Joined: Fri Nov 08, 2013 9:55 pm

Re: DNS Failover

Fri Apr 19, 2019 8:01 pm

You need a good script to do what you want.
 
mu17
just joined
Posts: 1
Joined: Mon Apr 30, 2018 2:36 am

Re: DNS Failover

Sat Apr 20, 2019 1:27 am

A not completely foolproof, but possibly good enough solution could be to use Netwatch, to monitor Pihole's IP address. If it goes down, set system resolvers to public ones. If it goes up, set it to Pihole.
I looked into the Netwatch feature <https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch> and it seems to do the trick! Netwatch will watch a host with pings, and run a script if the host is up or down.

Code:

/tool netwatch
add comment="pi-hole failover" down-script="/ip dhcp-server network set 0 dns-server=\"\"" host=192.168.88.15 \
    up-script="/ip dhcp-server network set 0 dns-server=192.168.88.15"

My pi-hole is `192.168.88.15`.

If up: `/ip dhcp-server network set 0 dns-server=192.168.88.15`

If down, blank it out (or set it to 1.1.1.1 or 192.168.88.1): `/ip dhcp-server network set 0 dns-server=""`

My DHCP network settings: see the screenshots attached to the original post.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: DNS Failover

Sat Apr 20, 2019 2:24 pm

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
 
mt99
newbie
Posts: 43
Joined: Wed Jan 03, 2018 6:07 pm

Re: DNS Failover

Mon Apr 22, 2019 2:54 am

This is exactly correct, all DNS servers are equal to the client so setting a “secondary” DNS server doesn’t work the way you might think. I use a Pihole which runs on a 2010 Mac Mini, and even though I dropped in a new hard drive I had concerns about redundancy. So I use scripts with netwatch to set the router as a backup DNS, and it works pretty well. I’m out of town right now but can take a look at the script when I get home.
Generally, DNS resolvers are not meant to function like this. You can have multiple for redundancy, but it's assumed that all are equal and client can use any of them. But it doesn't work for this use case, where you need a special one that knows something that others don't and you want to only use others when the special one fails.

A not completely foolproof, but possibly good enough solution could be to use Netwatch, to monitor Pihole's IP address. If it goes down, set system resolvers to public ones. If it goes up, set it to Pihole.
 
mt99
newbie
Posts: 43
Joined: Wed Jan 03, 2018 6:07 pm

Re: DNS Failover

Sat Apr 27, 2019 3:05 am

Everything starting with my_* should be customized for your environment. I use the router as the DNS server so I can still have control and a central place to redirect via NAT rule. For this to work best, I also recommend setting the router as a second DNS server address on all clients. This works fast enough that I receive all the notification emails :)

EDIT: I realized that, if the device never went down, Netwatch will always run the "Up" script any time a change is made to it (because the device is still "up"). I don't want this to happen if the pihole never went down, so I put a condition in to check whether the router is actually acting as a DNS server before doing anything.

EDIT 2: Turns out you can't script firewall rule changes unless you either enumerate all rules first with a print, or determine their internal IDs and use those (see viewtopic.php?p=632253 for more details). I cheated and just did the print, but later when I have the chance I'll do it a better way.

Netwatch down script for the pihole IP:
# script to enable backupDNS if pihole doesn't ping
# this script does nothing if the core switch is also down

# set variables
:local myhost [/system identity get name]
:local mydate [/system clock get date]
:local mytime [/system clock get time]
:local recv "my_alerts@email.com"
:local target "my_pihole"

# Query the core switch interface
:local inetinterface "ether1"
:if ([/interface get [find name=$inetinterface] running]=true) do={

    :log info "BackupDNS: Pihole down, enabling"
    # change to your upstream resolvers
    /ip dns set servers=your_resolver_IP1,your_resolver_IP2
    :delay 2
    :log info "BackupDNS: resolvers changed"

    # enable DNS server
    # NOTE: with allow-remote-requests=yes the router answers DNS on every interface;
    # the input chain must drop udp/tcp 53 from the WAN side or this is an open resolver
    /ip dns set allow-remote-requests=yes
    :delay 2
    :log info "BackupDNS: started server"

    # the DNS redirect rule is located by its comment (my_nat_comment) instead of by its
    # position in a print, so the script no longer depends on where the rule sits in the list
    /ip firewall nat set [find comment="my_nat_comment"] to-addresses=your_router_IP
    :delay 1
    :log info "BackupDNS: NAT rule redirected"

    # email notification
    /tool e-mail send to=$recv subject="$myhost started BackupDNS" body="On $mydate at $mytime, $myhost started BackupDNS because $target was reported down."

} else={ :log info "BackupDNS: Core switch interface $inetinterface is not running, script exited" }

Netwatch up script for the pihole IP:
# script to disable secondary DNS when pihole is back up

# set variables
:local myhost [/system identity get name]
:local mydate [/system clock get date]
:local mytime [/system clock get time]
:local recv "my_alerts@email.com"
:local target "my_pihole"

# only act if the router is currently serving DNS, i.e. the down script actually ran
:if ([/ip dns get allow-remote-requests]=true) do={

    # email notification
    /tool e-mail send to=$recv subject="$myhost stopping BackupDNS" body="On $mydate at $mytime, $myhost stopping BackupDNS because $target was reported back up."
    :delay 10
    :log info "BackupDNS: Pihole up, stopping"

    # change resolver back to my_pihole
    /ip dns set servers=my_pihole_IP
    :delay 1
    :log info "BackupDNS: pihole now set as resolver"

    # point the redirect rule (located by comment, same as in the down script) back at the pihole
    /ip firewall nat set [find comment="my_nat_comment"] to-addresses=my_pihole_IP
    :delay 1
    :log info "BackupDNS: NAT rule changed back to pihole"

    # disable DNS server and flush the cache
    /ip dns set allow-remote-requests=no
    :delay 1
    /ip dns cache flush
    :log info "BackupDNS: DNS server disabled and cache flushed"

} else={ :log info "BackupDNS: Pihole is up but router wasn't DNS server, script exited" }
Last edited by mt99 on Sat Oct 12, 2019 1:07 am, edited 1 time in total.
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: DNS Failover

Mon May 06, 2019 5:24 am

A not completely foolproof, but possibly good enough solution could be to use Netwatch, to monitor Pihole's IP address. If it goes down, set system resolvers to public ones. If it goes up, set it to Pihole.
I looked into the Netwatch feature <https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch> and it seems to do the trick! Netwatch will watch a host with pings, and run a script if the host is up or down.

Code:

/tool netwatch
add comment="pi-hole failover" down-script="/ip dhcp-server network set 0 dns-server=\"\"" host=192.168.88.15 \
    up-script="/ip dhcp-server network set 0 dns-server=192.168.88.15"

My pi-hole is `192.168.88.15`.

If up: `/ip dhcp-server network set 0 dns-server=192.168.88.15`

If down, blank it out (or set it to 1.1.1.1 or 192.168.88.1): `/ip dhcp-server network set 0 dns-server=""`

My DHCP network settings: see the screenshots attached to the original post.
This is the easiest way, but maybe you can add another line for disabling the firewall NAT rules that dst-nat port 53 UDP/TCP to the pihole server? Because some of us may restrict the end users from using an external DNS server, so we redirect all DNS requests to the pihole no matter what IP they change to.
 
meimcounting
just joined
Posts: 1
Joined: Mon Oct 28, 2019 10:52 am

Re: DNS Failover

Mon Oct 28, 2019 11:25 am

I couldn't get netwatch to trigger properly with all of its permissions restrictions. For my home use case, running a little script once a minute from the scheduler seems to work well. I have my DHCP Server > Networks > DNS Servers pointed to my MikroTik router gateway address so clients do not need to reconfigure.

Here is my script if it's helpful. You can customize the fallbackDNS addresses, Pi-Hole IP address, and resolve URL to fit your needs.
# set variables
# fallbackDNS uses the comma form that "/ip dns set servers=" accepts
:local fallbackDNS "1.1.1.1,1.0.0.1"
:local pihole 192.XXX.XX.XXX
# "/ip dns get servers" returns a list; as a string it reads "a;b", so compare it in that form
:local currentDNS [:tostr [/ip dns get servers]]

:do {
  # try to reach google through the pi-hole
  :resolve google.com server=$pihole
  # if it works and we are on a different DNS, set the DNS server to the pi-hole
  # if it works and we are already on the pi-hole, do nothing
  :if ($currentDNS != [:tostr $pihole]) do={
    :log info "DNS Failover: Switching to Pi-Hole"
    /ip dns set servers=$pihole
  }
} on-error={
  # if we can't reach google through the pi-hole and we aren't already on our fallbackDNS, switch to fallback
  # if we can't reach google through the pi-hole and we are on the fallback, log that the pi-hole is unavailable
  :if ($currentDNS != "1.1.1.1;1.0.0.1") do={
    :log info "DNS Failover: Switching to FallbackDNS"
    /ip dns set servers=$fallbackDNS
  } else={
    :log info "DNS Failover: Pi-Hole Unavailable"
  }
}
 
zilexa
just joined
Posts: 16
Joined: Tue Apr 10, 2018 6:05 pm

Re: DNS Failover

Sun Apr 12, 2020 2:59 pm

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
Is this supposed to work? Because everyone else in this topic is using a script, but your solution would be smarter since you don't have to ping your pihole every minute.

I couldn't get netwatch to trigger properly with all of its permissions restrictions. For my home use case, running a little script once a minute from the scheduler seems to work well. I have my DHCP Server > Networks > DNS Servers pointed to my MikroTik router gateway address so clients do not need to reconfigure.

Here is my script if it's helpful. You can customize the fallbackDNS addresses, Pi-Hole ip address, and resolve url to fit your needs.
(..)
 
mcb777
just joined
Posts: 3
Joined: Thu May 14, 2020 6:29 pm

Re: DNS Failover

Thu May 28, 2020 2:54 am

The problem with netwatch is that it just pings the server. The server may be up but Pi-hole can be down. I wrote the following script and run it once a minute. If Pi-hole is down the fetch will fail and the on-error code executes. Once Pi-hole is back up it is set as DNS server again.
# "/ip dns get servers" returns a list; compare it as a string ("a;b")
:local servers [:tostr [/ip dns get servers]];
:do {
    # the admin API only answers when Pi-hole's web service is actually running,
    # so this fails even if the host itself still replies to ping
    /tool fetch url="http://192.168.1.26:8082/admin/api.php?status" keep-result=no;
    :if ($servers != "192.168.1.26") do={
        /ip dns set servers=192.168.1.26;
        :log info "Pi-hole is working again, using it as DNS server";
    }
} on-error={
    :if ($servers != "208.67.220.123;208.67.222.123") do={
        /ip dns set servers=208.67.220.123,208.67.222.123;
        :log error "Pi-hole isn't working, using OpenDNS instead";
    }
}
Last edited by mcb777 on Thu May 28, 2020 7:14 pm, edited 2 times in total.
 
mcb777
just joined
Posts: 3
Joined: Thu May 14, 2020 6:29 pm

Re: DNS Failover

Thu May 28, 2020 2:55 am

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
I tried this and it doesn't work.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: DNS Failover

Thu May 28, 2020 12:49 pm

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
I tried this and it doesn't work.
Can you tell where it fails?

Is it that the Pi-hole appears up? Or something else?
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: DNS Failover

Thu May 28, 2020 12:59 pm

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
That does not work. The client will use Pi-hole and Mikrotik simultaneously.
 
mcb777
just joined
Posts: 3
Joined: Thu May 14, 2020 6:29 pm

Re: DNS Failover

Thu May 28, 2020 6:47 pm

When I bring down Pi-hole (DHCP Server DNS) it doesn't switch over to the DNS servers specified in /ip dns and nothing resolves.
Last edited by mcb777 on Fri May 29, 2020 10:17 pm, edited 1 time in total.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: DNS Failover

Fri May 29, 2020 3:39 pm

Set the Mikrotik to use a DNS other than Pi-hole... like 8.8.8.8, 1.1.1.1.

Then in your DHCP server... set the DNS value under network to be Pi-hole, Mikrotik.

If Pi-hole doesn't work... the client will ask the Mikrotik.
I tried this and it doesn't work.
Can you tell where it fails?

Is it that the Pi-hole appears up? Or something else?
When I bring down Pi-hole (DHCP Server DNS) it doesn't switch over to the DNS servers specified in /ip dns and nothing resolves.
Is your router set to allow remote DNS requests?
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: DNS Failover

Fri May 29, 2020 4:38 pm

Could you please use "Post reply" instead of quoting whole previous posts?

We are able to follow the thread... no need to quote it all the time.
 
ferdytao
newbie
Posts: 29
Joined: Mon Sep 26, 2016 8:51 am

Re: DNS Failover

Mon Jun 15, 2020 12:43 pm

I couldn't get netwatch to trigger properly with all of its permissions restrictions. For my home use case, running a little script once a minute from the scheduler seems to work well. I have my DHCP Server > Networks > DNS Servers pointed to my MikroTik router gateway address so clients do not need to reconfigure.
I'm actually using this solution, with a script to change to a public DNS if PiHole is offline. I wonder if it's possible to point clients directly to PiHole, bypassing the MikroTik, to speed up the query.
If I set the PiHole address via the DHCP network for the client, I need to wait for a renewal to change the addresses on the clients. Any other solutions? Perhaps a NAT redirect would be the best solution?!
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: DNS Failover

Mon Jun 15, 2020 4:44 pm

Ok... well here is an idea.

So in practice... assuming your PiHole sits at 192.168.1.3:
Set your DHCP server to tell clients to use 8.8.8.8 and 8.8.4.4.
Make a firewall address list named Google:
/ip firewall address-list
add address=8.8.8.8 comment="GoogleDNS" list=Google
add address=8.8.4.4 comment="GoogleDNS" list=Google
Set a NAT rule to grab/redirect any DNS request sent to those 2 DNS servers and send it to your PiHole. Make the comment "REDIRECTDNS":
/ip firewall nat
add action=dst-nat chain=dstnat comment="REDIRECTDNS" dst-address-list=\
    Google dst-port=53 protocol=udp to-addresses=192.168.1.3
add action=dst-nat chain=dstnat comment="REDIRECTDNS" dst-address-list=\
    Google dst-port=53 protocol=tcp to-addresses=192.168.1.3

Set a netwatch to check the PiHole. If the PiHole is down... DISABLE REDIRECTDNS. If it's up... ENABLE REDIRECTDNS.
Last edited by gotsprings on Mon Jun 15, 2020 5:58 pm, edited 1 time in total.
 
ferdytao
newbie
Posts: 29
Joined: Mon Sep 26, 2016 8:51 am

Re: DNS Failover

Mon Jun 15, 2020 5:10 pm

Thanks for your reply, I just tried without success and I suppose here is the correct answer: viewtopic.php?t=143849#p708150

So basically I will keep the pihole dns as primary mikrotik DNS and change it with public servers in case of fails.
 
RackKing
Member
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: DNS Failover

Thu Jun 25, 2020 4:40 pm

@ferdytao

Checking in to see how this is working for you. I am about to set this up for myself. Can you share your setup?

Thanks.
 
Perks
just joined
Posts: 1
Joined: Mon Dec 14, 2020 5:58 pm

Re: DNS Failover

Fri Apr 30, 2021 9:09 pm

Hello, sorry to hijack the topic.

I just took the script @mcb777 posted and gave it a little tweak to make it work with AdGuard Home:
# "/ip dns get servers" returns a list; compare it as a string ("a;b")
:local servers [:tostr [/ip dns get servers]];
:do {
    # the user:password part must be the Base64 encoding of "user:password", see below
    /tool fetch http-header-field="Authorization: Basic user:password" url="http://IP_Adguard/control/status" keep-result=no;
    :if ($servers != "IP_Adguard") do={
        /ip dns set servers=IP_Adguard;
        :log info "AdGuard-Home is back, using it as DNS server";
    }
} on-error={
    :if ($servers != "94.140.14.14;94.140.15.15") do={
        /ip dns set servers=94.140.14.14,94.140.15.15;
        :log error "AdGuard-Home down, switched to AdGuard DNS";
    }
}
I'm pushing the Mikrotik IP through DHCP as the DNS server; then the script just checks every minute whether the Raspberry running AdGuard Home is working, and if not it just changes the DNS to the AdGuard ones.
AdGuard needs authentication to be able to fetch through the REST API, so where you see user:password, you just have to paste user:password encoded in Base64 format, and of course change IP_Adguard to your own IP.


Thank you very much to all and especially to mcb777 for the base
 
shafiqrahman
Member Candidate
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: DNS Failover

Thu May 06, 2021 1:05 am

I am also searching for a DNS failover script. My intention was to route all DNS traffic from the router (192.168.88.1) to pihole (192.168.88.5), then back to the router and then out to the WAN (using 1.1.1.1):
Client --> Mikrotik --> pihole --> Mikrotik as a DNS --> WAN
After trying dst-nat rules nothing worked, and I finally achieved that using:
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.5 gateway=192.168.88.1 netmask=24
add address=192.168.88.5/32 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
Now, the only thing left is the fallback method. To my understanding a script produces better results, because through it a website (google.com) can be resolved directly, and pihole has a tendency to stop working.
To my understanding /ip dns get servers will get the DNS servers from /ip dns. So, how do I get the DNS server address from /ip dhcp-server network?
Please, can anyone confirm (coding error check) whether this script works or not?
# read the DNS server currently handed out for the LAN network (property is dns-server)
:local currentDNS [:tostr [/ip dhcp-server network get [find address="192.168.88.0/24"] dns-server]]
:local piholeDNS "192.168.88.5"
# fallback is the router itself, which already forwards upstream per the DHCP config above
:local routerDNS "192.168.88.1"
:local testDomain "www.google.com"

:if ($currentDNS = $piholeDNS) do={
    # clients are being handed the pihole; if it stops answering, hand out the router instead
    :do {
        :resolve $testDomain server=$piholeDNS
    } on-error={
        /ip dhcp-server network set [find address="192.168.88.0/24"] dns-server=$routerDNS
        :log warning "DNS Failover: pihole not answering, DHCP now hands out $routerDNS"
    }
} else={
    # clients are on the fallback; switch back as soon as the pihole answers again
    :do {
        :resolve $testDomain server=$piholeDNS
        /ip dhcp-server network set [find address="192.168.88.0/24"] dns-server=$piholeDNS
        :log info "DNS Failover: pihole answering again, DHCP hands out $piholeDNS"
    } on-error={}
}
# note: clients only pick up the new dns-server at their next lease renewal
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: DNS Failover

Sat May 08, 2021 12:41 pm

Set the DHCP server to hand out 8.8.8.8 and 8.8.4.4.
Set up a firewall NAT rule that redirects that to the pihole.
Add a netwatch to see if the pihole is up. If it is not... disable the redirect.
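The address-list plus dst-nat plus netwatch design that gotsprings outlines here and in the longer post earlier in the thread, written out end to end as an added example; this is not code from the thread. It assumes a LAN of 192.168.1.0/24 reached through the default `LAN` interface list, a Pi-hole at 192.168.1.3 (gotsprings' address) and the rule comment `REDIRECTDNS`. The Pi-hole itself is excluded from the redirect so that its own upstream queries to 8.8.8.8 are not looped back into it, which is the trap in the "redirect everything on port 53" variant Halfeez92 asks about.

```routeros
# Added example, not from the thread. Assumed: LAN 192.168.1.0/24 on interface list "LAN",
# Pi-hole at 192.168.1.3, redirect rules tagged with comment "REDIRECTDNS".

# 1. Clients are told to use Google; they never learn the Pi-hole address,
#    so nothing on the client side has to change when the Pi-hole is down.
/ip dhcp-server network
set [find address="192.168.1.0/24"] dns-server=8.8.8.8,8.8.4.4

# 2. Address list naming the resolvers whose traffic will be hijacked.
/ip firewall address-list
add address=8.8.8.8 comment="GoogleDNS" list=Google
add address=8.8.4.4 comment="GoogleDNS" list=Google

# 3. Steer LAN DNS (udp and tcp 53) aimed at those resolvers to the Pi-hole.
#    src-address=!192.168.1.3 keeps the Pi-hole's own upstream queries out of
#    the rule; without it, its forwarder traffic to 8.8.8.8 loops back into itself.
/ip firewall nat
add chain=dstnat comment="REDIRECTDNS" in-interface-list=LAN src-address=!192.168.1.3 \
    dst-address-list=Google protocol=udp dst-port=53 action=dst-nat to-addresses=192.168.1.3
add chain=dstnat comment="REDIRECTDNS" in-interface-list=LAN src-address=!192.168.1.3 \
    dst-address-list=Google protocol=tcp dst-port=53 action=dst-nat to-addresses=192.168.1.3

# 4. Netwatch turns the redirect off while the Pi-hole host stops answering ping
#    and back on when it returns. Both rules share the comment, so one find
#    catches them. With the rules disabled, queries reach 8.8.8.8/8.8.4.4 exactly
#    as the clients were told, which is the failover.
/tool netwatch
add comment="pi-hole failover" host=192.168.1.3 interval=30s timeout=1s \
    down-script="/ip firewall nat disable [find comment=\"REDIRECTDNS\"]; :log warning \"Pi-hole down: DNS redirect disabled\"" \
    up-script="/ip firewall nat enable [find comment=\"REDIRECTDNS\"]; :log info \"Pi-hole up: DNS redirect enabled\""
```

To check it, stop the Pi-hole (or just its FTL service) and run `/ip firewall nat print where comment="REDIRECTDNS"`; the rules should show as disabled within one netwatch interval and `nslookup example.com 8.8.8.8` from a client should now really reach Google. Three caveats a practitioner should keep in mind: netwatch only pings, so a host whose Pi-hole process has died but still answers ICMP passes the check (mcb777's point; swap the check for a scheduled `:resolve ... server=192.168.1.3` or the API fetch if that matters); connections already in the tracking table keep their old translation until they time out, so a client's first queries after the flip may still go to the dead Pi-hole; and the redirect only covers plaintext port 53, so clients using DNS-over-HTTPS or DNS-over-TLS bypass both the Pi-hole and this failover entirely.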
