 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

DNS forward problem since using Win 11 *hard nut to crack*

Mon Nov 22, 2021 7:13 pm

Hi All,

I am using my MikroTik router to forward all DNS requests for *.mydomain.com to an internal DNS server, because I access services through a VPN and the outward-facing DNS does not resolve them.
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
2    ;;; Ext DNS Response
      chain=srcnat action=masquerade protocol=udp dst-address=<IP of DNS Server> dst-port=53 log=yes log-prefix="Special DNS" 
4    ;;; Ext DNS Request
      chain=dstnat action=dst-nat to-addresses=<IP of DNS Server> to-ports=53 layer7-protocol=Special_DNS protocol=udp 
      src-address=192.168.0.0/24 dst-address-type=local dst-port=53 log=yes log-prefix="Special DNS" 

[admin@MikroTik] /ip firewall layer7-protocol> print
 # NAME                                                             REGEXP                                                           
 0 Special_DNS                                                      mydomain.com
This has been working fine for years, but since I started using Win 11 I have trouble resolving mydomain.com names.

I set the IP of my MikroTik (without encryption) as the fixed and only DNS server on the Win 11 client.
When I try to access an application like test.mydomain.com using Chrome, Firefox or SoapUI, I get a "DNS not found" error.
Then I try ping test.mydomain.com and this works. After that I can access test.mydomain.com with my applications as long as it stays in the DNS cache.
UPDATE AT THIS POINT: If I try several times with my application (in this test case 6 refreshes in Firefox) it suddenly works. I do not understand why...

I know that this is a Windows 11 problem, but it only occurs with mydomain.com forwarded addresses. I also have some local DNS entries like nas.local. These always work fine (resolved by mikrotik).

I suspect that Windows 11 is trying to resolve encrypted DNS on its own, even though a static DNS server without encryption is specified.

Since I'm sure I won't be able to find help in a Win 11 forum with this setup, I'll ask here. I hope someone has an idea. It's no fun to use ping all the time to get the IP resolution to work.

BR

mode
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Mon Nov 22, 2021 9:06 pm

There's DoH support in Windows 11, I didn't test it, but nothing suggests that system would try to use it even if not configured. And if ping resolves it correctly, which is definitely done by system, then it looks ok.

But if it doesn't work with Firefox or Chrome, they do have their own independent DoH, so perhaps that could be it. I don't know how aggressively they currently try to use it.

Btw, you don't need to use L7, recent RouterOS supports forwarding in its DNS resolver, look for static FWD records.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Mon Nov 22, 2021 11:20 pm

Hi,

When I try several times in an application by hitting refresh, the name is suddenly resolved. Ping always works at the first try. The problem is not only in browsers, e.g. SoapUI is affected too.

DNS FWD does not work on my MikroTik. I believe it is not working when using DoH on the MikroTik. So I will continue to use my L7 solution.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Mon Nov 22, 2021 11:34 pm

I think you're right about FWD and DoH (but you didn't mention having it on router).

As for the problem, it's probably time to have some fun with your favourite packet sniffer. Flush Windows DNS cache, start the program and see if there's regular DNS query and any response coming back. If not, you can watch if there's any DoH request instead, which will be slightly more difficult to catch, because it looks like any other https, so it will help to close everything else you can, to minimize unwanted noise. Hopefully it will reveal something.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Tue Nov 23, 2021 12:12 pm

I have already tried to track the DNS requests with Wireshark. I can say for sure that no request goes out on port 53. I can't say for sure if a DoH request goes out, because I had too much background noise. I will restart the computer, open only one browser window and see if I can identify a DoH request. I will report back then.
Thanks for your support....
 
krafg
Forum Guru
Forum Guru
Posts: 1020
Joined: Sun Jun 28, 2015 7:36 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Nov 24, 2021 3:30 am

Remember that by editing the hosts file on Windows you can force DNS requests to the IP that you specify:

C:\Windows\system32\drivers\etc\hosts

200.200.200.200 my.netdomain.com

I hope that it can help you.

Regards.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Nov 24, 2021 12:52 pm

Hi,

I also disabled IPv6 to ensure that it does not cause the issue. But the problem remains.

It's also funny that some hosts that are resolved by the VPN don't work, while others do. There is no system behind which ones work and which ones don't.

I was able to determine with Wireshark that Win 11 was making the following call instead of the DNS query to my local DNS, at the exact moment where the DNS query should be made:
[attached screenshot: 2021-11-24 11_47_16-Clipboard.png]
I think this might be a DoH call to a Microsoft server. I have tried several times and always found this call in Wireshark.
How can I get Windows to stop doing this?

btw: I know the hosts file, but I want to use the external DNS because I do not want to apply all DNS changes manually.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Nov 24, 2021 1:15 pm

Ok now I am completely confused.
I have blocked the IP 52.168.64.244 in the Windows firewall and now I receive DNS requests all the time, as expected.
BUT
It doesn't seem to have anything to do with DNS forwarding. Also local DNS entries are not resolved correctly.
Example: my NAS. It has the hostname nas.ts with the IP 192.168.6.9.

First a ping on nas.ts, dns resolution fails. (lines 1 and 2 in the log).
After that I do a ipconfig /flushdns
and again a ping nas.ts, dns resolution successful (lines 3 and 4 in the log).
But when I look at the two requests in lines 1 and 3, I can't see any difference. Why does the MikroTik DNS server only respond correctly after a flushdns?
The log proves that Windows sends two identical requests, of which only the one after the flushdns is answered correctly. This drives me crazy. The MikroTik should not know about the flushdns, since it is a host-only cache.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Thu Nov 25, 2021 1:41 am

But you did get response for first query, suggesting that it reached some resolver that doesn't know about nas.ts. You didn't write where is this one defined, but request is to router, so either it should have ended up there, or it should have been forwarded elsewhere, and whichever it was, it didn't happen. Why, that's a question.

Your L7 regexp can have tons of false positives, because it looks for <anything>mydomain<any character>com<anything> anywhere in packet, but it won't match anything else, so that's probably not a problem. Some other rules (that we don't see) could possibly influence it, but it doesn't seem very likely that they would affect only some queries and not other same ones. In any case, this should be easy to debug, that response came from somewhere. If the query was forwarded to external server using dstnat, you can capture responses from there. If it went to router and was forwarded to its DoH resolver, you can see that in log, if you enable verbose logging for dns.

After you resolve the above, and if it's not a complete solution, you can play further with those port 443 requests to Microsoft's IP, but that would be more difficult. You'd need your own webserver, redirect those requests there, configure https with a self-signed certificate that you'd add as trusted to Windows, and that should allow you to see what exactly those requests are. But it seems weird, I didn't find a single complaint about Windows 11 not respecting configuration and using DoH with some hardcoded server. Of course it doesn't prove anything, not many people would notice and that system is not out very long.
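To make Sob's point about the L7 regexp concrete, here is an added illustration (not code from the thread or from RouterOS) that builds DNS queries in wire format and compares what the byte-level pattern "mydomain.com" matches against a check on the parsed question name. The packets are constructed locally; the pattern is case-sensitive in this Python version, which is an assumption of the illustration, not a statement about the RouterOS matcher.

```python
"""Byte-level L7 regexp vs. QNAME-aware matching on constructed DNS queries."""
import re
import struct

# The regexp from the thread's L7 rule: "." matches any single byte, which in
# DNS wire format is the label-length byte that sits where the dot would be.
L7_REGEXP = re.compile(rb"mydomain.com")


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query in wire format (RFC 1035 section 4.1): header,
    length-prefixed labels, root terminator, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_qname(packet: bytes) -> str:
    """Read the question name back out of the packet (queries are not compressed)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        ln = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)


def l7_matches(packet: bytes) -> bool:
    """What the L7 rule sees: 'mydomain' + any one byte + 'com', anywhere in the packet."""
    return L7_REGEXP.search(packet) is not None


def qname_matches(packet: bytes, zone: str = "mydomain.com") -> bool:
    """The precise, DNS-aware check: is the question name the zone or under it?
    DNS names compare case-insensitively (RFC 1034), so normalise first."""
    name = parse_qname(packet).lower()
    return name == zone or name.endswith("." + zone)


if __name__ == "__main__":
    for host in ("test.mydomain.com", "notmydomain.com",
                 "mydomain-com.example.org", "TEST.MYDOMAIN.COM", "nas.ts"):
        pkt = build_query(host)
        print(f"{host:28} L7={l7_matches(pkt)!s:5} QNAME={qname_matches(pkt)}")
```

Running it shows the byte-level rule accepting "notmydomain.com" and "mydomain-com.example.org" (false positives) while a variant that a resolver treats as the same name can slip past it, which is why matching on the parsed name, as a static FWD record does, is the more robust forwarding criterion.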
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Thu Nov 25, 2021 2:20 pm

Hi Sob
Thank you for your detailed answer.
What irritated me is that this setup has worked flawlessly for years. Only the new Win 11 PC has these problems. And the worst is that most things are not easily reproducible.
I will try to narrow down the problem further and report back here with new findings.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Thu Nov 25, 2021 4:53 pm

What irritated me is that this setup has worked flawlessly for years. Only the new Win 11 PC has these problems. And the worse is that most things are not easily reproducible.
I will try to narrow down the problem further and report back here with new findings.
That is the life of the system/network admin. Things that always have worked perfectly are broken by arbitrary updates made for (or in response to) "requirements" that are completely irrelevant to your situation, but are still enforced on you.
Change of DNS to DoT or even worse DoH, enforcement of https even for intranet situations, removal of established technologies like Java, Flash, etc, we all have to deal with it.
Of course it keeps our work hours filled, it would not be nice when everything works without problem all the time...
 
Kindis
Member
Member
Posts: 434
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: DNS forward problem since using Win 11 *hard nut to crack*

Thu Nov 25, 2021 11:22 pm

So how about a new strategy?
Buy NextDNS and point all DNS, DoT and DoH to them and your config.
I used to do something similar but it worked like crap. In NextDNS I can do DNS rewrites and I have added the things I want an internal resolve for.
By doing this I moved the issue to someone else who supports it + I get the same resolution from all devices thanks to Private DNS in Android etc.
There is also a free tier so you can test.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Dec 01, 2021 12:45 pm

** UPDATE **
I was further able to find out the following.
It does not matter if a DNS request is made by a browser, a ping command or any other software.
If a DNS request fails and a flushdns is executed afterwards, the chance is high that the next request will be successful. Sometimes the flushdns has to be executed several times.

Therefore, the problem must be something with the Windows DNS cache.

Under Windows 11 you can't disable the DNS service under Services.msc anymore. Therefore I have deactivated it via regedit. This works as follows:
Run regedit to start Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache.
Locate the Start registry value and change it from 2 (Automatic) to 4 (Disabled).
Restart the computer.

Since then there are no more problems. Thanks to all who have contributed here.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Dec 01, 2021 5:38 pm

Actually, if you didn't solve the problem shown by the packet capture, where something did respond to the query for nas.ts, saying that the domain doesn't exist, then the Windows DNS cache is just doing what it's supposed to. The answer was clear - domain doesn't exist. So it's unlikely to start existing the next second and there's no point in trying to immediately send another query. If it worked like that, upstream resolvers would be flooded with queries for non-existent domains. That's why even a negative answer is cached for a while. If you flush the cache and try to resolve the hostname again, the cache doesn't have any info about it, so it sends another query and it has a chance to succeed. I'm not sure how exactly it works with the cache disabled, if there are some automatic retries, but at least you got rid of cached negative answers. But the real problem still exists, only it's less visible.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Dec 01, 2021 7:33 pm

I have to retract the solution because then the Samba client will not work. The next time it does not work I will take a close look at the DNS cache.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS forward problem since using Win 11 *hard nut to crack*

Wed Dec 01, 2021 7:37 pm

I think the cache is a wrong track for your search. The problem is likely not the cache, but the fact that Windows has defined and is using another resolver than you hope for. E.g. via DoH, DoT or whatever mechanism.
So (part of) the requests are sent to another DNS resolver than your MikroTik router, and they fail. The failure is stored in the cache.
The next time you try the request (sometimes) goes to the router and it works, and that gets cached.
 
mode
newbie
Topic Author
Posts: 37
Joined: Sun Jun 03, 2018 12:12 am

Re: DNS forward problem since using Win 11 *hard nut to crack*  [SOLVED]

Wed Dec 08, 2021 8:59 pm

The problem was solved by replacing my L7 DNS forward construct with the new MikroTik FWD function in the DNS module.

It seems that Win 11 sometimes sent DNS packets that were not detected by the L7 rule and thus were not responded to. This "not found" was then cached.
Since I use the FWD rule on the MikroTik, no error occurs anymore.
Changes to Windows 11 are now no longer necessary.

It seems that Windows 11 sometimes fragments the DNS packets or does something else with them so that they are no longer recognized by the L7 regex.

Thanks to all who have puzzled here with me :-)
