Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

IPv4 only network DNS issues with mobile devices

Sat Jul 24, 2021 7:01 pm

Hello all!

I'm new to this community and MikroTik products in general. I've decided to go with an "RB4011iGS+5HacQ2HnD-IN" since my ISP router started annoying me.
To keep this as short as possible, I have a public static IPv4 address and an IPv4 /24 home network where all my devices are connected. The MikroTik router has one DHCP server defined (pretty basic setup) which is handing out IPs to all the devices. As for DNS, I have 2x Raspberry Pis (for redundancy purposes) with Pihole running on them. Pihole is set up to use Cloudflare as its DNS.

This is all working very well, except for the smartphones .. they seem to be bypassing the Pihole and I get no ad blocking on them. I believe that this is due to the mobile devices assigning themselves an IPv6 address (via SLAAC) and using AAAA DNS -> they get no IPv6 DNS server info from the router since it's an IPv4 network. And then the default DNS (from what I saw via torch, 8.8.8.8) is used for queries.
[Attachments: torch.png (torch output), pihole.PNG (Pihole DNS settings), dns.png (primary Pihole and secondary Pihole)]
Does anyone know a good & clean way to solve this problem? I wouldn't want to enable IPv6 on the router & Piholes just to filter AAAA DNS queries. And as previously stated, from what I noticed only mobile devices are causing these "problems".

Thanks in advance!
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: IPv4 only network DNS issues with mobile devices

Sat Jul 24, 2021 8:46 pm

To prove your theory, disable mobile data on the phone to see what happens.

You should really post your export so everyone can see the whole config.
 
Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Re: IPv4 only network DNS issues with mobile devices

Sat Jul 24, 2021 9:10 pm

To prove your theory, disable mobile data on the phone to see what happens.

You should really post your export so everyone can see the whole config.
Aren't the torch results enough? It clearly shows queries towards google DNS inside of the local network. Why would mobile data traffic show on the router??
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: IPv4 only network DNS issues with mobile devices

Sat Jul 24, 2021 9:24 pm

Devices don't have to use DHCP assigned DNS - Chromecast devices for instance only use 8.8.8.8.

You mentioned slaac assigned by the mobile connection.

I was following your assumption and trying to verify the source.

If you want better answers without a lot of guessing, post your export (with hide-sensitive=yes).
 
Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 12:58 am

You mentioned slaac assigned by the mobile connection.
No one said it was "assigned by the mobile connection", the smartphone uses SLAAC to assign itself an IPv6 address in the local network. This is not the case just with my phone (Huawei P40 Pro), the same behaviour was observed with 3 others as well (2x Huawei & 1x Xiaomi). iPhone 11 for example does not do that.
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
/ip dns
set servers=192.168.100.2,192.168.100.3
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 1:09 am

I don't know why the phones would do this (have not seen this on phones at least). You are best off using a dst-nat rule that redirects port 53 traffic to your Pi-hole servers. I use a rule like this to point to my local resolvers that then use DoH.
 
Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 2:33 am

Following did the trick:
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.100.2 protocol=udp src-address=!192.168.100.2 dst-address=!192.168.100.2 dst-port=53 in-interface=bridge
/ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=192.168.100.0/24 dst-address=192.168.100.2 dst-port=53
Just not sure how to make this solution redundant .. since I use 2x Piholes and now everything is being sent to the x.x.x.2 Pihole, and the x.x.x.3 is just sitting pretty.
If the Pihole Nr.1 (192.168.100.2) goes offline, I will have no working DNS in my network. Any tips?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 2:40 am

Instead of a redirect, try to
drop, in the firewall filter forward chain, the direct connections from the "pool of smartphone IPs" to the IPs 8.8.8.8 and 8.8.4.4.
This way the device will probably be forced to use the internal IP provided by the DHCP server.
 
Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 3:01 am

Instead of a redirect, try to
drop, in the firewall filter forward chain, the direct connections from the "pool of smartphone IPs" to the IPs 8.8.8.8 and 8.8.4.4.
This way the device will probably be forced to use the internal IP provided by the DHCP server.
Would like to give it a try, just not sure about the rule (since I'm new to MikroTik)
Would it look something like this?
/ip firewall nat add protocol=udp dst-port=53 dst-address=8.8.8.8 action=drop
Not sure how to add both destination addresses, and also I would do it for the whole subnet because otherwise I'll have to either set up 2 DHCP servers or manually sort smartphones / assign them static IPs in a specific range. I think ..
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 3:55 am

Your rules only cover udp, so don't forget the tcp rules for DNS (not as common as udp).

I don't know of any failover scenario other than using BGP and creating an anycast address to be used by DNS.

You would use bird on the pihole devices for bgp.

In the dst-nat rule you would use the anycast address.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPv4 only network DNS issues with mobile devices  [SOLVED]

Sun Jul 25, 2021 9:43 am

I mean this, not on NAT but on filters:

6.6.6.6 is the smartphone IP, just for the test
/ip firewall filter
add action=drop chain=forward dst-address=8.8.8.8 dst-port=53 protocol=tcp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.8.8 dst-port=53 protocol=udp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.4.4 dst-port=53 protocol=tcp src-address=6.6.6.6
add action=drop chain=forward dst-address=8.8.4.4 dst-port=53 protocol=udp src-address=6.6.6.6
 
Gomo
newbie
Topic Author
Posts: 36
Joined: Sat Jul 24, 2021 6:41 pm

Re: IPv4 only network DNS issues with mobile devices

Sun Jul 25, 2021 11:26 am

Yap, it works well!
[Attachment: fw-filter.png (firewall filter rules)]
I'll change it now so that it'll be valid for whole /24 network. Thanks for the help!
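The rules above pin a single test phone (6.6.6.6) to two Google resolvers. Extending them to the whole /24, as the last post says it will, and covering TCP as well as UDP (biomesh's point earlier in the thread), gives the following. This is an added example, not configuration posted in the thread; it reuses the thread's values (LAN 192.168.100.0/24, Pi-holes at 192.168.100.2 and 192.168.100.3, bridge as the LAN interface) and goes a step further than the thread: instead of listing 8.8.8.8 and 8.8.4.4, it drops port 53 from any LAN client to any destination, so a device that picks a different public resolver is caught too. The address-list name, comments and log prefix are my own choices.

```routeros
# Added example, not from the thread. Assumes the values the thread shows:
# LAN 192.168.100.0/24, Pi-holes 192.168.100.2 and 192.168.100.3.
# List name, comments and log prefix are assumptions.
/ip firewall address-list
add list=pihole-servers address=192.168.100.2 comment="primary Pi-hole"
add list=pihole-servers address=192.168.100.3 comment="secondary Pi-hole"

/ip firewall filter
# The Pi-holes still need to reach their upstream (Cloudflare) on port 53,
# so accept their queries before the drop rules below.
add chain=forward action=accept protocol=udp dst-port=53 src-address-list=pihole-servers comment="Pi-hole upstream DNS"
add chain=forward action=accept protocol=tcp dst-port=53 src-address-list=pihole-servers comment="Pi-hole upstream DNS"
# Any other LAN host resolving directly (8.8.8.8, 8.8.4.4 or anything else)
# is dropped and logged. Client-to-Pi-hole queries stay inside the /24 and
# never pass the forward chain, so they are unaffected. UDP and TCP each
# need their own rule; a plain "dst-port=53" without protocol is not accepted.
add chain=forward action=drop protocol=udp dst-port=53 src-address=192.168.100.0/24 log=yes log-prefix="dns-bypass" comment="drop direct DNS from LAN"
add chain=forward action=drop protocol=tcp dst-port=53 src-address=192.168.100.0/24 log=yes log-prefix="dns-bypass" comment="drop direct DNS from LAN"
```

Two things to check after adding these: the rules must sit above any catch-all accept for LAN traffic in the forward chain (use `place-before=` on `add`, or move them in WinBox), otherwise they never match; and `/log print where message~"dns-bypass"` then shows which devices were going around the Pi-holes, which is the same evidence torch gave but without watching live. The rules only cover plain DNS on port 53; a client that switches to DNS over HTTPS or TLS (443/853) is not affected by them, which is the limit of this approach rather than a configuration error.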
