guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

MikroTik and internal DNS server

Fri Nov 29, 2019 10:43 am

Good day! Help solve the problem.

MikroTik RB750Gr3 (6.45.7) is connected to the Internet provider. Behind it is the internal network 192.168.1.0/24. For this network, DHCP and DNS server is this MikroTik (192.168.1.1). Also on the network there is another DNS server - 192.168.1.10. It will forward dns requests through vpn tunnel to the third DNS server.

Task: I want to configure on MikroTik, instead of ISP DNS, my DNS server from the internal network (192.168.1.10) so that all DNS queries from both the router and the network go into the tunnel.
What has been done: I removed the “Use peer DNS” checkbox in the IP - DHCP Client and entered 192.168.1.10 in IP - DNS.

Problem:
In the internal network there are a lot of various devices (computers, laptops, tablets, phones) on different OS. After the settings above, the devices on Windows, Android and Debian work correctly - all DNS queries from them go into the tunnel (checked through dnsleaktest). But there is a problem with Apple devices (iOS and macOS) - Terrible losses begin from them to MikroTik (ping to the gateway shows 40-80% of losses).
During the tests, it turned out that losses on apple devices begin after entering any IP address in the IP - DNS that is included in the range of configured MikroTik static routes (IP - Routes). And it doesn’t matter if it exists or not, whether it has a DNS server or not.
If in IP - DNS I leave the DNS address of the provider or configure any other external DNS server, and in IP - DHCP server - Networks - DNS servers I configure 192.168.1.10 or if this server is manually configured on each Apple device, then everything works fine. But this is a failure. At this facility, we need to completely abandon external DNS.

Please, help.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 12:51 pm

Why do you need MikroTik in this scheme at all? Just add the address of your DNS server in DHCP -> Networks for your network, and let all your devices use it directly.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 1:21 pm

In this case, mikrotik will send its dns requests through the provider. We need to ensure that there are no DNS requests to the provider at all.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 1:55 pm

No, if you don’t have “use peer dns” checked, and have your server specified in DNS, it won’t.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 3:36 pm

Yes it works. I cleared all entries in the IP - DNS and entered 192.168.1.10 in IP - DHCP server - Networks - DNS servers.

But I still want to understand why my scheme does not work on Apple. It would be preferable for me if MikroTik were the DNS server for devices on the local network, and all external queries went to the second DNS, 192.168.1.10.
Last edited by guru431 on Fri Nov 29, 2019 3:56 pm, edited 1 time in total.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 3:45 pm

In the situation you want to troubleshoot (nothing specified in DHCP networks), what DNS servers do apple devices get?
Does it change anything if you add router's address in DHCP networks as a DNS server too, not only as Gateway?
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 4:08 pm

All clients on the local network receive their settings via DHCP. MikroTik acts as DHCP server, DNS server and gateway. The settings arrive correctly and it works.
If the IP - DNS address on MikroTik is 8.8.8.8 and the DNS address on Apple devices is 192.168.1.1, then everything works.
If the IP - DNS address on MikroTik is 8.8.8.8 and the DNS address on Apple devices is 192.168.1.10, then everything works.
If the IP - DNS address on MikroTik is 192.168.1.10 and the DNS address on Apple devices is 192.168.1.1, then there are big losses to MikroTik.
If the IP - DNS address on MikroTik is 192.168.1.10 and the DNS address on Apple devices is 192.168.1.10, then there are big losses to MikroTik.
In the last two cases, the heavy losses are only to the gateway and to Internet addresses. Ping to neighbouring devices on the local network is normal.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 4:25 pm

Addition:
If you enter any external address in IP - DNS on MikroTik, then ping between Apple devices and MikroTik is excellent.
If you enter any internal address from IP - Routes in IP - DNS on MikroTik, then ping between Apple devices and MikroTik shows heavy losses.
And once again I remind you: this happens only on iPhone, iPad and MacBook. On Windows, Android and Debian there is no such problem.
 
pe1chl
Forum Guru
Posts: 5985
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 4:55 pm

Some devices insist on using DNS servers they choose themselves, in addition to or instead of DNS servers returned in DHCP replies.
It may also be that when you are fiddling with settings like this, some devices continue to operate on the previous information that was returned by DHCP.
Changing it in DHCP will have effect starting from half the configured leasetime (or in worst case the entire leasetime).

And you never know what "clever" decision a device makes based on the information returned. It may think it is behind a hotspot login page, it may decide it is best to setup a VPN, it may even decide not to use DNS at all and use DoH or DoT.
These days, you are never sure what is going to happen when making setups like that.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:00 pm

I don't get it, what has ping to do with DNS settings at all?!
What address are you trying to ping?
And using what tool?

The only thing that comes to mind is that your DNS does not serve PTR entries correctly.
But once again, it has nothing to do with ping.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:07 pm

I rebooted both the Apple devices and MikroTik after changing the settings. It does not help.
I also cannot understand how the change of DNS, static routes and losses to the gateway are interconnected.

I ping the gateway 192.168.1.1 from the Apple devices. If you enter any internal address from IP - Routes in IP - DNS on MikroTik, then the loss is more than 50%.
 
pe1chl
Forum Guru
Posts: 5985
Joined: Mon Jun 08, 2015 12:09 pm

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:11 pm

That indicates that the Apple devices have added another default route, which does not work, and then alternate between those two routes.
It can be the result of setting incorrect options in your DHCP server.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:21 pm

Everything is fine with routes:

Routing tables

Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGSc en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#5 UCS en0 !
192.168.1 link#5 UCS en0 !
192.168.1.1/32 link#5 UCS en0 !
192.168.1.1 cc:2d:e0:65:ca:6 UHLWIir en0 1199
192.168.1.6 0:15:5d:1:65:1b UHLWIi en0 1133
192.168.1.19/32 link#5 UCS en0 !
224.0.0/4 link#5 UmCS en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI en0
255.255.255.255/32 link#5 UCS en0 !
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:28 pm

Post your config:
/export hide-sensitive
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:33 pm

The only thing that comes to mind is that your DNS does not serve PTR entries correctly.
But once again, it has nothing to do with ping.
This has nothing to do with it.
DNS handles PTR correctly. I can specify a non-existent external address and there will be no loss.
The problem is with addresses from the static routes.
I can specify a non-existent internal address (for example 192.168.3.55) and there are no losses. But if I specify a non-existent address from the static routes (for example 192.168.1.55), then the losses begin.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:40 pm

Post your config:
/export hide-sensitive
There is a lot of sensitive information.
Maybe something specific?
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 5:57 pm

Post your config:
/export hide-sensitive
There is a lot of sensitive information.
Maybe something specific?
Well, all the specific ideas have already been voiced :)
What is left are the ones that you won't normally think of.

Replace things like public IPs and port numbers open to the outside world with some aliases.
And remove all other sensitive info like usernames/passwords, MAC addresses and so on that is not relevant.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 6:04 pm

I removed everything unnecessary )
# model = RouterBOARD 750G r3
/interface bridge
add admin-mac=00:11:22:33:44:55 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] mac-address=55:44:33:22:11:00 speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.101-192.168.1.199
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3h name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether3 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=192.168.1.10
/ip firewall filter
add action=drop chain=input comment="Manual block list" src-address-list=block_ip_list
add action=drop chain=forward comment="Manual block list" src-address-list=block_ip_list
add action=drop chain=forward comment=BlackList_port in-interface=ether1 src-address-list=BlackList_port
add action=drop chain=input comment=BlackList_port in-interface=ether1 src-address-list=BlackList
add action=drop chain=forward comment=Port_scanner_drop src-address-list="port scanners"
add action=drop chain=input comment=Port_scanner_drop src-address-list="port scanners"
add action=add-src-to-address-list address-list=BlackList_port address-list-timeout=2w chain=input comment="Honeypot UDP" dst-port=1194,5060 in-interface=ether1 log=yes protocol=udp src-address-list=\
    !WhiteList
add action=add-src-to-address-list address-list=BlackList_port address-list-timeout=2w chain=input comment="Honeypot TCP" dst-port=21,22,23,389,1194,1433,1521,3306,3389,4899,5001,5060,5900,8080 \
    in-interface=ether1 log=yes protocol=tcp src-address-list=!WhiteList
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input in-interface=ether1 protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward comment="drop ssh brute forcers" dst-port=43112 in-interface=ether1 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w chain=forward connection-state=new dst-port=43112 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=2m chain=forward connection-state=new dst-port=43112 in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=2m chain=forward connection-state=new dst-port=43112 in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=2m chain=forward connection-state=new dst-port=43112 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="drop pptp brute forcers" dst-port=1723 protocol=tcp src-address-list=pptp_blacklist
add action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=1w chain=forward connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage3
add action=add-src-to-address-list address-list=pptp_stage3 address-list-timeout=1m chain=forward connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage2
add action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=1m chain=forward connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage1
add action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m chain=forward connection-state=new dst-port=1723 protocol=tcp
add action=reject chain=forward comment="Block telemetry Microsoft" layer7-protocol=telemetry protocol=tcp reject-with=tcp-reset
add action=drop chain=forward comment="Block telemetry Microsoft" layer7-protocol=telemetry protocol=udp
add action=drop chain=forward comment="Disable internet access for CCTV" src-address=192.168.1.92-192.168.1.100
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Block to internet" dst-address-list=block_to_internet
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark ls1" dst-address-list=ls1 new-routing-mark=mark_ls1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat dst-address=111.222.111.222 dst-port=1723 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.2
add action=src-nat chain=srcnat dst-address=192.168.1.2 dst-port=1723 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-port=80,440-444,587,43110-43119 in-interface=ether1 protocol=tcp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-address=111.222.111.222 dst-port=80,440-444,587,43110-43119 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.10
add action=src-nat chain=srcnat dst-address=192.168.1.10 dst-port=80,440-444,587,43110-43119 protocol=tcp src-address=192.168.1.0/24 to-addresses=192.168.1.1
add action=dst-nat chain=dstnat dst-port=500,1701,4500,43110,43119 in-interface=ether1 protocol=udp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-address=111.222.111.222 dst-port=500,1701,4500,43110,43119 protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.1.10
add action=src-nat chain=srcnat dst-address=192.168.1.10 dst-port=500,1701,4500,43110,43119 protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.1.1
/ip route
add comment="Route ls1" distance=1 gateway=192.168.1.201 routing-mark=mark_ls1
add distance=1 dst-address=10.10.10.0/24 gateway=192.168.1.10
add distance=1 dst-address=10.10.30.0/24 gateway=192.168.1.10
add distance=1 dst-address=10.10.49.0/24 gateway=192.168.1.10
add distance=1 dst-address=10.10.50.0/24 gateway=192.168.1.10
add distance=1 dst-address=10.10.51.0/24 gateway=192.168.1.202
add distance=1 dst-address=10.10.52.0/24 gateway=192.168.1.201
add distance=1 dst-address=10.10.60.0/24 gateway=192.168.1.4
add distance=1 dst-address=10.96.3.0/24 gateway=192.168.1.6
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.1.10
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.1.2
add distance=1 dst-address=192.168.5.0/24 gateway=192.168.1.10
add distance=1 dst-address=192.168.7.0/24 gateway=192.168.1.10
add distance=1 dst-address=192.168.10.0/24 gateway=192.168.1.4
add distance=1 dst-address=192.168.11.0/24 gateway=192.168.1.4
add distance=1 dst-address=192.168.12.0/24 gateway=192.168.1.4
add distance=1 dst-address=192.168.22.0/24 gateway=192.168.1.11
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set enabled=yes
/ip traffic-flow target
add dst-address=192.168.1.10 port=9996 v9-template-timeout=1m
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=51.141.32.51 secondary-ntp=94.247.111.10
/system ntp server
set enabled=yes multicast=yes
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether2-master disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Fri Nov 29, 2019 6:52 pm

I don't see anything wrong apart from two points that are not related to the problem:

1) The address should be moved from ether3 to the bridge:
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether3 network=192.168.1.0
2) Your firewall is highly inefficient when it comes to CPU load: all traffic passes through your multiple blocklist rules, even traffic belonging to already established connections.
You should move your "established/related" rules all the way up in both chains.

However, I can't see anything that can mess with DNS.
 
guru431
just joined
Topic Author
Posts: 11
Joined: Fri Nov 29, 2019 10:37 am

Re: MikroTik and internal DNS server  [SOLVED]

Sun Dec 01, 2019 2:26 am

I found the cause of the problem:
/interface detect-internet
set detect-interface-list=all
This setting is made by the MikroTik application for iOS.

This fixes the problem:
/interface detect-internet set detect-interface-list=WAN
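The following RouterOS fragment is an added example, not configuration from this thread or from either poster. It gathers the three changes discussed above into one place: xvo's two points (the LAN address on bridge1 rather than on ether3, and the established/related and drop-invalid rules moved ahead of the blocklist rules in both chains) and guru431's fix (detect-internet restricted to the WAN list). The interface names bridge1 and ether3, the WAN interface list, and the rule comments used by the find expressions are taken from the posted export; the last four firewall rules are an addition of mine that the thread does not propose, an assumed way of checking the requirement that no DNS query reaches the ISP, and the log prefixes are names I made up.

```routeros
# Added example; assumes the interface, list and comment names from the posted export.

# 1) Keep the LAN address on the bridge, not on a single member port.
#    Using set instead of remove+add avoids dropping the address mid-change.
/ip address
set [ find address="192.168.1.1/24" ] interface=bridge1

# 2) Put the cheap stateful rules ahead of the blocklist/honeypot/brute-force
#    rules. Each move places its rule at position 0, so the moves are issued
#    in reverse of the final order we want. Resulting order:
#      forward: fasttrack, accept established/related/untracked, drop invalid
#      input:   accept established/related/untracked, drop invalid
#    followed by all the existing rules in their current order.
/ip firewall filter
move [ find chain=input comment="defconf: drop invalid" ] destination=0
move [ find chain=input comment="defconf: accept established,related,untracked" ] destination=0
move [ find chain=forward comment="defconf: drop invalid" ] destination=0
move [ find chain=forward comment="defconf: accept established,related, untracked" ] destination=0
move [ find chain=forward comment="defconf: fasttrack" ] destination=0

# 3) The fix from the thread: only the WAN list takes part in internet
#    detection, so the LAN bridge (and the DNS server behind it) is left alone.
/interface detect-internet
set detect-interface-list=WAN

# 4) Added check (not from the thread): with servers=192.168.1.10 no plain DNS
#    should ever leave towards the ISP, neither from the router itself (output)
#    nor from LAN clients (forward). Anything that does match is logged and
#    dropped, so a leak shows up in /log rather than at the provider.
#    Placed at position 0 so it is evaluated before fasttrack.
/ip firewall filter
add chain=output out-interface-list=WAN protocol=udp dst-port=53 action=drop log=yes log-prefix="dns-leak-router" place-before=0
add chain=output out-interface-list=WAN protocol=tcp dst-port=53 action=drop log=yes log-prefix="dns-leak-router" place-before=0
add chain=forward out-interface-list=WAN protocol=udp dst-port=53 action=drop log=yes log-prefix="dns-leak-lan" place-before=0
add chain=forward out-interface-list=WAN protocol=tcp dst-port=53 action=drop log=yes log-prefix="dns-leak-lan" place-before=0
```

After applying, check the order with /ip firewall filter print and watch /log for the two prefixes while a client runs a lookup; a hit with the dns-leak-lan prefix means some device is bypassing the DHCP-assigned resolver, which is exactly the behaviour pe1chl describes. The rules only see classic DNS on port 53: a device that switches to DoH or DoT, as pe1chl also mentions, will not be caught by them.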
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: MikroTik and internal DNS server

Sun Dec 01, 2019 10:48 am

Seems strange.
Especially because it manifests itself only for apple devices.
Probably a bug.

Anyway, glad you found it.
