 
rezaf28
just joined
Topic Author
Posts: 2
Joined: Wed Jul 08, 2020 5:29 am

BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 6:02 am

Hi!
Sorry for my bad English!

If you set up DoH for DNS and add DNS server IPs like 8.8.8.8, 1.1.1.1,
MikroTik just uses DoH.

What is the problem?

I want to get the host IP for a domain, for example test1.com,
but Cloudflare DoH can't look up the domain's IP.
Now RouterOS should go and check the other DNS servers (like 8.8.8.8, which the user added),
but it doesn't do this!

For a fix:
you can't do anything!

Note:
If the user wants to use DoH only => add a "use only DoH" checkbox to the DoH configuration.

RouterOS 6.47 Latest updated
RB911G-5HPnD
Mikrotik Sextant g
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 10:08 am

DoH is a one-horse-only thing with MikroTik. So DoH or normal DNS.

My advice is to use DoH in the web browser, or in countries or with ISP providers that are repressive. In non-repressive countries/ISPs you are only feeding the big firms with our private data.
 
rezaf28
just joined
Topic Author
Posts: 2
Joined: Wed Jul 08, 2020 5:29 am

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 10:26 am

DoH is a one-horse-only thing with MikroTik. So DoH or normal DNS.

My advice is to use DoH in the web browser, or in countries or with ISP providers that are repressive. In non-repressive countries/ISPs you are only feeding the big firms with our private data.
I know, but I need this for my work! And for my DNS server!
This is not the only problem. When the router can't resolve an IP from server 1, it doesn't try server 2.
It only goes to server 2 when server 1 isn't working.
This is a problem too.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 11:26 am

I addressed that in the first two sentences. When using DoH you lose the 'backup' server option.
Last edited by msatter on Wed Jul 08, 2020 11:26 am, edited 1 time in total.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 11:26 am

MikroTik never tried to resolve DNS from multiple servers. If the first one fails, MikroTik considers that a valid response.
If you want to resolve specific domains through a different server, you can use an FWD entry, e.g.:
/ip dns static add forward-to=10.0.0.1 regexp=".*\.example\.local" type=FWD
This will forward all your *.example.local queries to your local domain server with IP 10.0.0.1.

That is the theory, but unfortunately this does not work with DoH right now. MikroTik staff are aware (reported in [SUP-20565], resolved in v6.48beta12*) and hopefully they will soon release a fix in the stable channel.

For now, you have to do it with dst-nat (the same way we did it in the past):
/ip firewall layer7-protocol add name="local dns" regexp="^.+(.*.example.local).*\$"
/ip firewall nat add action=dst-nat chain=dstnat dst-port=53 layer7-protocol="local dns" log=yes protocol=udp to-addresses=10.0.0.1
This will work with DoH because it completely skips MikroTik's DNS system (DST-NAT occurs before the routing decision, and the packet goes to "forward" instead of "input").

* edit: still not fixed.
Last edited by vecernik87 on Wed Jul 08, 2020 12:31 pm, edited 1 time in total.
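To see what the two selectors in the post above actually capture before relying on either, here is an added Python example (not from the post or from RouterOS): it builds a DNS query in wire format, applies the FWD regexp to the query name, and applies the L7 regexp to the raw UDP payload, where "." also matches the label-length bytes. The sample names and the Python-re approximation of the L7 matcher are assumptions.

```python
import re
import struct

# The effective L7 pattern from the post once the CLI's "\$" escape is undone.
# Assumption: RouterOS L7 applies it to the raw UDP payload bytes, so "." in
# the pattern matches the DNS label-length bytes as well as letters.
L7_PATTERN = re.compile(rb"^.+(.*.example.local).*$", re.DOTALL)

# The static FWD entry regexp from the post, applied to the queried name.
# Assumption: an unanchored match, as written in the CLI example.
FWD_PATTERN = re.compile(r".*\.example\.local")


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 A query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def l7_redirects(name: str) -> bool:
    """Would the dst-nat rule (L7 match on the UDP payload) redirect this query?"""
    return L7_PATTERN.search(build_dns_query(name)) is not None


def fwd_matches(name: str) -> bool:
    """Would the static FWD entry match this query name?"""
    return FWD_PATTERN.search(name) is not None


def classify(names):
    """Return {name: (fwd_match, l7_redirect)} so both selectors can be compared side by side."""
    return {n: (fwd_matches(n), l7_redirects(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names: one real internal host plus look-alikes.
    for name, (fwd, l7) in classify([
        "host.example.local", "example.local", "notexample.local",
        "foo.example.localhost.com", "google.com",
    ]).items():
        print(f"{name:28} FWD={fwd!s:5} L7-dnat={l7}")
```

Look-alike names such as notexample.local are redirected by the L7 rule but not matched by the FWD entry, which is one reason to review the log=yes output before trusting the rule.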
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 11:57 am

That is the theory, but unfortunately this does not work with DoH right now. MikroTik staff are aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release a fix in the stable channel.
Does it work for you with 6.48beta12? To my findings the behavior did not change.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 12:31 pm

That is the theory, but unfortunately this does not work with DoH right now. MikroTik staff are aware (reported in [SUP-20565], resolved in v6.48beta12) and hopefully they will soon release a fix in the stable channel.
Does it work for you with 6.48beta12? To my findings the behavior did not change.
Ouch, sorry, I didn't actually test it. Instead I relied on the changelog, which was quite clear:
*) dns - do not use DoH for local queries when a server is specified;
So you are right, it still does not work...

I am more and more thinking that this FWD is nice but actually not practical, because with the DST-NAT solution I can even specify the source (e.g. the guest network won't be able to resolve internal domain names from the corporate domain), so it gives me more precise control over it.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: BUG: DNS USE ONLY DOH

Wed Jul 08, 2020 9:42 pm

Don't even suggest that there's anything good about the L7 hack; the whole thing is completely wrong. :) Better than nothing, but that's it. Yes, being able to use it selectively is good and you currently can't do it otherwise, so once again it may be the best in some cases. But it doesn't make it great, because it still has all the limitations it had before (no TCP, no IPv6, no cache, did I forget something?).

The easiest way to solve different FWDs for different clients would be the ability to have independent resolver instances listening on different addresses. Another way would be to introduce some conditions for static records. But it doesn't seem likely that MikroTik is going to do any of that.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: BUG: DNS USE ONLY DOH

Thu Jul 09, 2020 3:26 am

Gosh, I couldn't agree more. In no way did I mean to say that the L7 NAT hack is ideal. I actually hate it because it does not apply to RouterOS itself (prerouting is not in the output chain).

But as you acknowledged, it is better than nothing if you can't have a dedicated DNS appliance. I guess we are really pushing "routers" to do more than they should...
 
norteng
just joined
Posts: 4
Joined: Tue Sep 29, 2020 3:31 pm

Re: BUG: DNS USE ONLY DOH

Tue Jul 13, 2021 11:57 pm

vecernik87, sorry for my English.
In my case, the MikroTik is 10.0.0.2 and the DNS domain server is 10.0.0.1.
I tried your solution, but my client's DNS gives this:
;; reply from unexpected source: 10.0.0.1#53, expected 10.0.0.2#53
;; reply from unexpected source: 10.0.0.1#53, expected 10.0.0.2#53
;; reply from unexpected source: 10.0.0.1#53, expected 10.0.0.2#53
;; connection timed out; no servers could be reached

