TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

DNS connection failure

Fri Mar 19, 2021 8:57 am

Hi guys
I'm using 8.8.8.8 and 8.8.4.4 for our DNS server. Today after losing internet, I found that the internet connection was still active on my MikroTik router but the DNS could not be reached from the end clients. This led me to change to OpenDNS. Traceroute attached below. I wonder what caused the issue.
Thanks
[attached image: traceroute]
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: DNS connection failure

Fri Mar 19, 2021 11:45 am

Maybe your ISP?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS connection failure

Fri Mar 19, 2021 12:00 pm

Did you configure some "clever" script that automatically puts IP addresses that perform a port scan into some hackers list and blocks them in the raw firewall?
When you do that, it is common to have this problem!
There are people who send such portscan-like packets (e.g. a TCP SYN to port 23) with google DNS service as the source address.
So your script will enter 8.8.8.8 and 8.8.4.4 in the ban list and you lose your DNS. Oh what fun!

(well, with the above traceroute that problem of course is not in your own router... but I have seen it happen!)
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS connection failure

Fri Mar 19, 2021 12:36 pm

Exactly, so instead of making us guess.
/export hide-sensitive file=anynameyouwish
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: DNS connection failure

Fri Mar 19, 2021 12:38 pm


> There are people who send such portscan-like packets (e.g. a TCP SYN to port 23) with google DNS service as the source address.
> So your script will enter 8.8.8.8 and 8.8.4.4 in the ban list and you lose your DNS. Oh what fun!
>
> (well, with the above traceroute that problem of course is not in your own router... but I have seen it happen!)
That's pretty cool.

Will have to start adding a "never ban address list" to my firewall rules.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS connection failure

Fri Mar 19, 2021 12:41 pm

I am seeing an issue reported in other threads about DNS.
Something to the effect that the MT DNS does not use all the available DNS addresses listed, but only the last one on the list.
If that last one is not working for whatever reason, it does not look at the rest! Could be a bug?

If this is the case try putting 1.1.1.1 or 9.9.9.9 as the DNS server in test subnets and see if that fixes your issue.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: DNS connection failure

Fri Mar 19, 2021 1:06 pm

> I am seeing an issue reported in other threads about DNS.
> Something to the effect that the MT DNS does not use all the available DNS addresses listed, but only the last one on the list.
> If that last one is not working for whatever reason, it does not look at the rest! Could be a bug?
>
> If this is the case try putting 1.1.1.1 or 9.9.9.9 as the DNS server in test subnets and see if that fixes your issue.
Out of curiosity...

Just checked my router.

Sure enough... It's sending DNS queries to 1.0.0.3 rather than 1.1.1.3.

6.48.1 RouterOS

Edit:
Disabled 1.0.0.3.
DNS queries started going to 1.1.1.3.
Enabled 1.0.0.3 DNS as second server.
Requests are still going to 1.1.1.3.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: DNS connection failure

Fri Mar 19, 2021 1:26 pm

Hi all
Regarding the ISP concern: I can still ping 8.8.8.8 on the MikroTik when the clients can't. After changing to a new DNS server (OpenDNS) it happened once again, but only for a few minutes.
After that I downgraded the firmware from v6.48.1 to long-term v6.47.9.
One more thing is that I have 3 WAN lines, 2 static IPs and one PPPoE. When using mangle to bind a specific network to one WAN, it did not work.
My configuration is below.
Sorry for my bad English.
/interface pppoe-client
add disabled=no interface=ether2 name=pppoe-out1 user=hbhbla_ftth128
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PPTP ranges=10.10.10.10-10.10.10.100
/ppp profile
set *FFFFFFFE dns-server=208.67.222.222 local-address=10.10.10.1 remote-address=PPTP
/queue type
add kind=pcq name=DownLoad pcq-classifier=dst-address pcq-rate=20M
add kind=pcq name=Upload pcq-classifier=src-address pcq-rate=20M
/queue simple
add name=queue1 queue=Upload/DownLoad target=172.16.10.0/24
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface pptp-server server
set enabled=yes
/ip address
add address=203.x.x.x/30 interface=ether1 network=203.x.x.x
add address=172.16.1.1/24 interface=ether4 network=172.16.1.0
add address=14.x.x.x/30 interface=ether3 network=14.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dns
set servers=8.8.8.8,203.113.131.1,203.113.188.1,203.113.131.2
/ip firewall address-list
add address=203.x.x.x list=WAN_IPs
add address=14.x.x.x list=WAN_IPs
add address=23.148.145.238 list=Black_Ips
add address=172.16.40.0/24 list=Connected_sub
add address=10.10.10.0/24 list=Connected_sub
add address=172.16.10.87 list=ANAM
add address=172.16.10.27 list=ANAM
add address=172.16.10.0/24 list=Connected_sub
add address=172.16.20.0/24 list=Connected_sub
add address=172.16.30.0/24 list=Connected_sub
add address=172.16.99.0/24 list=Connected_sub
/ip firewall filter
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward disabled=yes dst-port=5060-5061 in-interface=ether1 protocol=udp \
    src-address=!14.x.x.x
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward disabled=yes dst-port=5060-5061 in-interface=ether3 protocol=udp \
    src-address=!14.x.x.x
add action=drop chain=forward disabled=yes src-address-list=Black_Ips
add action=drop chain=input src-address=111.7.96.132
add action=drop chain=forward src-address=111.7.96.132
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=yes dst-address-list=!Connected_sub new-connection-mark=WAN3_conn passthrough=yes \
    src-address=10.10.10.0/24
add action=mark-routing chain=prerouting connection-mark=WAN3_conn disabled=yes new-routing-mark=to_WAN3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=dst-nat chain=dstnat dst-port=53 log=yes log-prefix=A protocol=udp src-address=10.10.10.100 to-addresses=176.103.130.132 to-ports=53
add action=masquerade chain=srcnat out-interface=ether3
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp to-addresses=172.16.10.200 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5006 protocol=tcp to-addresses=172.16.10.200 to-ports=5006
add action=dst-nat chain=dstnat dst-port=2021 protocol=tcp to-addresses=172.16.10.200 to-ports=2021
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5060 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=5060
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5061 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=5061
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=10000-20000 in-interface=ether3 protocol=udp to-addresses=172.16.40.254 to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=8080 protocol=tcp to-addresses=172.16.40.254 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=203.x.x.x routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=14.x.x.x routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=14.x.x.x
add check-gateway=ping distance=3 gateway=pppoe-out1
add check-gateway=ping distance=4 gateway=203.x.x.x
add distance=1 dst-address=172.16.2.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.10.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.20.0/23 gateway=172.16.1.2
add distance=1 dst-address=172.16.30.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.40.0/24 gateway=172.16.1.2
add distance=1 dst-address=172.16.99.0/24 gateway=172.16.1.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: DNS connection failure

Sat Mar 27, 2021 4:59 am

Hi guys
Is there anyone who has the same issue?
On the MikroTik I can ping the DNS server but the client side can't.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS connection failure

Sat Mar 27, 2021 2:04 pm

It's a tad too busy for me to see anything wrong.
What I suggest is:
a. copy your current config.
b. reset to default settings for everything.
c. Add the LAN network you need.
d. Bring in the PPPoE WAN.
TEST to SEE if you have proper DNS.

YES
e. Add second and third static WAN IPs.
TEST to see if you have proper DNS.

YES
f. bring in PPTP setup (although this is the worst type of secure tunnel you can choose??)
TEST to see if you have proper DNS.

YES.
NOW feel free to bring all the other junk in the config into the equation, but if it's not needed, don't.
Some of your destination NAT rules are wrongly configured.
You have two source NAT rules for ether1 and pppoe-out1; you only need one per dynamic WAN IP (that being the pppoe-out1 one).
The static IPs should not use masquerade but should use the src-nat action and chain.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: DNS connection failure

Sun Mar 28, 2021 1:08 pm

Hi Anav
I'll take your advice.
As you know I have 3 WAN IPs, 2 static and 1 dynamic. It's quite strange that I cannot ping via the second or third interface in the MikroTik terminal:
ping 8.8.8.8 interface=ether3
It's also not working with firewall mangle to bind and redirect users to the second WAN.
For the DNS failure, I have to reboot the router to make it work again every time the issue occurs.
 
anav
Forum Guru
Posts: 19105
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: DNS connection failure

Sun Mar 28, 2021 4:21 pm

> Hi Anav
> I'll take your advice.
> As you know I have 3 WAN IPs, 2 static and 1 dynamic. It's quite strange that I cannot ping via the second or third interface in the MikroTik terminal:
> ping 8.8.8.8 interface=ether3
> It's also not working with firewall mangle to bind and redirect users to the second WAN.
> For the DNS failure, I have to reboot the router to make it work again every time the issue occurs.
I wouldn't touch/use mangling until you have the three WANs up and running to your LAN and the basic firewall rules.
Then based on your requirements, an efficient config can be derived which may or may not include mangling.
KISS
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: DNS connection failure

Sun Mar 28, 2021 4:34 pm

Flush connections on ISP changes.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: DNS connection failure

Wed Mar 31, 2021 11:19 am

Hi guys
After changing to a new MikroTik router, the issue still remains.
Internet on the router is still on but clients cannot resolve DNS; I have to reboot the router and then it works again.
Here is my full configuration, hope you guys will take a look.
Thanks
/interface bridge
add name=LAN
/interface pppoe-client
add disabled=no interface=ether3 name=pppoe-out1 user=xxx
/interface list
add name=all-lans
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VPN ranges=10.10.10.10-10.10.10.100
/ppp profile
add local-address=10.10.10.1 name=PPTP_Prof remote-address=VPN
/routing ospf instance
set [ find default=yes ] distribute-default=if-installed-as-type-1 router-id=1.1.1.1
/interface bridge port
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
/interface list member
add interface=LAN list=all-lans
/interface pptp-server server
set enabled=yes
/ip address
add address=14.x.x.x/30 interface=ether1 network=14.x.x.x
add address=172.16.1.1/24 interface=LAN network=172.16.1.0
add address=172.16.5.1/30 interface=sfp2 network=172.16.5.0
/ip cloud
set ddns-enabled=yes
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=172.16.40.0/24 list=connected-subnets
add address=10.10.10.0/24 list=connected-subnets
add address=172.16.10.0/24 list=connected-subnets
add address=172.16.20.0/23 list=connected-subnets
add address=172.16.30.0/24 list=connected-subnets
add address=172.16.99.0/24 list=connected-subnets
add address=172.16.1.0/24 list=connected-subnets
add address=172.16.2.0/24 list=connected-subnets
/ip firewall filter
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward dst-port=5060-5061 in-interface=ether1 protocol=udp src-address=\
    !14.x.x.x
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward dst-port=5060-5061 in-interface=ether2 protocol=udp src-address=\
    !14.x.x.x
add action=drop chain=forward src-address-list=Black_Ips
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address-list=connected-subnets to-addresses=14.x.x.x
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat disabled=yes dst-port=5001 protocol=tcp to-addresses=172.16.10.200 to-ports=5001
add action=dst-nat chain=dstnat disabled=yes dst-port=5006 protocol=tcp to-addresses=172.16.10.200 to-ports=5006
add action=dst-nat chain=dstnat disabled=yes dst-port=2021 protocol=tcp to-addresses=172.16.10.200 to-ports=2021
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5060 in-interface=ether1 protocol=udp to-addresses=172.16.40.254 to-ports=5060
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=5061 in-interface=ether1 protocol=udp to-addresses=172.16.40.254 to-ports=5061
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=10000-20000 in-interface=ether1 protocol=udp to-addresses=172.16.40.254 to-ports=10000-20000
add action=dst-nat chain=dstnat dst-address=14.x.x.x dst-port=8080 protocol=tcp to-addresses=172.16.40.254 to-ports=80
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=14.x.x.x
add check-gateway=ping distance=3 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=adtek profile=PPTP_Prof service=pptp
/routing ospf interface
add cost=100 interface=sfp2 network-type=broadcast
/routing ospf network
add area=backbone network=172.16.5.0/30
add area=backbone network=172.16.1.0/24
/system clock
set time-zone-name=Asia/Bangkok
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS connection failure

Wed Mar 31, 2021 11:35 am

Re-read reply #3. There is your problem.
Also, set up a decent firewall, also for input. Otherwise you will be hacked.
 
TheLordOfTheShells
Frequent Visitor
Topic Author
Posts: 71
Joined: Tue Oct 03, 2017 2:48 am

Re: DNS connection failure

Wed Mar 31, 2021 5:07 pm

Hi pe1chl
Today when it happened, I did something to check.
1. Disconnected all the network and just left one laptop to check: changed to a new DNS server but still could not resolve domains (maybe the DNS service was blocked); can ping 1.1.1.1 but 8.8.8.8 cannot. Some chat applications still work.
2. Added 2 rules for DNS from outside:
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
3. Rebooted the router: it just works for a while; after a few minutes, it happens again.
Could you share some rules to make the router more secure?
Thanks
[attached image]
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS connection failure

Wed Mar 31, 2021 6:04 pm

Use the default rules. And first remove that
add action=add-src-to-address-list address-list=Black_Ips address-list-timeout=none-dynamic chain=forward dst-port=5060-5061 in-interface=ether1 protocol=udp src-address=\
!14.x.x.x
(and probably the other Black_Ips related rules)
because that is bringing you nothing and it is the cause of your trouble.
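The spoofed-source auto-ban that pe1chl describes, placed next to the OP's own Black_Ips rules from the export above and a hardened version with the "never ban" list gotsprings mentions, as an added example that is not from this thread. The list name never-ban, the 1d timeout, the established/related accept and the OpenDNS entry are my assumptions; 14.x.x.x is the WAN address as masked in the thread.

```routeros
# Added example, not from the thread. Names and timeouts are my choices.

# --- Before: what the posted export does ----------------------------------
# Any UDP packet arriving on ether1 for 5060-5061 that gets forwarded (here
# via the dst-nat to the PBX) adds its *claimed* source address to Black_Ips
# with no timeout. A packet with a forged source of 8.8.8.8 therefore bans
# Google DNS. Because the drop is in chain=forward, the router's own lookups
# and pings (chain=input/output) keep working while LAN clients lose DNS:
# exactly the symptom the thread describes.
/ip firewall filter
add action=add-src-to-address-list address-list=Black_Ips \
    address-list-timeout=none-dynamic chain=forward dst-port=5060-5061 \
    in-interface=ether1 protocol=udp src-address=!14.x.x.x
add action=drop chain=forward src-address-list=Black_Ips

# --- After: exempt resolvers and own addresses, and expire bans -----------
# 1. Addresses the router and clients depend on can never be auto-banned.
/ip firewall address-list
add address=8.8.8.8 list=never-ban comment="Google DNS"
add address=8.8.4.4 list=never-ban comment="Google DNS"
add address=208.67.222.222 list=never-ban comment="OpenDNS (assumed)"
add address=14.x.x.x list=never-ban comment="own WAN, masked as in thread"

# 2. Return traffic (including DNS replies to clients) is accepted first, so
#    the ban rule only sees new SIP attempts, skips never-ban entries and
#    expires after a day instead of persisting until reboot.
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=Black_Ips \
    address-list-timeout=1d chain=forward connection-state=new \
    dst-port=5060-5061 in-interface=ether1 protocol=udp \
    src-address-list=!never-ban
add action=drop chain=forward src-address-list=Black_Ips

# --- Check and recover -----------------------------------------------------
# When clients lose DNS, inspect the ban list before rebooting:
/ip firewall address-list print where list=Black_Ips
# and remove a resolver that was swept in:
/ip firewall address-list remove [find list=Black_Ips address=8.8.8.8]
```

The "Check and recover" commands are the quick test for this thread's symptom: if a resolver shows up under Black_Ips while the router itself can still ping it, the ban rule, not the ISP, is the cause.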
