
MikroTik App
just joined
Topic Author
Posts: 1
Joined: Tue Mar 17, 2020 2:56 pm

DNS traffic through IPSec VPN

Thu May 21, 2020 4:12 pm

I have configured IPSec VPN tunnels between our main office and 5 branch offices on MikroTik CCR1009-7G-1C-1S+ devices. At the main site we have a Windows Server Active Directory domain controller which is also configured as the DNS server for the branch offices. All branches should use the DNS from the main office as their primary server. Communication between the main office and the branch offices is established, ICMP ping works in both directions, we can open SMB shares located at the main site, and move files from a branch to the main office and back. The only problem is DNS requests. All requests from the branch offices (any branch office) time out; clients in the branch offices do not see the DNS server from the main office at all. What can be the problem?
Forum Guru
Forum Guru
Posts: 5007
Joined: Mon Dec 04, 2017 9:19 pm

Re: DNS traffic through IPSec VPN

Thu May 21, 2020 5:09 pm

In the absence of any description of the network topology at the HQ, it's nothing but guessing: if it's not a firewall rule blocking DNS queries coming in via WAN without an exception for those that come in via WAN but are transported using bare IPsec, the next most likely thing to me is routing at the DNS server itself, which doesn't have the CCR as its default gateway.

Running /tool sniffer quick port=53 at the CCR at HQ is your best starting point. It should show you whether the DNS queries arrive from the BO, where they are sent if they do, and whether any responses ever come back from the server. If you use bare IPsec rather than IPsec-encrypted point-to-point tunnels between virtual interfaces, you won't see whether the responses were sent back to the BO this way, but you may use firewall mangle rules to count or log them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
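The troubleshooting steps in the reply above, written out as a RouterOS command sequence. This is an added example, not part of the original post and not taken from MikroTik documentation; the HQ DNS server address (10.0.0.10), the branch LAN range (10.1.0.0/16), the HQ LAN interface name (bridge-lan) and the comment used to locate the WAN drop rule ("drop all from WAN") are assumed placeholders to be replaced with the real values from the HQ export.

```routeros
# Assumed addressing (placeholders, not from the post):
#   HQ DNS server / domain controller: 10.0.0.10
#   branch office LAN ranges:          10.1.0.0/16
#   HQ LAN interface on the CCR:       bridge-lan

# 1. Look at the wire first: do branch DNS queries reach the HQ CCR at all,
#    where are they forwarded, and does the server ever answer?
/tool sniffer quick port=53 duration=30

# 2. Counters that do not change how packets are handled (action=passthrough).
#    Mangle prerouting runs before filter forward, postrouting runs after it,
#    so the three counters separate "arrived at the CCR", "passed the firewall
#    towards the server" and "server answered and the answer is leaving".
#    With bare IPsec the answers are encrypted after postrouting, so this is
#    the only place on the CCR where they are still visible as DNS.
/ip firewall mangle
add chain=prerouting protocol=udp src-address=10.1.0.0/16 \
    dst-address=10.0.0.10 dst-port=53 action=passthrough \
    comment="count: DNS queries arriving from branches"
add chain=postrouting protocol=udp src-address=10.1.0.0/16 \
    dst-address=10.0.0.10 dst-port=53 out-interface=bridge-lan \
    action=passthrough comment="count: DNS queries forwarded to the server"
add chain=postrouting protocol=udp src-address=10.0.0.10 src-port=53 \
    dst-address=10.1.0.0/16 action=passthrough \
    log=yes log-prefix="dns-reply" \
    comment="count: DNS replies leaving for branches"

# Generate a few queries from a branch client, then read the counters.
/ip firewall mangle print stats
/log print where message~"dns-reply"

# 3. Interpretation:
#    - counter 1 increments, counter 2 stays at zero: the forward chain drops
#      the queries as plain WAN traffic. Accept traffic that arrived inside
#      IPsec before the generic WAN drop rule (the first hypothesis above).
#    - counters 1 and 2 increment, counter 3 stays at zero: the server gets the
#      queries but its answers never come back through the CCR, which points
#      at routing on the DNS server itself (the second hypothesis above).
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="allow traffic that arrived encrypted via IPsec" \
    place-before=[find where comment="drop all from WAN"]
```

Remove the three mangle rules once the cause is found; they are diagnostic counters, not part of the production configuration, and the log=yes on the reply counter will otherwise fill the log with one entry per DNS answer.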
