gittubaba
newbie
Topic Author
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Jun 22, 2020 5:31 pm

So a rather strange problem occurred today. I woke up and heard complaints that some sites aren't accessible from my network, especially www.youtube.com. For some reason the DNS wasn't being resolved, but only for a few domains.

 dig @192.168.1.1 www.google.com

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @192.168.1.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         231     IN      A       172.217.167.132

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jun 22 19:11:50 +06 2020
;; MSG SIZE  rcvd: 48
--
 dig @192.168.1.1 www.youtube.com

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @192.168.1.1 www.youtube.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
--
 dig @8.8.8.8 www.youtube.com

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @8.8.8.8 www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61986
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; ANSWER SECTION:
www.youtube.com.        21388   IN      CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com. 88     IN      A       216.58.200.142
youtube-ui.l.google.com. 88     IN      A       172.217.167.142
youtube-ui.l.google.com. 88     IN      A       172.217.160.142
youtube-ui.l.google.com. 88     IN      A       216.58.196.174
youtube-ui.l.google.com. 88     IN      A       172.217.163.46
youtube-ui.l.google.com. 88     IN      A       172.217.163.78
youtube-ui.l.google.com. 88     IN      A       172.217.163.142

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 22 19:12:13 +06 2020
;; MSG SIZE  rcvd: 190


192.168.1.1 is my router - RB750Gr3. What is really interesting is that during this time both cache-size and cache-used in /ip dns were 2048KiB. But /ip dns cache had only 3-4 entries and reverted to empty at 1 sec intervals. I tried flushing the cache multiple times. No avail. cache-used was still 2048KiB and no meaningful entry was being added to the cache. Then I doubled cache-size to 4096KiB, and instantly cache-used became 4096KiB too. But still ip dns cache was broken.

Then I restarted the router and suddenly everything was fixed. Every domain is resolving correctly. cache-used isn't full anymore. Right now the cache has 302 items and cache-used is only 183KiB.

Now my question is: what caused this problem? It was clear the DNS service was somehow broken/corrupted, as cache-used was at 100% of its size with only 3-4 entries. Is there any other way to clear/restart the DNS service other than a router reboot? I've been running this router for years and never had this problem. I upgraded to 6.47 recently (I always keep up to date with the stable channel). And I configured DoH.

My current DNS settings:
[admin@GittuTik] /ip dns> print
                      servers: 8.8.8.8,8.8.4.4
              dynamic-servers: 103.86.96.100,103.86.99.100
               use-doh-server: https://dns.google/dns-query
              verify-doh-cert: yes
        allow-remote-requests: yes
          max-udp-packet-size: 4096
         query-server-timeout: 10s
          query-total-timeout: 15s
       max-concurrent-queries: 100
  max-concurrent-tcp-sessions: 20
                   cache-size: 4096KiB
                cache-max-ttl: 1w
                   cache-used: 183KiB
 
EchelonCA
just joined
Posts: 4
Joined: Thu May 10, 2018 4:54 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 10:42 am

I can confirm that with the recent release of 6.47, I am experiencing the same issues, but only when DoH is enabled.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 11:58 am

I would say DoH is still in development / wide beta. It was introduced in this version.
When you want reliability, just turn it off until things are completely sorted out and stable.

(in fact I am surprised that DoH resolved entries even show up in the cache at all)
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 1:22 pm

> (in fact I am surprised that DoH resolved entries even show up in the cache at all)

Out of curiosity: why shouldn't DoH resolved entries be cached?
 
gittubaba
newbie
Topic Author
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 1:50 pm

> I would say DoH is still in development / wide beta. It was introduced in this version.
> When you want reliability, just turn it off until things are completely sorted out and stable.
>
> (in fact I am surprised that DoH resolved entries even show up in the cache at all)

If that was the case then 6.47 shouldn't have been pushed to the stable channel. Nevertheless, that's not the point.

Are MikroTik devs aware of this problem? Is posting here enough or do I have to report the bug through some other channel?

> I can confirm that with the recent release of 6.47, I am experiencing the same issues, but only when DoH is enabled.

Interesting. Also I think I can reproduce it. Right now even if I clear the cache, cache-used is ~600KiB. So I guess this 600KiB is the garbage/corrupt data, which is increasing over time. I guess as soon as it hits cache-size, the DNS service will break again.
Another thing I noticed: even if I disable DoH and flush, cache-used is still ~600KiB. So without rebooting the router it's impossible to clear the DNS cache?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 3:29 pm

Yes, recommend a supout report to MT; data points help when fixing code.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 4:06 pm

> (in fact I am surprised that DoH resolved entries even show up in the cache at all)

> Out of curiosity: why shouldn't DoH resolved entries be cached?

They should be, but in this release there was some other functionality added to the DNS resolver (added record types and forwards) and the way these features are handled when DoH is enabled suggests that DoH was "hooked" into the DNS resolver at the wrong place: not as an external DNS server, but as a handler for internal DNS requests that replaces the existing resolver.
 
gittubaba
newbie
Topic Author
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 23, 2020 11:26 pm

It happened again. And this time DNS cache-used wasn't even 100% full. But suddenly DNS queries stopped working. **Sigh**. I disabled DoH for now. In situations like this I wish MetaROUTER was available for more models...
 
fflo
newbie
Posts: 46
Joined: Wed Jan 02, 2019 7:59 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Wed Jun 24, 2020 8:51 am

> ...
> My current DNS setting
> [admin@GittuTik] /ip dns> print
>                       servers: 8.8.8.8,8.8.4.4
>               dynamic-servers: 103.86.96.100,103.86.99.100
>                use-doh-server: https://dns.google/dns-query
>               verify-doh-cert: yes
>         allow-remote-requests: yes
>           max-udp-packet-size: 4096
>          query-server-timeout: 10s
>           query-total-timeout: 15s
>        max-concurrent-queries: 100
>   max-concurrent-tcp-sessions: 20
>                    cache-size: 4096KiB
>                 cache-max-ttl: 1w
>                    cache-used: 183KiB

Did you set up static DNS for dns.google? Like (for dual-stack IPv4/IPv6):
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
    use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.4.4 name=dns.google ttl=5m type=A
add address=8.8.8.8 name=dns.google ttl=5m type=A
add address=2001:4860:4860::8844 name=dns.google ttl=5m type=AAAA
add address=2001:4860:4860::8888 name=dns.google ttl=5m type=AAAA
Or does the error also occur if you use Cloudflare public DoH DNS?
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
 
gittubaba
newbie
Topic Author
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Wed Jun 24, 2020 2:09 pm

No, I didn't set static entries for dns.google, as I had 8.8.8.8 and 8.8.4.4 for resolving it the first time. I don't see how it would be relevant... If DoH can't resolve its own name (dns.google) then it posts an error in the log. But the issue wasn't that, as there were no errors in the log when this issue happened.
 
Ryo
just joined
Posts: 5
Joined: Thu Jan 11, 2018 8:00 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jul 14, 2020 7:22 pm

Yes, this issue is still present in 6.47.1.
 
gsbiz
just joined
Posts: 20
Joined: Sat Nov 17, 2018 5:18 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Jul 27, 2020 3:26 pm

I stumbled on this this morning in 6.47.1. Once the cache is full you can see it constantly refreshing current entries and reloading the static entries. All DNS requests time out.
> pbs.twimg.com
Server: [192.168.1.1]
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
Is there a way to restart just the DNS service?
 
bobaoapae
just joined
Posts: 5
Joined: Sat Jul 18, 2020 1:43 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jul 28, 2020 5:41 am

The beta version has this same issue here.
 
gittubaba
newbie
Topic Author
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jul 28, 2020 3:26 pm

> Is there a way to restart just the DNS service?

No...

It is a legit issue. It'd be nice to have someone from mikrotik confirm that they are aware and working on this issue.
 
gsbiz
just joined
Posts: 20
Joined: Sat Nov 17, 2018 5:18 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Aug 04, 2020 6:21 pm

Hi All,
I reported this problem to MikroTik Support; I have just had this response:

> Hello,
>
> We are seeing similar reports, currently we are trying to reproduce the issue. We are looking forward to fixing it as soon as possible.
>
> Best regards,
 
maxslug
newbie
Posts: 25
Joined: Sun Aug 30, 2020 7:07 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Dec 07, 2020 10:08 pm

Seeing the same thing: DoH enabled and DNS cache constantly evicted every second. 6.47.3
 
maxslug
newbie
Posts: 25
Joined: Sun Aug 30, 2020 7:07 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Sun Dec 13, 2020 10:29 pm

Trying 6.48beta58 since I saw some recent DNS and DoH things in the ChangeLog (though none seemed directly addressed at this).
 
maxslug
newbie
Posts: 25
Joined: Sun Aug 30, 2020 7:07 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Thu Dec 17, 2020 6:47 pm

> Trying 6.48beta58 since I saw some recent DNS and DoH things in the ChangeLog (though none seemed directly addressed at this).

About 4 days running and the cache size is staying at around 400k/4096k and there are plenty of entries. I would say 6.48beta58 fixed this for me!

-m
 
mxcone17
just joined
Posts: 15
Joined: Mon Jul 20, 2020 1:27 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Sun Jun 06, 2021 7:24 am

I know this is a year-old post, but I have this problem with DoH off and have tried both newest ros releases. I can't get rid of this problem. I end up rebooting my router multiple times a day.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Sun Jun 06, 2021 10:25 am

Try changing to another DoH provider.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Sun Jun 06, 2021 11:17 am

Or simply forget about DoH...
 
mxcone17
just joined
Posts: 15
Joined: Mon Jul 20, 2020 1:27 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Jun 07, 2021 5:13 am

That's the weird part: I ended up leaving DoH behind, but the problems didn't go away when DoH went away.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Jun 07, 2021 8:55 am

@mxcone17
Do you have a DNS problem or a DoH problem?
Post the complete config (export hide-sensitive) together with what hardware you are using and what RouterOS you have.
 
mxcone17
just joined
Posts: 15
Joined: Mon Jul 20, 2020 1:27 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Mon Jun 07, 2021 8:20 pm

@Jotne
Starting to think it's a DNS problem. I am currently on the Hex S and v7.1 beta 6. I have tried downgrading to v6.49, but the problem was still there. I have played with my firewall rules as well, to no avail.
Here is the DNS print:
[admin@MikroTik Hex S] >> /ip dns/ cache/ print
Flags: S - STATIC
Columns: NAME, TYPE, DATA, TTL
# NAME TYPE DATA TTL
0 S router.lan A 192.168.88.1 0s
1 api.amazon.com A 52.46.158.193 49s
2 api.amazonalexa.com CNAME tp.b16066390-frontier.amazonalexa.com. 15m25s
3 tp.b16066390-frontier.amazonalexa.com CNAME d1gsg05rq1vjdw.cloudfront.net. 30s
4 d1gsg05rq1vjdw.cloudfront.net A 13.227.22.180 30s

[admin@MikroTik Hex S] >> /ip dns/ print
servers: 129.250.35.251,209.244.0.4,8.8.8.8,1.1.1.1
dynamic-servers:
use-doh-server:
verify-doh-cert: yes
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 4800KiB
cache-max-ttl: 1w
cache-used: 4800KiB
Here is the export hide-sensitive:
RouterOS 7.1beta6
# software id = PY15-P11Z
# model = RB760iGS
# serial number = XXXXXXXXXF91
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:87 auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether3 ] name="ether3 lan"
set [ find default-name=ether5 ] name="ether5 wan" poe-out=forced-on
/interface pppoe-client
add add-default-route=yes disabled=no interface="ether5 wan" keepalive-timeout=disabled name=pppoe-out1conifer user=x.xxxx
/disk
set sd1 disabled=no
set sd1-part1 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us6204.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes name=NordVPN pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge lease-time=30m name=defconf
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add max-limit=4M/26M name="parent queue" target=bridge total-queue=sfq-default
add limit-at=2M/10M max-limit=3M/26M name=First parent="parent queue" priority=1/1 target="192.168.88.15/32,192.168.88.32/32,192.168.88.29/32,192.168.88.40/32,192.168.88.232/32,192.168.88.220\
/32,192.168.88.42/32,192.168.88.240/32,192.168.88.12/32,192.168.88.39/32,192.168.88.221/32,192.168.88.222/32" total-queue=sfq-default
add limit-at=512k/512k max-limit=1M/5M name=Middle parent="parent queue" priority=5/5 target="192.168.88.10/32,192.168.88.11/32,192.168.88.13/32,192.168.88.14/32,192.168.88.17/32,192.168.88.1\
8/32,192.168.88.22/32,192.168.88.23/32,192.168.88.24/32,192.168.88.25/32,192.168.88.26/32,192.168.88.53/32,192.168.88.236/32,192.168.88.237/32,192.168.88.20/32,192.168.88.19/32,192.168.88\
.16/32,192.168.88.31/32,192.168.88.35/32,192.168.88.34/32" total-queue=sfq-default
add limit-at=512k/512k max-limit=1M/8M name=last parent="parent queue" target="192.168.88.235/32,192.168.88.223/32,192.168.88.225/32,192.168.88.241/32,192.168.88.239/32,192.168.88.218/32,192.\
168.88.230/32,192.168.88.21/32,192.168.88.19/32,192.168.88.30/32,192.168.88.28/32,192.168.88.243/32,192.168.88.35/32,192.168.88.33/32" total-queue=sfq-default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface="ether3 lan"
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface="ether5 wan"
add bridge=bridge comment=defconf interface=sfp1
/ip firewall connection tracking
set tcp-established-timeout=1h tcp-last-ack-timeout=15s tcp-syn-received-timeout=10s tcp-syn-sent-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether5 wan" list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid,clientid_duid disabled=no interface="ether5 wan" use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes cache-size=4800KiB servers=129.250.35.251,209.244.0.4,8.8.8.8,1.1.1.1 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input in-interface=bridge
add action=drop chain=forward connection-limit=8,24 disabled=yes dst-address=1.1.1.1 dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=8,24 disabled=yes dst-address=8.8.8.8 dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=10,32 src-address=192.168.88.14
add action=drop chain=forward disabled=yes dst-address=192.168.88.25
add action=reject chain=forward connection-limit=8,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.34
add action=fasttrack-connection chain=forward dst-port=53 hw-offload=yes protocol=tcp
add action=accept chain=forward dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward dst-port=53 hw-offload=yes protocol=udp
add action=accept chain=forward dst-port=53 protocol=udp
add action=fasttrack-connection chain=forward dst-address=192.168.88.40 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.40
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.29 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.29
add action=fasttrack-connection chain=forward dst-address=192.168.88.232 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.232
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.220 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.220
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.10 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.10
add action=fasttrack-connection chain=forward disabled=yes dst-address=192.168.88.42 hw-offload=yes
add action=accept chain=forward dst-address=192.168.88.42
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-net-prohibited src-address=192.168.88.235 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.241 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-net-prohibited src-address=192.168.88.21 tcp-flags=syn
add action=reject chain=forward connection-limit=15,32 disabled=yes protocol=tcp reject-with=icmp-network-unreachable src-address=192.168.88.223 tcp-flags=syn
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface="ether5 wan" protocol=tcp
add action=drop chain=input dst-port=53 in-interface="ether5 wan" protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related,untracked disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=\
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip smb
set comment="Mikrotik hex SMB" enabled=yes
/ip traffic-flow ipfix
set nat-events=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik Hex S"
/system logging
add disabled=yes topics=dns
/system note
set note="Lick lick lick my balls"
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1h name="connection clear" on-event=script1 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/19/2021 start-time=00:00:00
add interval=30m name="dns flush " on-event=script2 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/19/2021 start-time=08:07:40
/system script
add comment="Connection clear " dont-require-permissions=no name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":foreach i in=[/ip firewall connection find] do={/ip firewall connection remove \$i}"
add dont-require-permissions=no name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dns cache flush"
add dont-require-permissions=no name=script3 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"ip firewall connection {:foreach i in [find src-address=\"192.168.88.235\"] do={remove \$i}}"
add dont-require-permissions=no name=script4 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/ip firewall connection remove [find where !seen-reply timeout>\"30s\" protocol=tcp src-address~\":443\"];"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
Last edited by BartoszP on Thu Nov 03, 2022 12:41 am, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code
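As an added example (not code from this thread, from its posters or from MikroTik), here is a small Python script that parses the three RouterOS output formats shown above, `/ip dns print`, the v7 `/ip dns cache print` table and `/ip dns static export`, and reports the two things the thread keeps circling back to: the "cache-used at 100% while the cache holds only a few entries" state from gittubaba's and gsbiz's posts, and whether the configured DoH hostname has any bootstrap path before DoH is up (fflo's static-entry suggestion versus resolving it through the plain `servers`). The sample outputs are constructed from values quoted in the thread; the 95%-full / fewer-than-10-entries thresholds and all function names are my own assumptions, not RouterOS values.

```python
"""Offline checks for the RouterOS DNS-cache failure described in this thread.

Parses the text of `/ip dns print`, `/ip dns cache print` (v7 table layout)
and `/ip dns static export`, then reports:
  * a cache whose `cache-used` is (nearly) equal to `cache-size` while it
    holds only a handful of dynamic entries (the symptom in the thread);
  * how the DoH server hostname can be resolved before DoH is up
    (static entry, IP literal, plain `servers`, or not at all).
"""
import ipaddress
import re
from urllib.parse import urlparse

_UNITS = {"": 1, "B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}

# Constructed samples in RouterOS output formats; values mirror the thread's posts.
DNS_PRINT_BROKEN = """\
[admin@GittuTik] /ip dns> print
                      servers: 8.8.8.8,8.8.4.4
               use-doh-server: https://dns.google/dns-query
              verify-doh-cert: yes
                   cache-size: 2048KiB
                cache-max-ttl: 1w
                   cache-used: 2048KiB
"""
CACHE_PRINT_FEW = """\
Flags: S - STATIC
Columns: NAME, TYPE, DATA, TTL
# NAME TYPE DATA TTL
0 S router.lan A 192.168.88.1 0s
1 api.amazon.com A 52.46.158.193 49s
2 api.amazonalexa.com CNAME tp.b16066390-frontier.amazonalexa.com. 15m25s
"""
STATIC_EXPORT = """\
/ip dns static
add address=8.8.8.8 name=dns.google ttl=5m type=A
add address=2001:4860:4860::8888 name=dns.google ttl=5m type=AAAA
"""


def parse_size(text):
    """'2048KiB' -> 2097152 bytes; bare byte counts are accepted too."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]iB|B)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


def parse_kv(text):
    """Parse the 'key: value' lines of `/ip dns print` into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z][a-z0-9-]*):\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_cache(text):
    """Parse v7 `/ip dns cache print` rows: '# [flags] NAME TYPE DATA TTL'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue                      # Flags/Columns/header lines
        flags = parts[1] if len(parts) == 6 else ""
        name, rtype, data, ttl = parts[-4:]
        rows.append({"name": name, "type": rtype, "data": data,
                     "ttl": ttl, "static": "S" in flags})
    return rows


def parse_static_export(text):
    """Parse 'add address=... name=... type=...' lines of `/ip dns static export`."""
    entries = []
    for line in text.splitlines():
        if line.strip().startswith("add "):
            kv = dict(re.findall(r"([a-z-]+)=(\S+)", line))
            entries.append({"name": kv.get("name"), "address": kv.get("address"),
                            "type": kv.get("type", "A")})  # RouterOS defaults to A
    return entries


def diagnose(dns_print, cache_print, static_export="",
             full_threshold=0.95, starved_entries=10):
    """Summarise cache health and the DoH bootstrap situation.

    full_threshold / starved_entries are constructed heuristics, not RouterOS
    values: >=95% used with fewer than 10 dynamic entries is reported as
    'cache_starved', which is what the affected routers in the thread showed.
    """
    cfg = parse_kv(dns_print)
    size = parse_size(cfg.get("cache-size", "0"))
    used = parse_size(cfg.get("cache-used", "0"))
    dynamic = [r for r in parse_cache(cache_print) if not r["static"]]
    fill = used / size if size else 0.0

    doh_url = cfg.get("use-doh-server", "")
    host = urlparse(doh_url).hostname if doh_url else None
    try:
        is_ip = host is not None and ipaddress.ip_address(host) is not None
    except ValueError:
        is_ip = False
    has_static = any(e["name"] == host and e["type"] in ("A", "AAAA")
                     for e in parse_static_export(static_export))
    plain = [s for s in cfg.get("servers", "").split(",") if s]

    return {
        "cache_fill": round(fill, 3),
        "dynamic_entries": len(dynamic),
        "cache_starved": fill >= full_threshold and len(dynamic) < starved_entries,
        "doh_host": host,
        "doh_bootstrap": ("ip-literal" if is_ip else "static" if has_static
                          else "plain-servers" if plain else "none"),
    }


if __name__ == "__main__":
    print(diagnose(DNS_PRINT_BROKEN, CACHE_PRINT_FEW))
    print(diagnose(DNS_PRINT_BROKEN, CACHE_PRINT_FEW, STATIC_EXPORT))
```

Fed the thread's own numbers, the first call reports `cache_starved: True` with only two dynamic entries at 100% fill, and `doh_bootstrap: plain-servers`; adding fflo's static entries turns that into `static`. A Cloudflare-style `https://1.1.1.1/dns-query` URL is reported as `ip-literal`, which needs no prior resolution at all. Polling the router and feeding real `print` output into `diagnose()` on a schedule gives an early warning before the cache wedges, instead of finding out when YouTube stops resolving.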
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 08, 2021 8:47 am

> /interface bridge port
> add bridge=bridge comment=defconf interface=ether2
> add bridge=bridge comment=defconf interface="ether3 lan"
> add bridge=bridge comment=defconf interface=ether4
> add bridge=bridge comment=defconf disabled=yes interface="ether5 wan"

Why have you added WAN interface ether5 to the bridge? Even if it's disabled, it should not be there, since the bridge is your inside configuration.

> /system note
> set note="Lick lick lick my balls"

:)
 
mxcone17
just joined
Posts: 15
Joined: Mon Jul 20, 2020 1:27 am

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 08, 2021 8:51 am

Didn't even notice it there. Leftover from when port 5 was configured to be WAN. It is now completely removed, not just disabled. And the message was just for anyone who tried to access the system besides me =)
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Tue Jun 08, 2021 8:56 am

I see it tries to verify the DoH cert even if DoH is turned off. That can be removed, but I do not think it should give any problem.
I do not see any other big configuration errors.

You can try removing DNS cache-size=4800KiB so it uses the default one, just to see if there are any errors in the allocation of the DNS cache.
 
madgrok
just joined
Posts: 7
Joined: Wed Jul 19, 2017 1:08 pm

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

Wed Nov 02, 2022 2:06 pm

This issue is still present in RouterOS 7.6 (hAP ac^3). Another router (hAP ac^2) with a similar configuration does not have such a problem.
